App vulnerabilities, patching, and ransomware 2016 key security risks: HPE

According to Hewlett Packard Enterprise, application vulnerabilities, patching, and malware monetisation are the three key risks a business needs to pay close attention to as 2016 brings more cunning threat actors to the landscape.

Application vulnerabilities, patching, and malware monetisation are the greatest risks a business is currently facing, according to Hewlett Packard Enterprise (HPE).

In its Cyber Risk Report 2016, HPE said that approximately 75 percent of the mobile applications scanned exhibited at least one critical or high-severity security vulnerability, compared with 35 percent of non-mobile applications, adding that mobile applications tend to see over 10 percent more issues related to security features than other applications do.

"For mobile applications, it is internal system information leaks that lead the most common list," the report says.

"A substantial majority of the applications we saw are storing sensitive information on devices that can be left on restaurant tables, stolen from backpacks, and dropped in toilets."

According to the report, Microsoft and Adobe both released more patches than at any point in their history, and it remains unclear whether this level of patching is sustainable.

"2015 was a record year for the number of security vulnerabilities reported and patches issued, but patching does little good if end users don't install them for fear of unintended consequences," HPE said.

"The most exploited bug from 2014 happened to be the most exploited bug in 2015 as well -- and it's now over five years old.

"Software vendors must be more transparent about the implications of their patches so that end-users aren't afraid to deploy them."

Regarding malware monetisation, HPE said that ransomware attacks targeting the enterprise and individuals are on the rise. As a result, it said, enterprises need both increased awareness and preparation on the part of security professionals to avoid the loss of sensitive data.

"In today's environment, malware needs to produce revenue, not just be disruptive," the report says. "The best protection against ransomware is a sound backup policy for all important files on the system."

HPE said that as the number of connected mobile devices expands, malware is diversifying to target the most popular mobile operating platforms.

According to the report, the number of Android threats, malware, and other unwanted applications has grown to more than 10,000 new threats found daily.

"In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown," Shane Bellos, general manager of Enterprise Security Products at HPE, said.

"We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organisation to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth."

Additionally, HPE found that 2015 was the year of collateral damage, as certain attacks affected people who never thought they would be involved in a security breach.

The report singled out the breaches of the United States Office of Personnel Management (OPM), the federal agency in charge of vetting government workers for security clearance, and of the extramarital affairs website Ashley Madison as having affected those who never had direct contact with either entity.

"[Their] information resided in their networks only as it related to someone else -- or, in the case of the Ashley Madison breach, did not appear at all but could be easily deduced from revealed data," the report says.

In July, the US OPM was hit by its second breach of the year, leading to the theft of more than 21 million individuals' records.

The OPM's first breach, which allegedly occurred in April, affected approximately 4 million former and current civil servants.

In one of the most publicised breaches of the year, around 37 million people were caught up in the Ashley Madison attack that saw the personal data of users of the dating site, including credit card transactions, leaked online.

Looking forward, HPE said that 2016 will be spent contending with the events of last year.

"For businesses and their IT departments, vigilance needs to be fortified with action and preparedness," the report says.

Additionally, HPE said that the space to watch over the next year is iOS malware.