Here’s A Mind Blowing Stat…. Attackers Can Breach 93% Of Networks In Under A Month

A new study from Positive Technologies found that threat actors can breach 93% of company networks and trigger unacceptable events in under a month. The researchers simulated various APT attack scenarios, applied social engineering tactics like malicious email attachments and analyzed countermeasures deployed. They selected test subjects from key sectors in the United States, including finance, fuel and energy, government, industrial and IT.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“The data shows that with phishing attacks that harvest credentials being the #1 vector for initial compromises points to the challenge that security organizations have when it comes to the “human factor” in breach prevention. It is almost inevitable that one of these campaigns will be effective and with one mistaken click an organization is compromised. Worse yet, a malicious insider can appear to traditional XDR and SIEM’s as legitimate users and basically go unhindered until a major data theft occurs, or ransomware is executed. This is where the organizations can protect themselves by incorporating identity analytics and understanding the risks associated with user access, activity as part of their next generation SIEM. This can help organizations more quickly determine when a malicious insider is improperly using these credentials and prioritize associated risks to their infrastructure”

This illustrates that companies have a lot of work to ensure that they are fully protected from threats regardless of how they present themselves. That way they don’t add to that mind blowing stat.

UPDATE: I also got commentary from Dave Pasirstein, Chief Product Officer and Head of Engineering at

Compromised credentials continue to be highlighted as the most common method for breaches.  For years, the deployment of second factor (2FA) technologies have not materially moved the needle in terms of improvement, because primary factors are still tied to usernames/passwords.  Next-generation passwordless MFA is one of the few alternatives that can improve the situation by completely eliminating the password credential from the system, the account, and the user.”

Leave a Reply

%d bloggers like this: