Security Awareness Implications of the 2017 Verizon Data Breach Report
Each year, Verizon publishes a report that highlights data breach and incident trends from the previous year. This report offers significant insight into not just the types of threats organizations face today, but who perpetrates breaches, the tactics used and, perhaps most importantly, the reason organizations find themselves at risk in the first place.
Sadly, in too many of these breaches, security awareness on the part of the affected organization was lacking, and security awareness training could have made a significant difference. While security awareness training cannot provide guaranteed protection and does not play a role in defending against things like DDoS attacks, its absence has been implicated in a very wide range of breaches that could have been prevented.
Digging into the Findings
The Verizon data breach report is a comprehensive compilation of information, and we’ll do our best to summarize it below, beginning with the most common actors behind breaches and incidents.
Unsurprisingly, 75% of all breaches were instigated by outsiders. However, the remaining 25% of attacks actually involved internal actors. More than half of all incidents involved organized criminal groups and 18% involved state-affiliated actors.
A full 24% of breaches affected organizations in the financial industry, with healthcare organizations coming in second, public sector entities third, and the retail and accommodation industries fourth and fifth, respectively.
The Tactics Most Attackers Use
The report also found that 81% of all hacking-related breaches leveraged either stolen passwords or weak passwords. This is a crucial finding, as 62% of all breaches involved hacking. Password theft and compromise are two of the most easily remedied risks to any organization, as is highlighted by security awareness training.
Simply training staff members, managers and executives on how to construct strong passwords, and then changing those passwords regularly, can provide a dramatic reduction in the risk level an organization faces, regardless of industry.
Password theft is just as easily protected against. Security awareness training highlights the importance of never remaining logged into an account when away from a workstation or laptop, the need to avoid writing passwords down and storing them physically, and the importance of using an advanced password tracking system to prevent such theft.
Another finding that is less surprising is the rise of malware used to infiltrate an organization’s network. A full 51% of all breaches included malware, and of those incidents, 66% of malware was ultimately installed by the employee or executive clicking a link in a phishing email.
Phishing has become perhaps the most widespread means of credential theft, but despite that rise, a surprising number of staff members and key decision makers within organizations large and small remain ignorant of this threat and how to protect against it. Phishing (and its close cousin spear phishing) is covered thoroughly through security awareness training, which teaches best practices for dealing with these malicious emails.
To give an idea of just how widespread phishing is across all industries, the Verizon report breaks down the median number of phishing campaign clicks by industry. At the top is the manufacturing sector, with 13.35%, followed by information, with 10.76%.
Next was retail, with 10.66%, healthcare with 10.26%, accommodation with 9.71%, public sector organizations with 9.23%, finance organizations with 8.48% and education-related organizations with 6.18%.
An incredible number of attacks each year are directed against human beings (employees) rather than hardware or software protection. In fact, the Verizon report notes that 1,616 incidents occurred in 2016, with over 800 of those resulting in confirmed data disclosure.
93% of social attacks relied on phishing (43% of all human-related attacks in 2016). Virtually all successful phishing attacks led to the installation of malware on a workstation, and almost 30% of those attacks were spear phishing related (highly targeted to specific users).
While malicious emails have been around for some time, many people are unaware of the threat they present. A prime example of this is the success of the 2017 Google phishing email that used an image file of a Google Doc to trick recipients into clicking on the icon and downloading malware to their computers.
However, there are numerous other attack types used today, including DDoS and limited DDoS attacks, physical theft of devices like smartphones, laptops and thumb drives, web app attacks, crimeware and point of sale attacks, to name only a few.
Why Are Attacks Targeted in the First Place?
By far, the most common reason for launching an attack in the first place is for financial gain. The Verizon report shows that 73% of all breaches were motivated by money, whether it was direct theft or the theft of information to sell to other parties.
However, that is not the only reason. Up to 21% of breaches were somehow related to espionage, generally industrial espionage, but also including state actors (either government-to-government, or government-to-industry espionage).
Other reasons for attacks include revenge on the part of an ex-employee who felt he or she had been wronged, as well as attacks carried out “for the fun of it” by new hackers flexing their muscles or attempting to build a reputation.
What’s an Organization to Do?
While there is no substitute for robust hardware and software security, too many organizations overlook the human element. Human users are often the weakest links within a company’s network, and as you can see from the information provided above, many users are simply unaware of best practices related to software hygiene and defeating would-be phishing emails.
The 2017 Verizon Data Breach Report points out, “The data shows that simulated phishing makes a difference.” Security awareness training can make a significant difference in an organization’s risk level. However, training is only one part of what you should be doing. It’s also crucial to focus on attack detection and click reporting.