Odds are your organization will be breached through a hack than any other method, and most likely by attackers leveraging users’ weak or stolen passwords, according to the annual Verizon Data Breach Investigations Report.

The 10th annual report from the U.S.-based communications giant, issued Thursday, is as usual full of data from 2016 from thousands of incidents reported around the world massaged in various colourful ways. But the bottom line is cyber espionage (stealing information) and ransomware are increasing, and phishing is (still) a leading attack vector.

Ransomware moved from the 22nd most common variety of malware in the 2014 report to the fifth most common,

This year’s analysis was done on 42,068 incidents (defined as a security event that compromises the integrity, confidentiality or availability of an information asset) and 1,935 breaches (actual data loss) last year from more than 84 countries, including Canada. Data was contributed by a number of security vendors.

Despite the concern of CISOs about employees, only 25 per cent of incidents looked at were perpetrated by outsiders, roughly consistent with Verizon data for the past decade. The odds are four to one you’ll be attacked by someone from outside the company.

Depending on the industry sector the odds are more likely you’ll be attacked by a criminal group (51 per cent of the studied group) than a state-affiliated actor (18 per cent).

Just over 60 per cent of breaches involved hacking, but that not the big news: Eighty-one per cent of hacking-related breaches leveraged stolen and/or weak passwords. Forty-three per cent involved what the report calls social attacks (including phishing, pretexting – such as spearphishing attacks on business executives – and extortion), 14 per cent of breaches involved employee errors, while another 14 per cent involved privilege misuse.

Fifty-one per cent of breaches included malware, and 66 per cent of that malware was delivered by malicious email attachments.

Finally – and distressingly – for all the money CISOs spend on detection, 27 per cent of breaches studied were discovered by third parties.

Still, the report says there is cause for hope – if only that the authors expect the data will be wisely used by CISOs.

In an interview Gabriel Bassett, the senior information data scientist on the report’s team, agreed but for a different reason: “Our lack of hope is one of the most profound problems with our [security] industry,” he said. Most infosec pros feel they can’t be as good as attackers, he said, who have “incredible exploits” and can command massive distributed denial of service (DdoS) attacks.

“The reality is that’s not the normal attacker,” he said. The Verizon report is about things that are most likely to happen, and “the things that happen commonly are the things you can do things about. The normal attacker is not an elite, special forces cyber security guru that never sleeps and is conned directly for you. He’s just like you who sits in his version of a cubicle trying to make a buck in the most efficient way possible.

“And if he finds out that his repeatable automated process doesn’t work, if you make yourself just the least bit less susceptible to it, if you figure out what are the key mitigation for my industry and my threats and my risks and implement just a few things, you’re all of a sudden much less economically viable as a target.”

Recommendations to infosec pros from Verizon (NYSE: VZ) include

  1. Stay vigilant: Log files and change management systems can give early warning of a breach;
  2. Make people your first line of defense – train staff to spot the warning signs;
  3. Keep data on a “need to know” basis – only employees that need access to systems to do their jobs should have it;
  4. Patch promptly – this could guard against many attacks;
  5. Encrypt sensitive data – make your data next to useless if it is stolen;
  6. Use two-factor authentication – this can limit the damage that can be done with lost or stolen credentials;
  7. Don’t forget physical security – not all data theft happens online.

The report dices the data set for trends in industries and type of attacks. For example

–in the education sector, cyber-espionage, miscellaneous errors and Everything Else (a catch-all category) represent 67 per cent of all data breaches;

–in the financial/insurance sectors denial of service, Web application attacks and payment card skimming represented 88 per cent of all security incidents;

–in the health care sector privilege misuse, miscellaneous errors and physical theft and loss represented 80 per cent of breaches. Insider misuse is a major issue for this sector; in fact it is the only industry where employees are the predominant threat actors in breaches (68 per cent);

–manufacturing and public service sectors are most likely to be hit by cyber-espionage efforts, usually led by spear-phishing. Over 90 per cent of breaches in the studied group were attributed to state-affiliated actors;

–the entertainment, professional services, public sector, information/communications and finance industries were most likely to be hit with DdoS or telephone denial of service attacks;

–while the insider threat isn’t as common in breaches as external actors, it is still considerable. Healthcare workers are accessing medical databases either to steal personal information of patients for identity theft, or snooping on patient medical histories. Public administration breaches often involve workers employed in law enforcement accessing criminal databases to get dirt on somebody. The report says acceptable use training, and a banner that makes it clear that any access of personal information without a legitimate need will be flagged and dealt with, can deter snooping;

–Web application attacks mainly involved defacing or repurposing Web sites. But 60 per cent of the remaining incidents show that – again — use of stolen credentials, phishing and C2/ backdoors were the lead action varieties this year. Of Web application breaches, 77 per cent involved botnets such as Dridex, many of which are linked to organized crime.