The latest cybersecurity number-crunching from Verizon’s famed annual data breach report lends more weight to an old CISO maxim: people are the biggest threat organizations face.
Eighty-five per cent of just over 5,000 data breaches examined last year had a human element, according to the Verizon 2021 Data Breach Investigations Report, released Thursday.
Sixty-one per cent involved credentials in one way or another.
This report analyzed 29,207 cybersecurity incidents from 88 countries, 5,258 of which were confirmed breaches.
It tried to answer three questions: What are the most sought-after data types? (The data suggest the answer is credentials, followed closely by personal data.) Who is most likely to be your attacker? (Probably someone from outside the organization.) And what are the top actions behind breaches? (Phishing.)
The report also analyzes the damage done by incident type and breaks incidents down by industry, all of which is set out with a wide variety of charts.
The bottom line is this conclusion from the authors: “Doing the basics will help against the vast majority of the problem space that is most likely to affect your organization.”
“When you read the contents of the report, it is tempting to think that a vast array of threats demands a sweeping and revolutionary solution,” lead author Alex Pinto said in a release. “However, the reality is far more straightforward. The truth is that, whilst organizations should prepare to deal with exceptional circumstances, the foundation of their defences should be built on strong fundamentals – addressing and mitigating the threats most pertinent to them.”
Among the nuggets of data:
- Phishing attacks increased by 11 per cent last year over 2019, while attacks using ransomware rose by 6 per cent.
- Breach simulations found the median financial impact of a breach is US$21,659, with 95 per cent of incidents falling between US$826 and US$653,587 (all figures in U.S. dollars).
- Misdelivery of electronic or paper documents represented 55 per cent of financial sector errors, and 36 per cent in the healthcare sector.
- The biggest threat in the public sector was, by far, social engineering attacks. “Actors who can craft a credible phishing email are absconding with credentials data at an alarming rate in this sector.”
Ten per cent of all data breaches studied involved ransomware. This reflects threat actors increasingly stealing data before encrypting it, which turns what would otherwise be an incident into a confirmed breach. Stolen credentials and brute-force attacks are common vectors. Sixty per cent of ransomware cases involved direct installation or installation through desktop sharing apps.
In North America (Canada and the U.S.) social engineering and system intrusion were the top causes of incidents. On the other hand, basic web application attacks were the leading cause of incidents in Europe, the Middle East and Africa.
There was also some indication that small organizations are increasingly being victimized. In 2019, small organizations accounted for less than half as many breaches as large organizations. In 2020 the numbers were much closer: 307 breaches in large organizations and 263 in small ones.
The report also includes a short essay on effective employee awareness training by Masha Arbisman, behavioural engineering manager for the information security team at Verizon’s media division. She believes creating a culture of security depends on using behavioural science to change the employee habits that lead to attacks, and on analyzing test data to verify that training is working.
Over two years, the approach tripled the adoption of a password manager and decreased the overall phishing susceptibility of employees by half, she wrote.
“There is no singular approach to minimizing the human risks that lead to breaches,” she added. “Each corporation experiences different flavours of the same types of attacks and must customize their behavioural engineering and cybersecurity education programs accordingly.”