Three factors involved in the bulk of data breaches: Verizon

Credential theft, social engineering attacks (including phishing and business email compromise) and human errors were involved in just over two-thirds of almost 4,000 data breaches around the world last year, according to the 13th annual Verizon Data Breach Investigations Report.

“These tactics prove effective for attackers,” say the report’s authors, “so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts.”

The 130-page report released this morning aims at giving CISOs a better understanding of the varied threats they face not only generally but in regions and across several industries. This year’s report looks at 16 verticals.

Written in a slightly cheeky style and chock full of statistics, the report uses data from 81 partners (ranging from IT vendors to the U.S. Secret Service) to analyze 32,000 incidents (events that compromise the integrity, confidentiality or availability of an information asset) and 3,950 data breaches (confirmed disclosures of data).

Among the highlights (or lowlights):

  • Hacking (defined as an attack using stolen credentials, exploiting vulnerabilities or using back doors) was involved in 45 per cent of breaches; 22 per cent involved attacks through social media (including email); 22 per cent involved malware. Also, employee errors were causal events in 17 per cent of breaches, while eight per cent involved the misuse of data by authorized users.
  • Ransomware accounted for 27 per cent of malware incidents (and it was higher in some verticals like government and higher education).
  • Web application attacks doubled from 2018 to 43 per cent of all breaches.
  • Internal-error-related breaches almost doubled from 2018 (881, versus last year’s 424). However, report authors believe this increase is likely due to improved reporting requirements because of new legislation and changes in existing law rather than insiders making more frequent mistakes.

There is some good news:

  • Security tools are getting better at blocking common malware. Data shows that Trojan-type malware peaked at just under half of all breaches in 2016 and has since dropped to only 6.5 per cent. Malware sampling indicates that 45 per cent of malware is either droppers, backdoors or keyloggers. “Although this kind of threat is still plentiful, much of it is being blocked successfully,” say the authors.
  • Less than five per cent of breaches involved the exploitation of a vulnerability. “In our dataset, we do not see attackers attempting these kinds of attacks that often; only 2.5 per cent of security information and event management (SIEM) events involved exploiting a vulnerability. This finding suggests that most organizations are doing a good job at patching,” says the report. However, it adds, while patching does seem to be working, poor asset management can hide big problems. “Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defences.”

Finally, for those CISOs worried about insiders, keep it in perspective: The report’s numbers continue a historical trend showing that insiders account for about 24 per cent of breaches — and a lot of times that’s a user error (losing a laptop, misconfigurations).

“What continues to frustrate people like me is email phishing,” commented report co-author John Loveland in an interview. “We all know that it’s problematic, we all know we shouldn’t be clicking on [links in] emails, but there continue to be click-throughs.”

All that’s needed is one person to click on a malicious link for an attack to start, he noted, “but in this day and age with all the attention around phishing and the technologies that are used to intercept phishing emails it’s still a soft-side of security.”

“We as an industry have to get better at removing the human factor out of that exploit, not only from a training perspective but also from a technology perspective… because that is the primary attack vector. That’s an ongoing frustration every year for me.”

Most worthwhile security controls

Finally, the report points to eight controls the data suggests will be worthwhile for most organizations to tighten their security posture. (The numbers in brackets correspond to the Center for Internet Security Critical Security Controls):

  • Continuous vulnerability management (CSC 3). Use this method to find and remediate things like code-based vulnerabilities; also great for finding misconfiguration.
  • Secure configurations (CSC 5, CSC 11). Ensure and verify that systems are configured with only the services and access needed to achieve their function.
  • Email and Web Browser Protection (CSC 7). Lock down browsers and email clients to give your users a fighting chance.
  • Limitation and Control of Network Ports, Protocols and Services (CSC 9). Understand what services and ports should be exposed on your systems, and limit access to those.
  • Boundary Protection (CSC 12). Go beyond firewalls to consider things like network monitoring, proxies and multifactor authentication.
  • Data Protection (CSC 13). Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email providers.
  • Account Monitoring (CSC 16). Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multifactor authentication also fits in this category.
  • Implement a Security Awareness and Training Program (CSC 17).

Download the full report here. Registration required.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
