The annual Data Breach Investigations Report from Verizon usually provides cybersecurity professionals with some cold comfort. This year’s report covering 53,000 security incidents, including 2,216 confirmed data breaches, is no exception. Highlights of the report include the fact that almost three-quarters (73 percent) of cyberattacks were perpetrated by outsiders. Members of organized criminal groups were behind half of all breaches, with nation-state or state-affiliated actors accounting for 12 percent. The rest (28 percent) involved insiders.
Not surprisingly, financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated. Email (96 percent) continues to be the primary entry point for these attacks. Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, according to the report.
The good news is the report finds 78 percent of people don’t click on a single phishing campaign all year. At the same time, however, 4 percent of people will click on any given phishing campaign. After that, it’s only a matter of time before malware begins to move laterally through the organization. Gabe Bassett, a senior information security data scientist at Verizon, said most of the ransomware attacks these days involve threats to destroy data rather than steal it.
According to Verizon, 76 percent of the breaches were financially motivated, and some form of ransomware now accounts for 39 percent of malware infestations. Human errors—such as failing to shred confidential information, sending an email to the wrong person or misconfiguring web servers—accounted for 17 percent of breaches.
Bassett said cybersecurity professionals can be proud of the fact that, outside of social engineering attacks that bypass cybersecurity defenses, it appears the security processes and technologies put in place are proving their value. The challenge is that now there is so much malware being distributed by social engineering attacks that most organizations still need to assume they’ve been compromised. That new reality accounts for why there is so much focus these days on threat detection.
Despite providing better cybersecurity, however, there’s still a significant amount of IT security fatigue among end users. Many of them still routinely disregard policies and best practices, resulting in breaches that no amount of cybersecurity technology is going to prevent. At the same time, senior business leaders still often question the value of cybersecurity investments that are hard to quantify on a return on investment (ROI) basis. Because of those two issues, it’s easy to see how being a cybersecurity professional is still often a thankless endeavor. Few people appreciate the number of attacks that were prevented. All they typically remember are the breaches, which, thanks to a lack of understanding of how IT works, often means the IT department takes the blame.
The good news is cybersecurity professionals and their IT colleagues are getting better at containing and cleaning up after malware gets discovered, Bassett said. The challenge now is continually educating end users on how not to make a mess in the first place.