Will we ever learn?
According to the year’s most anticipated cybersecurity investigative report, the answer to that question seems to be leaning toward the negative.
The annual Verizon Data Breach Investigations Report has been released, and with it a fresh supply of nightmare fuel for all the InfoSec professionals out there. Once again, human misbehavior and missteps account for a major portion of what ails the cybersecurity community.
Now in its ninth year, the 2016 DBIR includes more than 100,000 incidents and analysis of 2,260 breaches across 82 countries. Bryan Sartin, Verizon Enterprise Solution’s executive director of global security services, summed up this year’s report quite nicely:
“You might say our findings boil down to one common theme — the human element,” Sartin says.
“Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?”
Just the Stats, Ma’am
Let’s see some key statistics:
- In 93% of all cases, hackers compromised systems in minutes or less. Somewhat depressingly, organizations typically took weeks to discover a breach had even occurred.
- “Miscellaneous Errors,” such as sending a confidential email to the wrong person, were the cause of most security “incidents”, while “Web App Attacks” were the cause of most confirmed breaches. (The report defines an “incident” as a security event that potentially compromises the integrity, confidentiality, or availability of an information asset, while a breach means information was definitely disclosed).
- Thirty percent of phishing messages were opened, up from 23% in 2014.
- Sixty-three percent of confirmed data breaches involved the use of weak, default, or stolen passwords.
Learning at the Spot of the Foul
The Verizon report provides buckets of scary numbers such as these, all reasons to keep even the most battle-hardened InfoSec professional up at night. And they should. In an increasingly connected world, bad actors can get access to a seemingly unlimited amount of personal information with enough hard work.
But, as employee awareness training gurus (and general optimists), we see reports like these as goldmines of opportunities to change employee behavior for the better. That is, instances where a troubling statistic or trend can be used to drive home the importance of specific security awareness topics with your employee base, ideally in real time, as the employee takes a potentially risky action (see our article on the potential of such “Just-in-Time” training).
So rather than bury your head under the pillow, how about taking some time to consider these five learning opportunities and how they can shape the way you help your employees change their behaviors related to protecting information?
1. Using the “Oops”
As mentioned above, “Miscellaneous Errors” were the leading cause of security incidents. Just over a quarter of these (26%) involved sending confidential information to the wrong person. Mistakenly publishing sensitive data and improper disposal were other common “oops” moments. The report itself mentions how training can help here, pointing out that an organization’s most common mistakes should inform how the learning content is built. In other words, let an analysis of your unique risks inform your training content.
2. Fighting the Phish
Hackers want credentials: usernames and passwords made up 91% of the information stolen in phishing attacks. Why try to fight your way through firewalls and other technical safeguards when you can get the login information you need from an unsuspecting user? Additionally, as mentioned above, 30% of phishing messages were opened, up from 23% in 2014. From a training perspective, this is a perfect opportunity to make sure your people know when not to click.
3. Passwords… Again
Sixty-three percent of confirmed data breaches involved the use of weak, default, or stolen passwords. We can’t shout this one enough: use stronger passwords! “12345” and “password” are not going to cut it. Password best practices should be an integral part of a comprehensive security awareness program.
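Awareness training works best when the policy enforces the same lesson at the spot of the foul. The following is an added example (not code from the DBIR or from MediaPro) of a policy check that rejects exactly the kind of weak, default, or trivially varied passwords the report is talking about, so a user who types “P@ssw0rd1” gets told why at the moment they choose it. The common-password and vendor-default lists are constructed samples; a real deployment would load a full breached-password corpus and its own default-credential inventory (an assumption, not something the report prescribes).

```python
"""Password policy check for weak, default, or trivially varied passwords.

Added example: constructed word lists, not the DBIR's data or MediaPro's code.
"""
import re

# Constructed sample of common passwords; assumption: a real check would load a
# full breached-password list from disk or a lookup service.
COMMON_PASSWORDS = {
    "password", "12345", "123456", "12345678", "qwerty", "letmein",
    "admin", "welcome", "abc123", "iloveyou", "changeme", "monkey",
}

# Constructed sample of vendor default (username, password) pairs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("root", "toor"), ("user", "user"),
}

MIN_LENGTH = 12

# Undo common leetspeak so "P@ssw0rd" still matches "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Keyboard rows and the alphabet, used to detect runs like "1234" or "zxcv".
KEYBOARD_ROWS = (
    "0123456789", "abcdefghijklmnopqrstuvwxyz",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
)


def normalize(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leetspeak, so that
    trivial variants ("Password1", "pa55word!") collapse to the base word."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET_MAP)


def has_sequence(password: str, run: int = 4) -> bool:
    """True if the password contains `run` consecutive keyboard or alphabet
    characters in either direction (e.g. "1234", "qwer", "dcba")."""
    lower = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            window = row[i:i + run]
            if window in lower or window[::-1] in lower:
                return True
    return False


def check_password(username: str, password: str) -> list:
    """Return the list of policy failures for a credential pair; an empty list
    means it passes. Each reason is short enough to show to the user."""
    reasons = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lower in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("matches a common password (or a trivial variant)")
    if (username.lower(), lower) in DEFAULT_CREDENTIALS:
        reasons.append("vendor default credential")
    if len(username) >= 3 and username.lower() in lower:
        reasons.append("contains the username")
    if has_sequence(password):
        reasons.append("contains a keyboard or numeric sequence")
    if re.search(r"(.)\1{3,}", password):
        reasons.append("repeats one character four or more times")
    return reasons


def audit_credentials(credentials) -> dict:
    """Run check_password over (username, password) pairs and return only the
    failing usernames with their reasons: usable both as an enrollment gate and
    as a one-off audit of an existing credential export."""
    failures = {}
    for username, password in credentials:
        reasons = check_password(username, password)
        if reasons:
            failures[username] = reasons
    return failures


# Constructed sample credentials for a stand-alone run.
SAMPLE_CREDENTIALS = [
    ("admin", "admin"),
    ("jsmith", "P@ssw0rd1"),
    ("mlee", "correct horse battery staple"),
    ("dkim", "dkim2016!!"),
    ("rpatel", "zxcvbnm,./12"),
]

if __name__ == "__main__":
    for user, reasons in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The check is deliberately explainable: each reason maps to one line of an awareness message, which is what turns a rejected password into a training moment rather than a silent failure. Of the constructed sample, only mlee’s passphrase passes; the others fail on length, the default-credential list, a common-password variant, or a keyboard run.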
4. Secure that CMS
Web app attacks, in which a tool like a content management system was used to break in, were responsible for 40 percent of confirmed breaches, the most of the nine attack categories the Verizon report analyzed. The report found that most web app attacks were indiscriminate, taking advantage of a weak spot in a specific site’s architecture. The use of content management system plugins to deliver malware was especially popular. Makes the case for implementing secure application development education, doesn’t it?
5. Insider Insurance
“Insider and Privilege Misuse” was the second and fourth most common cause of security incidents and breaches, respectively. Outright malicious insider abuse was seen most often, and training will likely not help here. But, training can do a world of good with the non-malicious insider who may not have thought his or her actions all the way through. Training here can be especially effective if you develop a system to apply training at the spot of the foul, using an insider threat management tool.
One thing we were most definitely glad to see: the importance of security awareness training was highlighted early and relatively often. For instance, “training staff to spot warning signs” is one of seven “Quick Takeaways” in the 85-page report’s executive summary.
The report authors clearly see the light: all the technical safeguards in the world will not prevent a well-meaning employee from doing something he or she is not supposed to.
The Whole Picture
One of the many insightful things about the DBIR is the connections it draws between different methods of attack: how each feeds into others, allowing hackers progressively deeper and more damaging access to a given system.
The all-too-common phishing attack is a perfect example of this. A phishing attack is designed to alter a person’s behavior, which leads to the installation of malware through clicking a link or opening an attachment. That malware scoops up login credentials, which are then used to access normally secure databases, allowing access to all sorts of personal information. The hacker (or hackers) pull more email addresses from the compromised database, introducing more potential victims to phishing attacks. It’s all connected.
The same should be true of awareness programs. That’s why using a simulated phishing program alone, for example, is not enough. Such an approach targets only one vector of attack, and doesn’t do the work of helping employees see the multi-layered nature of threats.
Comprehensive security education is the key here. We don’t just mean training on multiple potential threats (though this is important). We’re talking about awareness programs that include the capacity to identify new threats through ongoing risk assessments and deploy targeted training. Such programs must also cement key learning concepts with appropriate training reinforcement resources, such as animations and games.
An awareness initiative that is deep and wide is the best defense against some of the scariest cyber threats that show up in reports like the DBIR. Some lessons may take a while to learn, but that does not make them any less important.
Want to see how MediaPro can help you address the human element? Request a demo of our Adaptive Awareness Framework for developing and maintaining security awareness programs.