Something stuck out about this year’s much-anticipated Verizon Data Breach Investigations Report, or DBIR.
It wasn’t the updated numbers showing how bad we still are choosing secure passwords and falling for phishing emails (more on that in a second). It wasn’t the meteoric rise of ransomware, which saw a 50% increase in usage since last year’s report.
It was the focus on hope the DBIR authors included in their introduction. Hope that the more information is publicly available about cyberthreats and data breaches, the better organizations will be prepared for them. As the authors write (emphasis added):
Our hope is that while this report will not be able to definitively answer the macro-level question of ‘are we getting better?’ you the readers, can leverage the combined efforts (thank you again data contributors!).
Use the results of this study as a platform to improve your organization’s awareness of tactics used by the adversary, to understand what threats are most relevant to you and your industry, and as a tool to evangelize and garner support for your information security initiatives.
The Risk Between the Keyboard and Chair
Hope amid a sea of employee-related threats is likely hard to see for most. As with previous editions, the 10th annual DBIR found the human element as a common factor across many of the 42,068 incidents and 1,935 breaches the report authors analyzed. As Bryan Sartin, the executive director of Global Security Services at Verizon Enterprise Solutions, put it:
Cyber-attacks targeting the human factor are still a major issue. Cybercriminals concentrate on four key drivers of human behavior to encourage individuals to disclose information: eagerness, distraction, curiosity, and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.
1. Phished and Phished Again
Phishing once again proved a popular method for hackers to gain access to sensitive data. The report found that 66% of malware was installed via a malicious email. Overall, 43% of data breaches involved phishing, with cyber-espionage and financially motivated attacks standing out as common phishing attack goals.
We’ve made the case for comprehensive security awareness programs that include phishing simulation before, and this data supports the call. From a training perspective, this is a perfect opportunity to make sure your people know when not to click. Check out this article of ours for tips on getting the most out of simulated phishing campaigns.
2. Rise of Ransomware
It may not surprise you to hear that ransomware was the poster child for cyberthreats last year. Ransomware moved from the 22nd most common type of malware in the 2014 report to the fifth most common in the 2017 edition.
The most popular way for ransomware to get in? Humans. Social engineering exploits, such as phishing emails, were found in 21% of ransomware incidents, up from 8% in last year’s DBIR.
If employees let ransomware in, though, that also means they can be empowered to keep it out. Here we’re talking about not just static security awareness training, but that which can be updated over time to adapt to emerging threats, such as ransomware. This will allow employees to be ready to identify all kinds of attacks, even if they’re novel. There’s no telling what the next malware-du-jour will be.
3. Healthcare Under Threat
Fifteen percent of data breaches impacted the healthcare industry, second only to the financial sector.
The DBIR data shows a twofold problem in the healthcare industry. One: healthcare was the only sector where employees are the predominant threat actor in breaches. Privilege misuse, miscellaneous errors, and physical theft or loss were the cause of 80% of breaches in healthcare. Two: ransomware is a big problem for hospitals and medical centers. In 2016, ransomware accounted for 72% of malware incidents in the healthcare industry.
For us, these statistics point to a need for training for healthcare employees that goes beyond HIPAA compliance. HIPAA training is required for a good reason but is not enough to equip employees with the tools to recognize and fend off cyberthreats.
4. Passwords Yet Again
The report found that 80% of hacking-related breaches leveraged either stolen and/or weak passwords. That’s an increase from 63% in last year’s DBIR.
Combating the sort of security fatigue that can lead to password laziness can be tough, especially when it seems to repeat itself. But, another benefit of a multi-faceted and comprehensive security awareness program is the focus on training reinforcement: content like videos, games, even posters for around the office to remind employees of best practices they’ve learned during initial training sessions.
If password strength is a repeated problem, then repeated (but varied) training content focusing on this risk is what’s called for.
5. Consider the Pretext
As the DBIR defines it, “pretexting is a form of social engineering focused on creating a scenario, or pretext, to influence your target.” A common example is cybercriminals who spoof the email address of a company’s CEO and send wire transfer requests to the finance department. Pretty easy money, if the finance folks are fooled. Verizon’s researchers found that 88% of financial pretexting incidents are email-based.
The connection to security awareness here is an obvious one, given that pretexting cybercriminals have once again set their sights on the employee. But a security awareness program is only as good as the lessons its teaches. Quality of content is key, here, but so is making sure you’re teaching the right things. That said, we also feel this is an opportunity to make the case for a risk-based approach to employee awareness.
Some organizations, for example, will be more vulnerable to pretexting attacks than others. Including content on this threat, or any other, should depend on how much your employees already know about it. It’s tools like phishing simulators and employee knowledge assessments that allow you to precisely identify the exact nature of your human risks. Teaching employees things they already know is at best a waste of time, while not focusing on the threats your organization is weakest against can be dangerous.
A Cause for Hope
Though hope might seem an odd concept to begin a massive report on cyberthreats, we also see a cause for hope buried in the 87-page DBIR.
As security awareness experts, we see human-based cyber risks as a curse and a blessing. A curse, sure, because time and again we see how one errant click or misspent email can have disastrous consequences.
But a blessing? Yes! Because humans are part of the problem, they must also be part of the solution. All you’ve got to do is start building a comprehensive, risk-based security awareness program to develop cybersecurity resilience in your organization.
We know comprehensive security awareness programs. They’ve been our business for years. Contact us to see how we can help you bring your awareness initiative to the next level.