En Garde! 5 Key Insights from the 2018 Verizon Data Breach Report (DBIR)

Old medieval door, detail of an old door of a castle

Last year when we shared our takeaways from Verizon Enterprises’ annual Data Breach Investigations Report (DBIR), we called attention to a theme expertly weaved throughout the pages of less-than-desirable data: hope.

It was Verizon’s hope that as more information becomes publicly available around cyberthreats and data breaches, the more prepared organizations would become. A large part of those preparations, in addition to shoring up security, pertains to the biggest risk element: the people.

Employees are essentially the gatekeepers to our companies’ data; thus, they must be treated as such. Just as you wouldn’t send your sixteenth-century guard to the wall without armor, weaponry, and a little training for combat, you shouldn’t send your employees off to defend the frontline empty-handed.

Hope 2.0

It’s safe to say that the theme of hope lives on in the 2018 report, now with the glimmer of a silver lining among the 65 pages of graphs, figures, and information that construct every CIO’s nightmares.

As the report authors write, “At first glance, it is possible that one could view this report as describing an information security dystopia since it is made up of incidents where the bad guys won, but we don’t think that is the correct way to look at it. Rather than simply seeing the DBIR as a litany of nefarious events that have been successfully perpetrated against others and therefore, may happen to you, think of it more as a recipe for success. If you want your security program to prosper and mature, defend against the threats exposed in these pages.”

Although the total number of incidents (more than 53,000) and confirmed data breaches (2,216) rose from last year (42,068 and 1,935, respectively) the report authors remain positive, believing that this data will enlighten those in power (read: everyone) to defend the gates with focus, and an en garde stance.

With that said, here are the five key insights we gleaned from this year’s report:

1. The Phish is Real

As reported each year in the past, phishing remains a popular tactic to gain entry and pillage sensitive data. Verizon reports that phishing and pretexting represent 98% of social incidents and 93% of breaches, with email still the most common vector, at a staggering 96% (up from 88% last year.) While the authors note the average percentage of people that fell for a phish may be low (4%), they reiterate that “The vampire only needs one person to let them in,” AKA, “You’re only as strong as your weakest link.”

Though there’s a fair number of phishing emails that are objectively easier to spot, cybercriminals continue to advance their tactics to attain what they’re after. Pretexting, or the creation of a false narrative to obtain information or influence behavior, as defined in the DBIR, was a tactic used in more than 14% of phishing-related emails.

The cause for alarm with pretexting is the ability to relatively quickly extract data, or in most cases, money from a target. The two business areas most targeted with a pretexting attack are finance and human resources. Often executives are impersonated with the bad guys requesting phony wire transfers or the payment of fake invoices. The DBIR refers to pretexting as “Very lucrative, with numerous six-figure losses as a part of the scam.”

While technical tools are encouraged, the best way to thwart attackers from storming the castle, again, comes down to the preparation of your first line of defense–the employees. Without knowing what phishing and pretexting emails look like, or the minute details to look for in attacks like these, there’s a very large (and potentially very costly) gap in your security coverage.

It’s also recommended within the DBIR that training be extended beyond employees that show risky clicking behavior, as there is much larger group (around 83%) that did not report a phishing campaign. This lends truth to that old adage, “If you’re not a part of the solution, you’re a part of the problem!

2. Malware Brings Misery

RansomwareGraph from 2018 DBIR showing ransomware within malware incidents on the rise since 2013 climbed from the 22nd position in 2014, to the 5th most-common type of malware in 2017. This year, ransomware now sits on the throne as the most prevalent variety of malicious code.

One of the most distressing facts about ransomware is that it can be deployed across numerous devices within an organization to maximize the impact. And, due to the nature of the “upfront payment” to release the locked-down systems, cybercriminals don’t need to rely as heavily on re-selling stolen data.

Regarding delivery, most malware attackers strike through email (an astonishing 92.4%), followed by web (6.3%), and other (1.3%.) The report authors warn readers about JavaScript, Visual Basic Script, MS Office and PDF file types, which have been flagged as potential first-stage malware hiding spots.

Once first-stage malware has successfully implanted itself, it can invite in second-stage co-conspirators via other routes. This can make tracking down and kicking out these unwanted guests exceptionally difficult. The good news, because such high percentage of malware bugs descend through email, is that a comprehensive awareness program can help shape a more risk-aware, and thus risk-averse, employee culture.

3. Mobile Matters  

As stated in the 2013 DBIR, “With respect to mobile devices, obviously mobile malware is a legitimate concern. Nevertheless, data breaches involving mobile devices in the breach event chain are still uncommon in the types of cases Verizon and our DBIR partners investigate.”

And while this year’s report says the above statement remains (arguably) true today, the data does show evidence that actors are expanding from traditional methods, and have their eyes set on mobile.

One thing remains clear: with the rise of lax open-air offices, the expansion of remote employee programs, and a tech-dependent generation beginning to take their seats in leadership positions comes a risk to an organization’s security that should not be ignored.

The DBIR warns, “As mobile devices often provide privileged access to the enterprise environment and hold two-factor authentication credentials, these classes of malware and device-based attacks can result in more damage than adware or click fraud. The potential for these infections does exist, and a common vector is the use of phishing/SMiShing [phishing via text messages] and other social attacks that entice the mobile user to download applications outside of official platform marketplaces.”


4. Hazards in Healthcare Continue

As reported last year, the healthcare industry is especially vulnerable to attack. Ransomware, phishing, and privilege misuse continue to be pain points for the field, while miscellaneous errors and crimeware have begun to climb the ladder for the cause of incidents and breaches.

This year, the DBIR lists 750 incidents and 536 confirmed data disclosures within the segment. Of the data compromised, 79% of it was medical information, 37% personal, and 4% payment.

Misdelivery, or sending something to one person that was intended for another, was the source of 62% of the aforementioned errors. This was followed by misplaced assets (computers, tablets, and even paper documents), misconfigurations, publishing errors, and disposal errors.

In the survey that underpinned our 2017 State of Privacy and Security Awareness report, we found that 78% of healthcare employees showed at least some lack of preparedness handling common privacy and security threat scenarios that were presented. Additionally, 24% of healthcare employees had trouble identifying common signs of malware, compared to the respondents in our general population survey (12%).

When it comes to rectifying these issues, the authors of the DBIR recommend a three-pronged approach:

  1. Encrypt devices. Many devices that were lost or stolen were unencrypted, which continues to feed the confirmed-breach dataset.
  2. Educate staff on data handling procedures. 6% of internal actor motives were labeled “for-fun, or curiosity.” Through staff education on which data is accessed and why, along with the proper data storage and disposal methods, the risk of an incident drops.
  3. Prepare and prevent through training. Because the data show that most common vectors of malware are from email and malicious websites, an awareness program focusing on these areas can assist employees in properly identifying, reporting, and defending against such attacks.

5. Who, What, Where, When, and Why?

We all learned the lesson of the 5 W’s back in grade school, and it’s likely the first group of questions teams have once they’ve discovered an attack on their systems—in addition to how.

Interestingly, of actors in the incidents and breaches within the DBIR were external, leaving 20% as internal actors. As documented in figures six and seven from the DBIR, found below, companies must protect themselves against organized crime groups, unaffiliated actors, state-affiliated actors, and other external groups, while also keeping a watchful eye on system admins and employees (end-users), among others, internally.

Whether taken by an internal or external actor, the top data varieties compromised were personal, including W2 information, such as social security numbers, addresses, and salary information (730), payment (563), and medical (505). The report goes on to list additional stolen data, to include login credentials, internal documents, and trade secrets.

While difficult to decipher who could be a potential threat, we recommend providing comprehensive role-based training on data retention and access. This empowers employees to be more aware of data security through education around what data they should and should not be handling, in addition to proper storage and disposal methods—digital or not.

Graph from 2018 DBIR of external and internal actor varieties in breaches.

A Cause for Action

In last year’s post, we embraced the DBIR’s theme of hope, and even referred to the human element as a blessing. Why? Because humans were (and are) a part of the problem, therefore they must also be a part of the solution.

While that certainly remains true, it’s not solely hope that will carry us into a more aware, and protected place, it’s action. Being proactive, rather than reactive, when it comes to your organization’s cybersecurity is not nearly as daunting as it’s made out to be. As found sprinkled throughout the DBIR, a comprehensive, risk-based security awareness program is an essential (and monumental) first step in fortifying your walls and securing your gates.

At MediaPRO, we believe in the power of arming your gatekeepers with the best training and armor available. Our comprehensive security awareness programs have been proven effective time, and time again, by industry leaders. Contact us today to take the first step in setting your team up for success.

Share this Post