Verizon Enterprises’ 2019 Data Breach Investigations Report (DBIR) can seem imposing to get through.
The 78-page report, based on 41,686 cyber incidents, contains enough charts, graphs and numbers to make even the most number-hungry nerd blush. The report is a treasure-trove of data just begging InfoSec professionals of all types to pore over and analyze with the hope of applying this knowledge to their own efforts.
Fortunately, articles summarizing the DBIR and calling out key points (coincidentally, sometimes the very ones Verizon itself calls out in its own executive summary of the report) hit the web not too long after the report gets released.
Here’s another, this one offering four pieces of advice for security awareness training managers based on the findings of the DBIR.
Educate the Execs
C-level executives were nine times more likely this year than in years past to be the target of breaches stemming from social engineering. This means the bad guys know executives and other head honchos with “chief” somewhere in their title provide a direct path to a company’s sensitive data.
This means security awareness managers cannot exempt executives from training. Since hackers target higher-ups with social engineering attacks, these folks need as much knowledge as the average employee, if not more. Be prepared to present training that speaks to them in their language: risk.
But don’t stop at social engineering! Executives need to know about the variety of cyberthreats facing employees, from knowing sensitive information when they see it to understanding the risks of working remotely.
Turn Employees into Phish Fighters
I wonder if the DBIR authors ever have trouble thinking up new ways to talk about phishing?
This year phishing emails once again were the leading way for malware to enter networks, with the average company reporting that 94% of detected malware came in via email. Thirty-two percent of confirmed breaches started with phishing, again the most common tactic. The DBIR found that employee click-through rates on phishing emails have steadily decreased over the years, but this is no reason to be less vigilant about this most popular of cyberattack methods.
If anti-phishing training, ideally paired with a phishing simulator, is not part of your awareness initiative, it should be. If you have training content about phishing emails in place, the sheer persistence of the threat may make you think “What else can I do?”
Short answer: get creative. Try running a company-wide “catch the phish” competition to encourage reporting actual phishing emails or build in a “phish of the month” presentation to regular company meetings. We’ve got more ideas on how to use real phishing emails to educate here.
Connect the Dots on Credential Theft
The DBIR researchers noted an increase in hacks on cloud-based email servers, with 29% of breaches resulting from stolen credentials being used to access these and other cloud-based tools. Credential access to email accounts gives the bad guys a variety of methods to inflict further damage, from sending out phishing emails from the compromised account to inserting themselves into email conversations concerning payment or invoices and shutting out the victimized employee.
For awareness training purposes, scenarios like those described in the DBIR are perfect examples to show employees what’s at stake.
Make it easy for employees to see themselves in these situations and build lessons on keeping strong credentials in the first place, using either two-factor authentication or password managers, and staying wary of social engineering attempts that seek login information. This is also an opportunity to call out what cloud storage policies your company may have and differentiate between storing personal information on cloud storage and using cloud tools for work information.
Know Your Audience
One of the most useful parts of the DBIR is the detail the authors put into analyzing threat trends by industry. They’re careful to say that this data shouldn’t be used to judge which industry is “more secure,” but the data still provides insight into what threats a given sector should pay closer attention to.
The healthcare field stands out, for example, because the majority of its data breaches are attributable to staff members making mistakes (confidential information sent to the wrong recipient, for example). The finance sector struggled most with stolen credentials, with a quarter of breaches attributable to this attack vector.
The lesson for security awareness managers? Know your audience. Employees from any industry will benefit from core lessons on security best practices, but the DBIR and other research show some threats are more prevalent in certain industries than others. This theme of knowing what content best fits your employees should be extended to specific job roles, too. The more relevant training is to your employees’ experiences, the more likely it is to stick.
The Last Word
We’re more than happy to leave the last word of a DBIR summary article to the authors themselves because of all the work that goes into the report. This quote from the report’s executive summary sums up our thoughts well:
“The most important defense is knowledge. By gaining perspective, insight and understanding of the threats they face, organizations can take crucial steps to mitigate them.”
We couldn’t agree more. When it comes to defending your organization, a little awareness is a powerful thing.
Want to learn more about empowering your employees through behavior-changing awareness training? Reach out to one of our experts to see how MediaPRO can help you level up your awareness initiative.