The Annual, Breathless ‘What the DBIR Means for You’ Blog Post
If you’re in the movie industry, you write about the Oscars.
If you’re in theater, it’s the Tonys.
In print, the Pulitzer Prize.
And in cybersecurity, we have the DBIR.
Once a year for the last 13 years, Verizon has released its Data Breach Investigations Report (DBIR).
Every year, bloggers at cybersecurity companies like mine dissect what it means for their buyers. If we’re honest, one of the points of writing about the DBIR in this way is to point to the inevitable conclusion: you should buy the products or services of __________ (fill in your company here).
Cynicism and snark aside, though, the DBIR always has interesting insights into that mystifying beast we call the human mind, observed in its natural state: at work, navigating our complicated digital world.
I’ll call out a few of these insights, but you know what you should really do?
Don’t take my word about what’s interesting!
Go dive into the DBIR and read it yourself. It’s quite well written with a lot of quirky humor.
As you skim, think about what’s here that you could put to use. What insight could you use to modify and deepen how you approach your job?
I tend to think about the information in the DBIR in terms of how I educate employees about changing their behavior relative to the threat environment, but there may be something else there that draws you.
If you’re interested in a quick look at some of the interesting stuff you might apply to your security training and awareness program, here are a few jewels I found (with page references):
- Phishing still leads the way when it comes to breaches (page 13). I don’t know about you, but I’m so damn bored with phishing that I can hardly see straight. But until we finally tune either our tech or our people to filter out phishing attacks, we must keep working at it. Here’s encouragement to keep phishing front and center as a training topic.
- Human error is growing as a factor in breaches. Paradoxically, this may be good news. Not good that people keep making mistakes, but good that those mistakes are getting reported. We can’t fix our mistakes unless we understand what they are, so this is a trend in the right direction. Keep focusing on incident reporting! See page 14.
- There’s a dotted line from social factors to the hacking section (starts page 19) you should pay attention to. Most hacking starts with stolen credentials, and those are stolen from people who didn’t protect them sufficiently. Using and protecting strong credentials is just good hygiene and you can’t talk about it enough. (God knows I’ve tried when it comes to password managers!)
- If you only want to read one page of the DBIR, read page 24. It will convince you it’s all about employees. Well, employees clicking on phishing. And look, it still really is all about email. Despite what you’ve heard, the risks from SMS and phone phishing—I’m sorry, smishing and vishing—are still really low.
As for those of you who are truly only interested in your industry, the folks at Verizon understand (see their comment on page 43). They spell out the details in each industry section so you don’t have to do extra work.
Same goes for business size.
Same goes for region.
I’ll say it again: the DBIR is incredibly well researched and data-rich. If you’re relying only on recap articles to distill basically the same points, you’re doing yourself a disservice. Go read the thing!
And Now My Craven Duty...
I’d be neglecting my duty if I didn’t draw a straight line from the DBIR to why you should use MediaPRO to help you run your training and awareness program. Here goes:
This year’s DBIR shows the following:
- Cybercriminals attack big companies
- Cybercriminals attack small companies
- They mostly want money
- They also want personal data
- They come after employees
MediaPRO educates employees. Buy MediaPRO.
There you go. That’s it, in 32 words. If I really worked at it, I could probably make it a haiku.