Tuesday was the day we security aficionados look forward to all year. It’s our Super Bowl, our New Year’s Eve, and our Thanksgiving Day feast all rolled into one. It is the day the always-irreverent 2015 Verizon Data Breach Investigations Report (DBIR) is released, and, boy, was it a good one.
Because we’re crazy about data security, we’ve taken the liberty of scouring the 69-page report for you, picking out the juicy nuggets you need to know about (at least those directly related to the human side of data protection…) and saving you the time of reading through the hefty document for yourself. Consider it our gift to you.
You’ll find our six key takeaways below.
1. “People” Remain the Biggest Security Threat (Good job!)
As it has done previously, the DBIR grouped the year’s security attacks into a friendly hierarchical cluster. The top four security threats were found to be:
- Miscellaneous Errors, 29.4%
- Crimeware, 25.1%
- Insider Misuse, 20.6%
- Physical Theft/Loss, 15.3%
What’s the common denominator? People!
Whether it’s sending a confidential e-mail to the wrong person, getting infected, or simply losing their computer, people account for nearly 90% of all security incidents. Go ahead and give yourself a high five! No, not because you’re practically a walking liability, but because this is good
What this means is that while it may seem like security threats are always growing, always changing, and always lurking, this isn’t the case. The best way to protect your organization from threats is to give your employees the security and privacy awareness training they need to identify and avoid potential threats. The smarter they are, the safer your business information becomes.
2. You Also Keep Falling for Phishing…
Fashionable since the early 90s, phishing continues to evolve and continues to trick, especially those in the Communications, Legal and Customer Service arenas. According to the report, 23% of recipients open phishing messages and 11% click on attachments to those messages (c’mon!). Perhaps even scarier, 50% of recipients open e-mails and click on phishing links within the first hour of their being sent. This year, we did see a slight decline in users actually going to phishing sites and giving up passwords, so we’re learning there, but falling for everything else.
The goal of today’s more-evolved phishing efforts isn’t just to elicit sensitive information, but for attackers to establish a presence on user devices, set up camp, and to continue a stealthy existence living and playing in your network. Because of the increased danger, the report highlighted three things to help combat phishing.
- Better e-mail filtering before messages arrive in user inboxes
- Developing and executing an engaging and thorough security awareness program
- Improved detection and response capabilities
The best “detection and response” device you have is truly your own people. By educating them on phishing and social engineering you’ll train them to detect phishing attempts and to stop clicking on those links. This is important as the median time-to-click on phishing e-mail is just one minute and 22 seconds. Your team must immediately be able to tell when something looks phishy!
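If you run your own phishing simulations as part of that awareness program, the numbers the report quotes (click rate, median time-to-click, share of clicks inside the first hour) are exactly what you should be tracking campaign over campaign. The script below is an added example, not code from the DBIR or from this post; it reads a constructed log of "sent" and "click" events (the format and the recipient addresses are assumptions) and computes those three metrics so you can see whether training is actually moving them.

```python
"""Measure time-to-click in a simulated phishing exercise.

Added example, not from the DBIR or the post's author. The log format
("<ISO timestamp> <event> <recipient>") and the sample addresses are
constructed for illustration.
"""
from datetime import datetime
from statistics import median

# Constructed sample log: four recipients, three of whom clicked;
# alice clicks twice (only her first click should count).
SAMPLE_LOG = """\
2015-04-14T09:00:00 sent alice@example.invalid
2015-04-14T09:00:00 sent bob@example.invalid
2015-04-14T09:00:00 sent carol@example.invalid
2015-04-14T09:00:00 sent dave@example.invalid
2015-04-14T09:02:00 click alice@example.invalid
2015-04-14T09:01:22 click alice@example.invalid
2015-04-14T09:45:00 click bob@example.invalid
2015-04-14T13:30:00 click carol@example.invalid
"""


def parse_events(log_text):
    """Return (timestamp, event, recipient) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, recipient = line.split()
        events.append((datetime.fromisoformat(ts), event, recipient))
    return events


def time_to_click(events):
    """Seconds between the send and each recipient's FIRST click.

    Events are processed in timestamp order so that log order does not
    matter; repeat clicks by the same person are ignored.
    """
    sent_at = {}
    first_click = {}
    for ts, event, recipient in sorted(events):
        if event == "sent":
            sent_at[recipient] = ts
        elif event == "click" and recipient in sent_at and recipient not in first_click:
            first_click[recipient] = ts
    return {r: (first_click[r] - sent_at[r]).total_seconds() for r in first_click}


def campaign_metrics(log_text):
    """Click rate, median time-to-click and first-hour share for one campaign."""
    events = parse_events(log_text)
    recipients = {r for _, e, r in events if e == "sent"}
    clicks = list(time_to_click(events).values())
    return {
        "recipients": len(recipients),
        "clicked": len(clicks),
        "click_rate": len(clicks) / len(recipients) if recipients else 0.0,
        "median_seconds_to_click": median(clicks) if clicks else None,
        # Share of clickers who clicked within 3600 s of the send.
        "clicked_within_first_hour": (
            sum(1 for s in clicks if s <= 3600) / len(clicks) if clicks else 0.0
        ),
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run it as-is to see the metrics for the constructed log; in practice you would feed it the export from your phishing-simulation tool. Comparing the median time-to-click against the report's one minute and 22 seconds tells you how much of a window your responders realistically have.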
3. Breaches are Expensive
The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000. You could overpay a whole person for that amount.
4. Five Malware Events Occur Every Second
Let that lull you to sleep tonight.
5. Security Matters – Don’t Delay Patches
According to the DBIR, 99.9% of exploited vulnerabilities were compromised more than a year after the common vulnerabilities and exposures (CVEs) were published. The patch to prevent the breach already existed; people just hadn’t downloaded it yet. Oof.
If you work in an organization where you need to initiate system patches, don’t delay in doing so. And while you’re at it, make an effort to stay up-to-date on patches at home, as well.
Good habits help everyone, and they prevent security threats.
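A practical way to act on the "more than a year after the CVE was published" finding is to triage your open findings by CVE age rather than by severity alone, and treat anything with a patch that has been available for over a year as the first thing to fix. The snippet below is an added example, not part of the DBIR or this post; its scanner export format is an assumption and the CVE identifiers are obviously constructed placeholders, not real entries.

```python
"""Triage unpatched findings by the age of their CVE.

Added example, not from the DBIR or the post. The input is a constructed
scanner export; the CVE ids are placeholders (CVE-0000-000N), not real
vulnerabilities.
"""
from datetime import date

# Constructed findings: (host, cve_id, cve_published, patch_available, patched)
FINDINGS = [
    ("web-01", "CVE-0000-0001", date(2013, 3, 1), True, False),
    ("web-01", "CVE-0000-0002", date(2015, 2, 20), True, False),
    ("db-01", "CVE-0000-0003", date(2012, 11, 5), True, True),
    ("mail-01", "CVE-0000-0004", date(2014, 1, 15), False, False),
]


def cve_age_days(published, today):
    """Whole days elapsed since the CVE was published."""
    return (today - published).days


def triage(findings, today, stale_after_days=365):
    """Group unpatched findings into three buckets, oldest first.

    stale:    a fix exists and the CVE is older than stale_after_days
              (the bucket the DBIR says nearly all exploits fall into)
    recent:   a fix exists and the CVE is within the window
    no_patch: no vendor fix yet, so mitigation rather than patching applies
    """
    buckets = {"stale": [], "recent": [], "no_patch": []}
    for host, cve, published, patch_available, patched in findings:
        if patched:
            continue  # already fixed; nothing to do
        age = cve_age_days(published, today)
        if not patch_available:
            buckets["no_patch"].append((host, cve, age))
        elif age > stale_after_days:
            buckets["stale"].append((host, cve, age))
        else:
            buckets["recent"].append((host, cve, age))
    for bucket in buckets.values():
        bucket.sort(key=lambda item: item[2], reverse=True)
    return buckets


def stale_share(buckets):
    """Fraction of unpatched, patchable findings that are stale."""
    patchable = len(buckets["stale"]) + len(buckets["recent"])
    return len(buckets["stale"]) / patchable if patchable else 0.0


if __name__ == "__main__":
    result = triage(FINDINGS, today=date(2015, 4, 15))
    for name, items in result.items():
        print(name, items)
    print(f"stale share of patchable findings: {stale_share(result):.0%}")
```

The `stale` bucket is the list to hand to whoever owns patching; `no_patch` items need a compensating control in the meantime, and the `stale_share` number is a useful one to trend in your own reporting.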
6. Web App Attacks
The most affected industries for web app attacks were Information, Financial Services, and Public. It’s worth noting that virtually every attack in this data set (98%) was opportunistic in nature, all aimed at easy marks, and that 95% of the incidents involved harvesting stolen credentials. This means you can make yourself less of a target by training your developers to build security protections into the process from the very start. Don’t walk alone at night, don’t swim on a full stomach, and do invest in secure application development courses for your team.
One interesting tidbit that distinguished the Financial Services industry from the rest was that end-user devices were a factor in 82% of incidents, with nearly a tenth of them involving some human element (there you go again…) like phishing or social media. The pattern looked something like this:
Phish customer -> get credentials -> abuse web application -> empty bank/bitcoin account.
If you haven’t hopped onto the security awareness training bandwagon yet, you’re reading a different report.
The Final Verdict?
The 2015 DBIR reinforces things we already know: Pay attention to security basics. Download your patches. Implement a security awareness program in your organization. Make security a habit. And follow the essentials. They’ve only become even more important in today’s online environment.