Verizon recently released the tenth annual edition of its Data Breach Investigations Report (DBIR). Inside is a lot of information drawn from more than 40,000 analyzed security incidents and nearly 2,000 confirmed data breaches. Beyond the many significant statistics and the wealth of good cybersecurity information, a few takeaways deserve every organization's attention: smaller organizations are also victims of data breaches, and training might just be the most important tool in the cybersecurity toolbox. The top ten findings are listed below.
The 2017 report determined:
- 61% of the attacks targeted businesses with fewer than 1,000 employees.
- 75% of the attacks were perpetrated by outsiders; 25% involved insiders.
- 81% of hacking-related breaches leveraged stolen and/or weak passwords.
- 24% were against financial organizations.
- 73% were financially motivated.
- 95% of phishing attacks that led to a breach were followed by some type of software installation, and 66% of malware was installed via malicious email attachments.
- 51% of the breaches involved malware.
- 1 in 14 users were tricked into clicking on an attachment or link in an email message. Unfortunately, 25% of those fell for it more than once.
- 60% of the breaches involved some type of physical security breach. This category includes, but is not limited to, insiders stealing data, snooping, or someone inside providing data to a competitor.
- 88% of the breaches fell into one of nine incident patterns (in no particular order): Denial of Service (DoS), web application attacks, Point of Sale (POS) intrusions, payment card skimming, physical theft and loss, crimeware such as ransomware, cyber-espionage, privilege misuse, and miscellaneous errors. The last pattern covers publishing errors, improper disposal of information, and misconfiguration, as well as mailing paper documents to the wrong recipient, which was the most common error.
While there are numerous areas on which to focus as a result of the findings in this report, there are a couple that should be high priority:
1. Train employees on the nine categories that see the highest number of intrusions.
2. Ensure that everyone who opens email knows how to identify potentially malicious attachments and links. Then provide continual awareness training to keep on top of the most recent threats.
3. Have a solid policy on creating strong passwords, teach users how to create good ones (a long passphrase beats a short string of symbols), and require them to be changed promptly whenever compromise is suspected. NIST SP 800-63B, published the same year as this report, advises against forcing periodic changes for their own sake, because users respond with predictable variations of the old password. Screening new passwords against lists of known-breached values and adding multi-factor authentication do more to blunt the 81% figure above.
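The password recommendation above is easy to turn into a concrete check. The following is an added example, not code from the original article or from Verizon: it enforces a minimum length, a deny-list of common or breached passwords (the list here is a constructed stand-in; a real deployment would load a large corpus), and rejects repeated characters, keyboard walks and passwords containing the username, without the character-class composition rules that NIST SP 800-63B discourages. The policy values and the function names are assumptions for illustration.

```python
import re

# Constructed stand-in for a breached/common password deny-list (hypothetical).
# A real deployment would load a large corpus, such as an offline
# Have I Been Pwned download, rather than this handful of values.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "summer2017",
    "iloveyou", "admin", "football", "monkey",
}

MIN_LENGTH = 12     # assumed policy minimum; NIST's floor is 8, longer is better
MAX_LENGTH = 128    # generous cap so long passphrases are allowed

# Keyboard rows and character runs used to catch "walks" such as qwertyuiop.
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "01234567890123456789",        # wrapped so runs like 7890123 are caught
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
)


def is_sequence(text: str) -> bool:
    """True if the whole string is a forward or reverse run of a known sequence."""
    if len(text) < 4:
        return False
    return any(text in seq or text in seq[::-1] for seq in SEQUENCES)


def check_password(candidate: str, username: str = "") -> list:
    """Return the policy violations for a candidate password (empty list = OK).

    Mirrors the NIST SP 800-63B approach: enforce length and a deny-list of
    known-bad values, accept long passphrases, and do not force users into
    upper/lower/digit/symbol composition rules.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    lowered = candidate.lower()
    # Strip digits and symbols so "Password123!" still matches "password".
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")

    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1+", candidate):
        problems.append("is a single repeated character")
    if is_sequence(lowered):
        problems.append("is a keyboard walk or numeric sequence")
    return problems


def is_acceptable(candidate: str, username: str = "") -> bool:
    """Convenience wrapper: True when no policy violation is found."""
    return not check_password(candidate, username)


if __name__ == "__main__":
    for pw in ("Password123!", "correct horse battery staple", "alice2017!!"):
        print(repr(pw), "->", check_password(pw, username="alice") or "OK")
```

Note that "Password123!" satisfies every classic composition rule and still fails, because stripping the decorations leaves a deny-listed word, while the plain four-word passphrase passes. That is the trade the stolen-and-weak-password statistic argues for: length and novelty over symbol counts.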
Training should not happen once and then be put aside for a year or more. People forget and get too busy to pay attention to tiny indicators. Phishers get more creative. Threats evolve. Training should continually evolve along with them.
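The indicators that awareness training teaches people to spot can also be checked mechanically before a message reaches the inbox. The following is an added example, not code from the original article or from Verizon: it parses a raw email with Python's standard library and reports four of the classic signs, a sender domain that imitates the organization's own, a Reply-To that silently redirects replies elsewhere, a link whose visible text disagrees with its real destination (or points at a bare IP address), and an attachment with an executable or double extension. The organization domain, the extension list and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

OUR_DOMAIN = "examplecorp.com"   # assumed organization domain (hypothetical)

# Extensions that should never arrive unexpectedly by email (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Deliberately simple anchor matcher; a production tool would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOOKS_LIKE_URL_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}", re.I)

# Constructed sample message (not a real phishing email): sender, URLs and
# attachment name are invented for this example.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@examplecorp-support.co>
Reply-To: recover@mail-verify.example
To: alice@examplecorp.com
Subject: Your mailbox is almost full
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://198.51.100.23/login">https://webmail.examplecorp.com</a>
within 24 hours to keep your account active.</p>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.pdf.exe"

ZmFrZQ==
--XYZ--
"""

# Constructed benign message for comparison.
CLEAN_EML = """\
From: "Bob" <bob@examplecorp.com>
To: alice@examplecorp.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Noon works for me.
"""


def _host(url: str) -> str:
    """Hostname of a URL or bare hostname, lower-cased ('' if unparseable)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _domain_of(header) -> str:
    """Domain of the first address in a parsed address header, or ''."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def find_indicators(raw: str, our_domain: str = OUR_DOMAIN) -> list:
    """Return human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain that imitates ours: contains our name but is not ours.
    sender_domain = _domain_of(msg["From"])
    org_label = our_domain.split(".")[0]
    is_ours = sender_domain == our_domain or sender_domain.endswith("." + our_domain)
    if sender_domain and not is_ours and org_label in sender_domain:
        findings.append(f"sender domain {sender_domain} imitates {our_domain}")

    # 2. Replies silently redirected to a different domain.
    reply_domain = _domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 3. Links whose visible text disagrees with the real destination.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, inner in ANCHOR_RE.findall(part.get_content()):
            dest = _host(href)
            shown = re.sub(r"<[^>]+>", "", inner).strip()
            if IPV4_RE.fullmatch(dest):
                findings.append(f"link points at a raw IP address: {href}")
            if LOOKS_LIKE_URL_RE.match(shown) and _host(shown) != dest:
                findings.append(f"link text {shown} does not match destination host {dest}")

    # 4. Attachments with executable or double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has an executable/script extension")
        if len(pieces) > 2:
            findings.append(f"attachment {name} uses a double extension")
    return findings


if __name__ == "__main__":
    for line in find_indicators(SAMPLE_EML):
        print("-", line)
```

None of these checks is proof of phishing on its own, and a real gateway would add header authentication results (SPF, DKIM, DMARC) and URL reputation. The point of the example is that every indicator it reports is one a trained user can also see by hovering over the link or reading the sender address, which is exactly what the awareness training should drill.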
© Copyright 2017 Stickley on Security