Verizon’s 2018 Data Breach Investigations Report (DBIR) is out, and companies of all sizes and industries need to take note of the results.
In a summary of its findings, Verizon noted that 73 percent of the breaches were perpetrated by outsiders, 50 percent were carried out by organized criminal groups, 28 percent involved insiders, 12 percent involved nation-state or state-affiliated actors, 2 percent involved partners, and another 2 percent featured multiple parties. The categories overlap, since a single breach can involve more than one kind of actor, which is why the figures add up to more than 100 percent.
Human error was nonetheless a factor in roughly one in five breaches. Examples included misconfigured web servers, email sent to the wrong recipient and confidential documents that were never shredded. People remain the weak link: companies are nearly three times more likely to be breached through a social attack on an employee than through exploitation of a software vulnerability.
Of those social attacks, 96 percent arrived by email. Verizon noted, “You have 16 minutes until the first click on a phishing campaign. The first report from a savvy user will arrive after 28 minutes.” For defenders that is a 12-minute window in which the lure is live and nobody has yet told the security team.
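The click-versus-report timeline above is something a security team can measure for its own organization. The script below is an added example, not code from the DBIR or from this article: it reads a constructed web-proxy log and a constructed phishing-report log (both formats, the lure domain `invoice-portal.example`, the send time and the user names are assumptions made for the example) and computes seconds to first click, seconds to first report, the exposure window between them, and which users clicked, submitted credentials, or reported.

```python
"""Phishing-campaign timeline metrics from log lines.

Added example; not code from the Verizon DBIR or this article. The log
formats, lure domain, send time and user names are constructed.
"""
import re
from datetime import datetime

# Constructed campaign send time and lure domain (assumptions for the example).
CAMPAIGN_SENT = datetime(2018, 4, 10, 9, 0, 0)
LURE_HOST = "invoice-portal.example"

# Constructed web-proxy log: "<ISO time> <user> <method> <url> <status>"
PROXY_LOG = """\
2018-04-10T09:05:12 alice GET https://intranet.example/home 200
2018-04-10T09:16:02 bob GET https://invoice-portal.example/login?id=77 200
2018-04-10T09:16:40 bob POST https://invoice-portal.example/login 302
2018-04-10T09:21:33 carol GET https://invoice-portal.example/login?id=91 200
2018-04-10T09:40:05 dave GET https://news.example/ 200
"""

# Constructed report-button / abuse-mailbox log: '<ISO time> <reporter> "<subject>"'
REPORT_LOG = """\
2018-04-10T09:28:09 erin "Invoice overdue - action required"
2018-04-10T09:55:44 carol "Invoice overdue - action required"
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
REPORT_RE = re.compile(r'^(\S+) (\S+) "(.*)"$')


def parse_clicks(log, lure_host):
    """Return (time, user, method) for every request to the lure host."""
    clicks = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, user, method, url, _status = m.groups()
        host = url.split("//", 1)[-1].split("/", 1)[0]
        if host == lure_host:
            clicks.append((datetime.fromisoformat(ts), user, method))
    return clicks


def parse_reports(log):
    """Return (time, reporter) for every user-submitted phishing report."""
    reports = []
    for line in log.splitlines():
        m = REPORT_RE.match(line)
        if m:
            reports.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return reports


def campaign_metrics(sent, clicks, reports):
    """Seconds from send to first click and first report, plus who did what."""
    first_click = min((t for t, _, _ in clicks), default=None)
    first_report = min((t for t, _ in reports), default=None)

    def since_send(t):
        return None if t is None else int((t - sent).total_seconds())

    clicked = {u for _, u, _ in clicks}
    submitted = {u for _, u, m in clicks if m == "POST"}  # posted to the lure form
    reported = {u for _, u in reports}
    exposure = None
    if first_click is not None and first_report is not None:
        # Window in which the lure was live but nobody had told the SOC.
        exposure = int((first_report - first_click).total_seconds())
    return {
        "seconds_to_first_click": since_send(first_click),
        "seconds_to_first_report": since_send(first_report),
        "exposure_window_seconds": exposure,
        "users_clicked": sorted(clicked),
        "users_submitted_credentials": sorted(submitted),
        "users_reported": sorted(reported),
        "clicked_then_reported": sorted(clicked & reported),
    }


if __name__ == "__main__":
    metrics = campaign_metrics(
        CAMPAIGN_SENT, parse_clicks(PROXY_LOG, LURE_HOST), parse_reports(REPORT_LOG)
    )
    for key, value in metrics.items():
        print(f"{key}: {value}")
```

On the constructed data the first click lands 16 minutes after the send and the first report 28 minutes after, matching the DBIR figures, with a 12-minute exposure window; note that the first reporter (erin) never clicked, while carol clicked, submitted nothing, and reported later. A report that arrives with no matching click is the cheapest early warning a SOC can get, which is the argument for a one-click report button.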
Pretexting, the social-engineering technique in which the attacker invents a plausible scenario to get a target to hand over data or take an action, has increased more than fivefold since the 2017 DBIR. The two most prevalent scenarios targeted employees in human resources and in finance. Finance staff typically receive email impersonating the CEO or another executive and requesting a transfer, while W-2 information is the data most often pried out of HR.
The most common types of breaches
The largest share of breaches, 48 percent, involved hacking; 30 percent included malware, 17 percent involved social attacks, 17 percent had errors as causal events, 12 percent involved privilege misuse, and 11 percent involved physical action. As with the actor figures, these categories overlap because one breach can chain several actions.
When malware is behind a breach, ransomware is the most common variety: it was found in 39 percent of malware-related breaches, and it now hits business-critical systems as well as desktops. Encrypting a database or file server takes the attacker little extra effort but supports a much larger ransom demand than encrypting a single workstation.
The 11th edition of Verizon’s DBIR is based on analysis of 53,308 real-world security incidents and 2,216 confirmed data breaches. More than 700 of the incidents involved ransomware, double the count in the 10th edition.
“Ransomware remains a significant threat for companies of all sizes,” said Bryan Sartin, Verizon’s executive director of security professional services. “It is now the most prevalent form of malware, and its use has increased significantly over recent years. What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom – the cyber criminal is the only winner here! As an industry, we have to help our customers take a more proactive approach to their security. Helping them to understand the threats they face is the first step to putting in place solutions to protect themselves.”
Companies most affected by breaches
As for who is getting hit hardest, 58 percent of the victims were small businesses. By industry, 24 percent of breaches affected healthcare organizations, 15 percent involved food and accommodation services, and 14 percent were breaches of public-sector entities.
In the education sector, 11 percent of attacks are motivated by “fun” rather than financial gain, yet 20 percent target highly sensitive research with espionage as the motive.
Healthcare is the only industry in which insider threats outnumber outside threats, with human error noted as “a major contributor to healthcare risks.”
In the public sector, 43 percent of breaches are motivated by cyber espionage.
Detecting breaches and protecting your systems
The timelines are lopsided: 87 percent of compromises “took minutes or less” for the attacker, yet 68 percent of breaches went undiscovered for months or more.
Verizon encourages organizations to be proactive so they do not become victims: patch as soon as possible, encrypt sensitive data, use two-factor authentication, review logs, train staff to identify warning signs, restrict data access to a “need to know” basis, and remember physical security.