The recently released 2017 Data Breach Investigations Report (DBIR) is Verizon’s tenth look at real-world security events that are impacting organizations around the globe.* We again contributed to this report, and looked forward to seeing what this year’s study would reveal about the state of data security.
The results are in, and here are some of the points we found particularly interesting:
Social Engineering Factored Into 43% of All Breaches
According to the “Attack the Humans!” section of the DBIR, 1,600+ incidents and 800+ breaches featured “social actions,” and 43% of all breaches included in the study’s dataset had a social engineering component. Here are some other key stats related to social attacks:
- Phishing accounted for 93% of social attacks.
- Phishing (emails that use a link or attachment as the “bait”) and pretexting (creating an imposter persona and dialogue to fool a victim) represented nearly 98% of all incidents and breaches that featured social engineering.
- Email was the communication channel used in 88% of financial pretexting attacks. (The next most common method was vishing phone calls, which accounted for nearly 10% of these types of social-driven attacks.)
- 28% of phishing breaches were targeted.
A Phishing Email Is Often Much More Than a Phishing Email
As was noted in the report, phishing is often the first in a chain reaction of events; the phishing email merely creates the initial foothold, with subsequent actions giving attackers the access they are ultimately seeking.
As was also shown in last year’s report, phishing emails and malware are a potent and pervasive one-two punch. This year’s study indicated that a whopping 95% of phishing attacks that lead to a breach were followed by an installation of malware and that 66% of malware was installed via infected email attachments.
Repeat Offenders Compound Risk
If you think that falling for a phishing attack is the best way for your end users to learn not to fall for another one…think again. Getting burned once is no guarantee that a user won’t get tricked again (a big reason we advocate for security awareness training programs that think beyond simulated attacks).
According to data across multiple DBIR contributors, 7.3% of users were fooled by a link or an attachment in a phishing email. Within that group, the report indicates that “in a typical company (with 30 or more employees), about 15% of all unique users who fell victim once, also took the bait a second time. 3% of all unique users clicked more than twice, and finally less than 1% clicked more than three times.”
Risky End-User Behaviors Are Affecting Most Industries
Though the DBIR notes that “the majority of industries are not significantly different with regard to the percentage of users that click on phishing links or attachments,” end-user risk definitely seems to rear its head in specific ways for specific industries. For those industries targeted by cyber-espionage, the DBIR data indicates there is a strong link between phishing and these types of attacks, with trade secrets five times more likely to be targeted than personal data.
Notable industry stats include the following:
- Tallying more than 50% of the total, Public Administration and Manufacturing were most prone to social breaches like phishing (not including botnet-driven attacks).
- 94% of breaches within the Manufacturing sector were related to cyber-espionage, and 90% of the data compromised in these breaches was classified as “secret” data (e.g., R&D information). Many breaches in this sector begin with a phishing attack at the employee level.
- In the Retail industry, the most common method of web application compromise was the use of credentials that were stolen from customers during phishing attacks.
- Errors, theft, and loss continue to plague the Healthcare industry, with nearly 30% of all breaches in this space linked to misdelivery, improper disposal, and lost assets.
- Cyber-espionage and human errors were prevalent patterns in the Education industry, and social components factored into the majority of attacks in the space, which saw a lot of “combination attacks” (e.g., social + hacking, social + malware, and social + hacking + malware).
Security Awareness Training Is Recommended
Like many other studies, the DBIR makes reference to the need for better end-user understanding of and participation in breach prevention. From knowledge of policies to implementation of cybersecurity best practices, the study offered several practical pieces of advice to consider in addition to technical safeguards:
- Train employees and students on security awareness, and encourage/reward them for reporting suspicious activity such as potential phishing or pretexting attacks.
- Pay attention to what you are doing. Many of the problems in Healthcare are errors that could have been prevented.
- Train your employees with regard to phishing, and provide them with a quick and easy way to report suspicious emails.
- Have a process for approving payments that includes some form of communication other than email. Train the employees who can pull the trigger on money transfers that they will never ever be asked over email to transfer funds outside of the documented approval policy.
- Reporting is key to limiting the effectiveness of phishing that makes it past your email filters.
We leave you with this one last quote from the DBIR that is similar to security awareness and training advice we’ve offered in the past:
You’re never going to completely stop phishing emails getting through and being clicked, but if you have a good process for detecting and handling them, they’re less likely to impact your organization.
* For reference, Verizon makes a clear distinction between a security incident and a security breach. An incident is “a security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is “an incident that results in the confirmed disclosure — not just the potential exposure — of data to an unauthorized party.”