The use of zero-day exploits and advanced persistent threats to hack into organisations makes for great news headlines. However, the reality is much more mundane and low-tech.
Cybercriminals are continuing to exploit human nature as they rely on familiar attack patterns, such as phishing and malware, Verizon’s 2016 Data Breach Investigations Report found.
PLENTY MORE PHISH IN THE SEA
Phishing is a form of social engineering in which the victim receives a message, usually an e-mail, purporting to be legitimate. It tricks the recipient into revealing usernames, passwords or financial details. It may also include links or documents containing malware.
Alarmingly, the report found 30% of phishing messages were opened, up from 23% last year. Around 13% of those went on to open the malicious attachment or click on the link.
Previously used mainly in cyber-espionage, phishing has become a popular attack vector because of the short time to compromise and the ability to target both individuals and organisations.
Recommended controls to protect against phishing include e-mail filtering, employee awareness training, and limiting what a compromised device can reach through network segmentation and strong authentication for access to more sensitive areas of the network.
In addition to phishing, human error is also behind many other security incidents. These include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets, such as laptops and smartphones. Around one-quarter of these miscellaneous errors involve people mistakenly sending sensitive information to the wrong person.
“Our findings boil down to one common theme — the human element,” said Bryan Sartin, executive director of global security services, Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection, we continue to see many of the same errors we have known about for more than a decade.”
The 2016 report reiterates the need for the basics. Organisations are advised to patch known software vulnerabilities promptly. They are advised to inform themselves about common attacks within their industry and train staff accordingly. Moreover, knowing what data their organisation holds and its value is critical to protecting it. Two-factor authentication and encryption are just two recommended methods for protecting sensitive data.
Chart: Number of breaches per threat category (source: Verizon 2016 Data Breach Investigations Report).