Release for Spring 2015: The Annual Verizon Data Breach Investigations Report
It’s that time of year again. Spring is in the air, flowers are in bloom, and Verizon’s annual Data Breach Investigations Report (DBIR) has been released. As in years past, this year’s numbers shed some light into, not only who is at risk, but also where the risk lies.
The report focuses its data collection on key types of data breaches: point-of-sale intrusions, payment card skimmers, crimeware, web app attack, denial-of-service attacks, physical theft/loss, insider/privilege misuse, miscellaneous errors (sending emails to the wrong recipient), and cyber-espionage. Due to the level of detail contained in the report, it is not a quick read, but for anyone interested in getting a better handle on their company’s security risks and vulnerabilities, it is a must read.
It should come as no surprise that the DBIR reveals that employees are still the number one cause of all security breaches. Errors made by internal staff are the main culprit of these breaches. These errors were largely caused by sensitive information reaching incorrect recipients, publishing nonpublic data to public web servers, and insecure disposal of personal and medical data.
What may surprise companies is that 14% of breaches are caused by insiders abusing their privileges and another 12% are caused by the IT department itself. Verizon identified financial gain as the primary motivator as to why insiders abuse the privileges given.
Phishing still accounts for a large percentage (20%) of all attacks. DBIR revealed that 23% of recipients now open phishing messages and 11% click on attachments. Nearly 50% of the people open and click on phishing links within the first hour. A company’s communications, legal, and customer service department employees were far more likely to open the email, than other departments. Whether that statistic is related to the specific job requirements of those departments is unknown. In order to prevent a successful phishing attempt, Verizon recommends that companies implement better e-mail filtering before messages arrive in user in-boxes, develop and execute an engaging and thorough security awareness program, and improve detection and response capabilities.
Think your company is immune to this type of attack? Think again. The report reveals that last year alone there were over 79,000 security incidents and over 2,000 confirmed data breaches. Almost every industry was affected, with the public sector, information, and financial services industries holding the top spots. The report also revealed that network security software is only 24% effective in fighting cybercrime. Despite this low percentage, Michael Hickens at Forbes reported last week that companies still spend two-thirds of their security budgets defending their porous perimeters.
In light of this report, companies should re-evaluate their current security measures to ensure all are up-to-date with current trends. As always companies should also continue to train employees to identify and report suspicious emails or computer activity.