Last year around this time we examined the results of Verizon’s annual Data Breach Investigations Report (DBIR). As in year’s past, Verizon analyzed the data it received from companies across the country about security incidents and data breaches the companies experienced. In total, Verizon examined over 100,000 incidents from across eighty-two countries. The results of the analysis provide key insights into the constantly evolving world of cyber-security. While it is not a quick read, it is a must read for companies that want to stay on top of today’s security risks and vulnerabilities. Without further ado, the results of this year’s report:
Financial gain was still the number one motivator behind data breaches. Industries hit hardest with confirmed data breaches this year were finance, accommodation, information, and public. 63% of confirmed data breaches involved weak, default or stolen passwords. A large majority of breaches are still caused by “miscellaneous error,” which includes incidents like sending an email to the wrong recipient and not disposing of documents properly. Phishing retained its status as the method of choice for would be hackers, and resulted in 9,576 incidents in 2015. 30% of phishing messages were opened by recipients, which is a 7% increase from last year. About 12% of the people went on to click the malicious attachment. On average, these emails get opened within two minutes. Shockingly, only 3% of targeted individuals alerted management of the phishing email.
What does all this mean? Verizon said it best, “what we have here is a failure to communicate.” These numbers establish that “the communication between the criminal and the victim is much more effective than the communication between employees and security staff.” As a result, companies should implement routine employee security awareness training and exercises, as well as, implement a hassle-free way for employees to report incidents. Companies should ensure that employees are required to regularly change passwords and cannot duplicate them across networks. Finally, companies should keep a record of common “miscellaneous errors” that have plagued the organization and then implement employee training which is targeted to minimize these errors in the future.