Cyber criminals are continuing to exploit human nature as they rely on familiar attack patterns such as phishing, and increase their reliance on ransomware, finds the Verizon 2016 Data Breach Investigations Report.
This year’s report points to repeating themes from prior-year findings and storylines that continue to play off of human frailty, including:
- 89% of all attacks involve financial or espionage motivations.
- Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85% of successful exploits.
- 63% of confirmed data breaches involve using weak, default or stolen passwords.
- 95% of breaches and 86% of security incidents fall into nine patterns.
- Ransomware attacks increased by 16% over 2015.
- Basic defenses continue to be sorely lacking in many organisations.
‘The increasing importance of the Data Breach Investigations Report – DBIR – to businesses, law enforcement and governmental agencies demonstrates a strong desire to stay ahead of cyber crime,’ said Chris Formant, president of Verizon Enterprise Solutions.
‘Now more than ever, the collaboration and contributions evidenced in the DBIR from organisations across the globe are required to fully understand the threat landscape. And understanding is the first step toward addressing that threat.’
Phishing tops list of increasing concerns
One area that cyber criminals have exploited dramatically over the prior year is phishing, where end users receive an email that appears to come from a legitimate source but is actually fraudulent. Alarmingly, 30% of phishing messages were opened – up from 23% in the 2015 report – and 13% of those recipients went on to open the malicious attachment or click the nefarious link, allowing malware to be dropped and giving cyber criminals a foothold in the organisation.
In prior years, phishing was a leading attack pattern for only cyber espionage and has now spread to seven of the nine incident patterns in the 2016 report. This technique is amazingly effective and offers attackers a number of advantages such as a very quick time to compromise and the ability to target specific individuals and organisations.
Adding to the list of human errors are those perpetrated by the organisations themselves. Labelled ‘miscellaneous errors,’ this incident pattern group takes the No. 1 spot for security incidents in this year’s report.
In fact, 26% of these errors involve sending sensitive information to the wrong person. Other errors in this category include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones.
‘You might say our findings boil down to one common theme – the human element,’ said Bryan Sartin, executive director of global security services, Verizon. ‘Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?’