Notable industry stats include the following:
- Tallying more than 50% of the total, Public Administration and Manufacturing were most prone to social breaches like phishing (not including botnet-driven attacks).
- 94% of breaches within the Manufacturing sector were related to cyber-espionage, and 90% of the data compromised in these breaches was classified as “secret” data (e.g., R&D information). Many breaches in this sector begin with a phishing attack at the employee level.
- In the Retail industry, the most common method of web application compromise was the use of credentials that were stolen from customers during phishing attacks.
- Errors, theft, and loss continue to plague the Healthcare industry, with nearly 30% of all breaches in this space linked to misdelivery, improper disposal, and lost assets.
- Cyber-espionage and human errors were prevalent patterns in the Education industry, and social components factored into the majority of attacks in the space, which saw a lot of “combination attacks” (e.g., social + hacking, social + malware, and social + hacking + malware).
Security Awareness Training Is Recommended
Like many other studies, the DBIR makes reference to the need for better end-user understanding of and participation in breach prevention. From knowledge of policies to implementation of cybersecurity best practices, the study offered several practical pieces of advice to consider in addition to technical safeguards:
- Train employees and students on security awareness, and encourage/reward them for reporting suspicious activity such as potential phishing or pretexting attacks.
- Pay attention to what you are doing. Many of the problems in Healthcare are errors that could have been prevented.
- Train your employees with regard to phishing, and provide them with a quick and easy way to report suspicious emails.
- Have a process for approving payments that includes some form of communication other than email. Train the employees who can pull the trigger on money transfers that they will never ever be asked over email to transfer funds outside of the documented approval policy.
- Reporting is key to limiting the effectiveness of phishing that makes it past your email filters.
We leave you with this one last quote from the DBIR that is similar to security awareness and training advice we’ve offered in the past:
You’re never going to completely stop phishing emails getting through and being clicked, but if you have a good process for detecting and handling them, they’re less likely to impact your organization.
* For reference, Verizon makes a clear distinction between a security incident and a security breach. An incident is “a security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is “an incident that results in the confirmed disclosure — not just the potential exposure — of data to an unauthorized party.”