Verizon’s 2019 DBIR: Phishing Is the Top Threat Action

Verizon recently released the 2019 Data Breach Investigations Report (DBIR), its annual analysis of real-world security events impacting organizations around the globe. The report draws on data from 73 contributing organizations, including Proofpoint Security Awareness Training. It analyzes 41,686 security incidents, of which 2,013 were confirmed data breaches.*

Phishing Is the No. 1 Threat Action in Breaches

As in previous years, the 2019 DBIR illustrates the prevalence of social engineering and phishing attacks, which underscores the need for a people-centric approach to cybersecurity. Phishing was the top threat action: it was involved in 32% of confirmed breaches, as well as 78% of cyber-espionage incidents.

It is also worth noting that 28% of breaches involved malware infections, and 29% involved the use of stolen credentials—both of which are frequently accomplished through phishing attacks.

After phishing, pretexting is the second most common social threat action. Pretexting includes some dialogue or back-and-forth, especially over the phone. Attackers often use pretexting to target employees in finance or human resources and may impersonate executives as part of a business email compromise (BEC) attack.

Attackers Target End Users Across Industries

Although data breaches pose a risk for every type of organization, some industries are more susceptible to specific kinds of attack. Accordingly, the DBIR analyzes how threat actors, motives, tactics, and attack patterns impact different industries. The following highlights speak to the importance of mitigating end-user risk through security awareness training:

• Education – Many breaches in education are due to “poor security hygiene and a lack of attention to detail,” suggesting the need for security awareness training. Cloud-based email services are frequently compromised in this vertical, largely due to phishing links that connect to fake login pages.
• Financial – Phishing is a major threat in the financial industry, with attackers using social engineering to trick users into providing their web-based email credentials. In addition to recommending security awareness training to arm employees against phishing, the DBIR suggests that financial organizations inform their customers about cybersecurity best practices.
• Healthcare – In this industry, insider threats—both malicious and unintentional—pose the greatest risk for breaches. Human error is at the root of one major issue: employees delivering sensitive information and documents to the wrong recipients. Credential compromise also plagues healthcare organizations, with many phishing attacks focusing on credential theft.
• Manufacturing – Most breaches in this industry are financially motivated (68%), though cyber-espionage (27%) is more prevalent than in other verticals. Many of the breaches start with phishing or pretexting and result in the loss of competitive information.
• Professional Services – Phishing, credential theft, and business email compromise (BEC) are prominent attack types in this vertical. Pretexting plays a role in roughly 80% of fraudulent transaction incidents.
• Public Administration – Cyber-espionage is the main motive in this industry: it increased from 25% of breaches in 2017 to 42% in 2018. These attacks often start with malware delivered via phishing emails containing malicious attachments.

Organizations Should Take a People-Centric Approach to Security

With cybercriminals regularly targeting people rather than technical vulnerabilities, organizations should expand their view of cybersecurity and take a people-centric approach. The DBIR offers a number of recommendations for preventing breaches, several of which involve educating end users:

• Provide employees with frequent security training, which “can help reduce the likelihood they will be reeled in by one of those attacks.”
• Implement two-factor authentication everywhere: “Use strong authentication on customer-facing applications, any remote access, and cloud-based email.”
• Improve “phishing reporting to more quickly respond to early clickers and prevent late clickers,” using rewards to motivate users if possible. A fast response can help reduce the amount of time a threat remains active within a corporate network and prevent more people from clicking on the phishing email.

While these recommendations may seem obvious to many infosec professionals, that doesn’t mean they aren’t highly effective—or that organizations are effectively applying them. “There is an urgent need for businesses—large and small—to put the security of their business and protection of customer data first,” says Bryan Sartin, executive director of security professional services at Verizon. “Often even basic security practices and common sense deter cybercrime.”

* For reference, Verizon makes a clear distinction between a security incident and a security breach. An incident is “a security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is “an incident that results in the confirmed disclosure—not just the potential exposure—of data to an unauthorized party.”