Cybercriminals are way ahead of defenders, according to Verizon’s ninth annual Data Breach Investigations Report (DBIR). They are so far ahead that they do not even have to change their game plan: the same old tactics are still working just fine.
The benchmark report analyzes more than 100,000 security incidents and 2,260 confirmed data breaches that occurred in 2015, drawn from data contributed by a variety of organizations, including the US Secret Service, the US Department of Homeland Security and other law enforcement agencies.
The study shows that businesses remain largely unsuccessful at defending against hacking and malware-based attacks, and attackers are only getting faster. In more than 99% of successful attacks the targeted systems were compromised within days, and in two-thirds of cases the attackers also began siphoning data within days (in 21% of cases, within minutes).
The previous year’s DBIR had noted an improvement in the share of breaches detected in “days or less”, but that trend reversed in 2015: fewer than 25% of breaches were detected within that timeframe.
Put those two findings together and the picture is plain: attackers routinely make their getaway with stolen data before anyone even notices.
Worse still, legitimate user credentials were used in nearly two-thirds of all breaches, thanks to weak, default or stolen passwords.
Traditional threats such as malware and weak passwords remain the most common infiltration methods, with phishing an especially large problem and a major factor in many breaches. The DBIR shows that 30% of phishing messages were opened, up from 23% in the 2015 report, and 12% of recipients went on to click a malicious attachment or link that installed malware.
Incredible, isn’t it, that with all the publicity surrounding user-initiated breaches, the open rate rose from 23% to 30%, a roughly 30% relative increase year over year in the likelihood that a phishing attack succeeds. Beyond susceptibility to social engineering, human error accounted for the largest share of security incidents, with 26% of those errors involving sensitive information sent to the wrong person. Other errors include improper disposal of company information, misconfiguration of IT systems, and lost or stolen assets such as laptops and smartphones.
Hype aside, the newer security risks associated with the Internet of Things and mobile phones were virtually non-factors in real-world attacks last year.
Bottom line: User security awareness and training are still the most important part of any security strategy. Ignore it at your peril.
Images Source: Verizon