The number of data breaches affecting companies of all sizes has been growing exponentially over the past decade, according to Verizon’s 2016 Data Breach Investigations Report. And the cause of many of those data breaches? “Miscellaneous errors”, also known as employee mistakes. That’s right: the biggest threats to an organization's security cannot be remedied with antivirus, firewalls, and network monitoring alone (though those things are important). It takes employee training and awareness to prevent cyber attacks.
The most common attack that employees fall for is the phishing scam, which is nothing new. Phishing emails have been used to steal login credentials, install malware, and trick people into sending money since the birth of email. Phishing has “picked up dramatically over the past year,” according to Verizon’s report, and it is used in 7 out of 9 security incidents.
It has become too easy for hackers. With inboxes as busy as they are, employees click on whatever comes in almost immediately. Verizon found that “the median time for the first user of a phishing campaign to open the malicious email is one minute, 40 seconds” and “the median time to the first click on the attachment was three minutes, 45 seconds.”
“Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff,” the report said.
Once attackers have successfully tricked victims into opening the email and possibly downloading an attachment, they have the opportunity to perform a “three-pronged” attack:
First, they install malware on the device, either through the attachment or by having the victim click a link to a malicious site. Second, once that malware is in place, they use it to install additional malware that holds files for ransom or logs keystrokes and steals credentials; 63% of attacks involve the use of default, stolen, or weak passwords. Third, once the attackers have what they want (passwords), they log into further accounts such as POS systems and online bank accounts. Their final goal is usually to steal money or company secrets.
Most data breaches are not discovered by the victim; they are discovered by third-party security researchers, often weeks or months after the hackers first made contact.
In addition to phishing emails, employees struggle with proper disposal of company information, lost and stolen devices, misconfiguration of IT systems, and sending sensitive information to the wrong people.
The rampant human errors highlight the need for basic security protocols:
- Use two-factor authentication for all accounts
- Patch known vulnerabilities in software right away
- Review account logins to monitor malicious activity
- Encrypt all sensitive data
- Train employees about the threats that face them
- Use a good hardware firewall to filter out spam emails
- Limit access to data
“You might say our findings boil down to one common theme – the human element,” said Bryan Sartin, executive director of Verizon Enterprise Solutions. “Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we've known about for more than a decade now. How do you reconcile that?”