Odds are your organization will be breached through a hack than any other method, and most likely by attackers leveraging users’ weak or stolen passwords, according to the annual Verizon Data Breach Investigations Report.
The 10th annual report from the U.S.-based communications giant, issued Thursday, is as usual full of data from 2016 from thousands of incidents reported around the world massaged in various colourful ways. But the bottom line is cyber espionage (stealing information) and ransomware are increasing, and phishing is (still) a leading attack vector.
Ransomware moved from the 22nd most common variety of malware in the 2014 report to the fifth most common,
This year’s analysis was done on 42,068 incidents (defined as a security event that compromises the integrity, confidentiality or availability of an information asset) and 1,935 breaches (actual data loss) last year from more than 84 countries, including Canada. Data was contributed by a number of security vendors.
Despite the concern of companies and their security staff about employees, only 25 per cent of incidents looked at were perpetrated by insiders, roughly consistent with Verizon data for the past decade. The odds are four to one you’ll be attacked by someone from outside the company.
And depending on the industry sector, the odds are more likely you’ll be attacked by a criminal group (51 per cent of the studied group) than a state-affiliated actor (18 per cent).
Just over 60 per cent of breaches involved hacking, but that’s not the big news: Eighty-one per cent of hacking-related breaches leveraged stolen and/or weak passwords. Forty-three per cent involved what the report calls social attacks (including phishing, pretexting – such as spearphishing attacks on business executives – and extortion), 14 per cent of breaches involved employee errors, while another 14 per cent involved privilege misuse.
Fifty-one per cent of breaches included malware, and 66 per cent of that malware was delivered by malicious email attachments.
Finally – and distressingly – for all the money spent on detection, 27 per cent of breaches studied were discovered by third parties.
Still, the report says there is cause for hope – if only that the authors expect the data will be wisely used by companies and their CISOs.