Verizon’s 2017 Data Breach Investigations Report paints a bleak picture of the current state of cyber security
Cyberespionage is now the most common type of cyber attack seen in manufacturing, education and the public sector, according to Verizon’s 2017 Data Breach Investigations Report (DBIR).
More than 300 of 2,000 breaches analysed were espionage-related, with 90 percent of these being attributed to state-affiliated groups.
According to the report, most of these attacks began as phishing emails, and they have become more prevalent because of the growing volume of research, prototype products and confidential personal data held in these sectors.
This year marks the tenth anniversary edition of the Verizon DBIR report, which correlates cyber security data from 65 contributing organisations, over 42,000 security incidents and 1,935 breaches from 84 countries.
The report suggests that cyber criminals have seriously upped their game over the last 12 months, with all manner of attacks on the rise and more businesses and consumers at risk than ever before.
For example, there was a 50 percent rise in ransomware compared to last year’s DBIR report as criminal gangs increased their efforts to extort money from victims, making it the fifth most common variety of malware in 2016, up from 22nd in 2014.
The healthcare sector was the most heavily hit, with ransomware accounting for 72 percent of all malware incidents due to factors such as a lack of investment in cyber security and a reliance on outdated software.
The prevalence of phishing attacks has also been heavily publicised and is still a go-to technique for cyber criminals. According to Verizon, phishing was present in 21 percent of all security incidents – up from just 8 percent the year before – and 43 percent of data breaches utilised phishing in some way.
This increase is likely to be down to the success rate hackers are enjoying. One in twenty (7.3 percent) of phishing attacks were successful, with 6.5 percent of victims clicking on a malicious link or email attachment a second time and 2 percent falling into the trap more than three times.
Furthermore, the tactic of ‘pretexting’, a form of social engineering in which an individual lies to obtain confidential data, is on the rise. Employees in financial departments were the most commonly targeted, with email being the most common communication vector (88 percent), followed by phone calls (10 percent).
Organised criminal groups were behind 51 percent of security breaches, and state-affiliated groups were involved in 18 percent. Financial services firms were the most prevalent victims, targeted in 24 percent of breaches, with financial gain (72 percent) and espionage (21 percent) being the top two motives for cyber criminals.
“Cyber-attacks targeting the human factor are still a major issue,” said Bryan Sartin, executive director of Verizon’s global security services division. “Cybercriminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: Eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year.”
The report certainly paints a somewhat dark picture about the current state of cyber security, but there are clear areas in which businesses can improve.
The report suggests that organisations are still getting the basics wrong, with 81 percent of hacking-related breaches succeeding through weak, stolen or easily guessable passwords.
To counter modern attacks, Verizon advises businesses to adopt the use of two-factor authentication to limit the damage that can be done with stolen credentials, keep data on a ‘need to know’ basis, ensure all sensitive data is encrypted and train staff better to spot the warning signs of attacks such as phishing.
“Our report demonstrates that there is no such thing as an impenetrable system, but doing the basics well makes a real difference,” Sartin added. “Often, even a basic defense will deter cybercriminals who will move on to look for an easier target.”