Insider threat once again tops the list of enterprise cyber security threats in the 2016 Verizon Data Breach Investigations Report (DBIR). For the second straight year, Verizon research showed that the average enterprise is less likely to have its data stolen than to have an end user give away sensitive credentials and data—whether unintentionally or maliciously.
From insecure storage, transfer or disposal of sensitive information, to lost or stolen endpoint devices, to intentional data theft and privilege abuse, to simply entering the wrong recipient name in the email address field, the vast majority of breaches can be traced back to end users. “Our findings boil down to one common theme,” said Verizon Enterprise Solutions Executive Director of Global Services Bryan Sartin, “the human element.”
Overall, 2015 trends persist in 2016
The 2016 DBIR pulls trends and insights from more than 100,000 incidents—and 3,141 confirmed data breaches—across 82 countries. Is there anything groundbreaking in this year’s DBIR? Nope. Verizon reports “no drastic shifts” and no “show-stopping talking point.” For the most part, last year’s trends and patterns continued. But to “strike a deceased equine” (as Verizon put it), these persistent trends bear reviewing.
Phishing still works—end users are more likely than ever to click the link
The 2016 DBIR found hackers increasingly targeting devices and people instead of servers and networks, with phishing attacks growing from less than 10 percent of all attacks in 2009 to more than 20 percent in 2015. Why? Because people are more likely than ever to “click the link.” Verizon says 12 percent of people tested will click on a phishing attachment—up from 11 percent in 2014. Also of note: the same study found only three percent of users that receive a phishing email report the attack attempt. The IT department is stuck between a rock and a hard place. More people fall for the scam, and no one gives IT a heads-up.
Privilege abuse is still a top insider threat—with an emerging twist
Traditional privilege abuse involves an internal user stealing or corrupting sensitive data—whether for personal gain or in collusion with an external actor. Verizon noted an emerging twist: external parties with legitimate access credentials (a customer or vendor, for example) colluding with another external actor. Verizon also showed that insider threat detection is extremely difficult in cases of privilege abuse, with most incidents taking months for the enterprise to discover. This year, privilege abuse was the top defined category of cyber security threats, second only to the catchall category of “Miscellaneous Errors.”
Something new: the three-pronged attack
Cybercriminals aren’t just getting smarter—they’re growing more patient. Verizon highlighted what it called the “new three-pronged attack”:
- Phishing email lures user to malicious link or attachment.
- Clicking the link installs malware that targets a user’s various digital access credentials. Sophisticated malware can even compromise other users’ credentials through this one entry point.
- Those credentials are later used in other attacks.
The first challenge here is tracing the subsequent attack back to the initially-targeted user and the original phishing email. The second is figuring out just how deep the attack went—which credentials were compromised and which data may have been exposed or stolen. Playing the “long con” gives cybercriminals a chance to slowly, silently extend the reach of the breach, with users and IT unaware.
Biggest cost: tracking down data during breach recovery
With sophisticated attacks leveraging insider credentials to go deeper and broader, it’s no surprise that the biggest cost of an enterprise data breach comes from the daunting task of forensic analysis. Figuring out what data was compromised, and tracking down copies of the files, puts an enormous strain on IT resources, and accounts for nearly 50 percent of the average total cost of an enterprise data breach.
TL;DR—Breaches are inevitable; data visibility is key
The DBIR is great reading (really—you’re guaranteed a laugh or two), but it’s 85 pages long. Here’s the quick-and-dirty:
- “No locale, industry or organization is bulletproof.” In other words, breaches are inevitable.
- Know your biggest threats. Take five minutes to check out the tables on pages 24 and 25, showing incident patterns by industry.
- “You cannot effectively protect your data if you do not know where it resides.” Breach remediation is crucial. Data visibility is key.
Next, we’ll tackle this last point—why data visibility is essential to effective breach remediation, and how an enterprise can enhance data visibility.
Code42 Forensic File Search