Insiders Blamed for Over a Quarter of Breaches

Employees emerged yet again as a major cyber-risk to organizations last year, accounting for 28% of breaches with human error a major factor contributing to data loss, according to Verizon.

The firm’s annual Data Breach Investigations Report for 2018 analyzed 2216 confirmed data breaches around the world and over 53,000 incidents from the previous year.

Although ransomware was pegged as the biggest malicious software threat, found in 39% of malware-related cases, the human element was highlighted as a major source of weakness in organizations.

In fact, user error was a factor in 17% of breaches, just behind the top pattern of web application attacks. In this case, “error” includes misconfigurations, of the sort seen often over the past year affecting firms with Amazon cloud installations, as well as publishing errors. However, “mis-delivery” was the biggest factor here.

It’s easy to do when using email to send sensitive data, especially with auto-fill, according to Verizon principal, Laurence Dine.

“That can best be prevented through regular training to remind employees of the sensitivities of the data they’re handling and of the need to pay close attention to who they’re sending emails to. For the occasions when mistakes do still happen, encryption can help to prevent files being opened by anyone other than the correct recipient,” he told Infosecurity.

Phishing is another key means by which employees are exposing their organization to the risk of breaches. Financial pretexting and phishing represent 93% of all breaches investigated in the report, with email the main entry point, and 4% of targets in any given phishing campaign will click through, according to Verizon.

“The insider human factor continues to be a key weakness across our analysis, given the regularity with which employees are still falling victim to social attacks,” said Dine. “Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education. Ultimately, employees should be a business’s first line of defense, rather than the weakest link in the security chain.”

Healthcare was the industry most affected by breaches (24%), and also the only sector in which insider threats (56%) outweighed those from external attackers (43%).

“Measures to protect against these vulnerabilities include segmenting clients from critical assets and using strong authentication measures, so hackers need more than a keylogger to compromise a user device. If the organization uses email in the cloud, then two-factor authentication is also advisable,” advised Dine.

“Organizations should also train responders along with the end-user base, testing their ability to detect a campaign, identify potential infected hosts, determine device activity post-compromise, and confirm the existence of data exfiltration. It can also help to provide role-specific training to users that are targeted based on their privileges or access to data. It’s particularly important to train employees with access to employee data or the ability to transfer funds to be more sceptical, as they are likely targets within the organization. It isn’t paranoia if someone really is out to get them.”

Overall, external attackers continue to be the number one breach threat by far, accounting for 73%, with half of those cybercrime gangs and 12% state-sponsored actors.

However, over three-quarters (76%) of breaches were financially motivated, which illustrates not only the large numbers of cyber-criminals launching attacks, but also the persistent minority of malicious insiders.

“Deliberate misuse is the other key factor we see with insider threats, where employees are abusing their privileges to access data inappropriately. In these cases, having policies and processes in place to monitor when sensitive data is accessed is imperative to spotting any suspicious activity,” said Dine.

“It’s also advisable to make all employees aware via security training and awareness promotion that if they are known to have viewed any sensitive data without a genuine business need, then there is potential for disciplinary action to be taken.”
