People Still at the Core of Security Incidents: 2015 DBIR

The 2015 Data Breach Investigations Report, just released by Verizon, continues to adopt the methodology of nine common threat patterns, as well as expanding into discussions of threats from mobility and the Internet of Things (IoT) and the financial impact of a data breach.This year’s report looked at 12 terabytes of data, combining data from 70 organizations, 79,790 security incidents from 61 countries, as well as 2,122 confirmed data breaches.

For the first time, the 2015 DBIR examines incidents in which endpoint devices are used as an entry point to compromise other systems. For example, the report states that two-thirds of incidents that compromise the cyber-espionage pattern have featured phishing:

“The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network."

Verizon has put forth a new estimation for the financial impact of a data breach, including variabilities for the type of lost record (credit card, medical health record, etc) and the total number of records compromised. This new model predicts that a breach affecting 10 million records will fall between $2.1 million and $5.2 million in 95% of breach incidents, though could range up to $73.9 million. These costs escalate for even larger data breaches.

Insights from the report include:

• 70% of cyberattacks are not sophisticated, relying instead on a combination of phishing and hacking, often involving a secondary victim
• In 60% of cases, cyberattacks are successful within minutes
• 70-90% of malware samples are unique to an organization (though this does not make it either advanced or targeted)
• Many vulnerabilities are tied to unmatched systems, many traced back to a vulnerability from 2007
• 83% of security incidents are tied back to 9 basic threats: miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial-of-service attacks, cyberespionage; point-of-sale intrusions and payment card skimmers
• Physical theft / loss make up 15.3% of security incidents, with the highest prevalence in public, healthcare and financial services
• 90% of all security incidents are tied back to “people” - mistakes, phishing, bad behaviour, lost stuff, etc
• 15% of lost or stolen devices take days to discover, likely because employees are slow to report the incidents
• In one quarter of data breaches, it takes weeks or months to contain a data breach

As we have postulated, cyberattacks come from many different vector points. It only takes one missing device, one use of insecure WiFi, one compromised password, one click of a phishing email (and so forth) to compromise the entire corporate network. BYOD, mobility, the cloud, the IoT—all of these trends increase the exposure and potential risk of a data breach. Focusing solely on protecting the network to prevent cyberattack would leave organizations at risk for cyberattack from insecure endpoint devices.

The DBIR shows that organizations can make substantial improvements in their security positioning to reduce the number of security incidents that happen each year. Simple steps such as rolling out patches, which can now be automated with Absolute Manage, to making your employees your first line of defense, encrypting data (and proving encryption with Absolute Computrace), and including physical security can go a long way to preventing many data breaches.

Absolute Software is proud to work with Verizon as a Technology Alliance Partner. Together, we provide simplified business processes to customers who use Absolute solutions and Verizon wireless, allowing customers to save administrative time and resources.