Data breaches have become a common risk for organizations of all sizes as attackers target company information such as intellectual property and customers' personally identifiable information. But it seems individuals still aren't getting the message: Verizon's 2016 Data Breach Investigations Report found that cybercriminals continue to exploit human nature, relying on familiar attack tactics such as phishing and ransomware rather than novel techniques.
Bryan Sartin, managing director of the Verizon RISK Team and co-author of the Data Breach Investigations Report, recently discussed the report's findings with SearchCompliance editor Ben Cole. In this Q&A, Sartin explains the biggest data security threats facing companies today and why basic, but proven, information protection processes can go a long way toward offsetting vulnerabilities.
What were some of the key findings from the 2016 Data Breach Investigations Report? Was there anything in particular that stood out from a threat standpoint or that you found surprising?
Bryan Sartin: Financially motivated attacks did make a big upturn, and are a larger piece of the overall threat landscape than they have been in a long time. You also have the incredible role that commonality plays, both in the vulnerabilities and also in the threat tactics. Almost 70% of initial intrusions involve the crafty combination of social engineering, malware and exploited vulnerabilities that constitutes spear phishing.
There has been tons of talk about spear phishing and how dangerous it is. But when you say that across all of the criminals' motivations, from espionage to financially motivated attacks, almost 70% now involve that technique as the initial avenue of intrusion -- that's huge. It underscores the value of countermeasures against it; it also shows how humans are the weakest part of security right now.
The future suggests it could become far easier for criminals to exploit weaknesses in the traditional vulnerabilities in computer systems. Then, if you kind of contrast that against this idea that the very vast majority, almost 98 or so percent of all vulnerabilities exploited in these data breaches, even in the most complex cases, are not zero-day, never-heard-of, never-seen-before kinds of exploits. In reality, they are not only known vulnerabilities, but they are more than a year old; they have been out there a long time. That, to me, makes this phishing finding just that much greater in terms of gravity.
Did the Data Breach Investigations Report find any areas that make companies particularly vulnerable from a data protection standpoint, such as lack of employee education or training on their role in protecting company information?
Sartin: There are two things that are closely related there that jump out at me: At a super high level, the fundamental is consistent application of security basics over time -- and consistent is the keyword, because most of the security and defense countermeasures that we are talking about are not a revelation. I'd like to say cyberattacks are so complex and so fast-moving, the only way to counter these is with this magical solution, but that is not how it works.
Unfortunately, sophistication and ingenuity are not necessary for the attackers, and that means basic security hygiene is what matters the most in terms of effective defensive countermeasures. It's security basics like two-factor authentication -- everybody already has it, everybody already understands that it's critical, but it's the consistent application of that security basic that makes a difference. Nobody seems to be applying it consistently.
One of the findings was that 63% of all intrusions at some point involve the exploitation of stolen, weak, default or easily guessable credentials. That risk could be mitigated with the consistent application of two-factor authentication. That just doesn't happen.
What should companies do to offset the common data security threats identified in the report? Are there any innovative data protection best practices or strategies that companies should consider?
Sartin: One is the people-related strategy that it takes to counter phishing, and weaponizing your employee base. Not only are they your first line of defense, they are your best line of defense and method of detection. How are you positioning them in your intrusion or attack recognition systems? I see some great examples of that from customers, real simple things like on external emails that come in from outside your mail domain, how about a little 'e' in front of the subject line? Little things like that, it makes a big difference.
No. 2 is that for data that absolutely can't leak out, you have to know where it is. We've been saying this for years, but this is another stat where it's not getting worse, necessarily, but it's not getting any better. When you are still seeing that upwards of two-thirds of every record stolen or breached comes from data that victims don't know they have -- that's a staggering figure.
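The subject-line marker Sartin describes for mail arriving from outside the organization's domain is easy to implement at the mail gateway. The following is an added example, not code from the article or from Verizon: a small Python filter that tags the Subject of any message whose envelope sender (Return-Path) or From address is not in an assumed set of internal domains. The domain list, the tag text and the sample messages are all constructed for the example. It checks both headers so that a message with a forged internal From but an external envelope sender is still tagged, and it treats a display name that merely looks like an internal address (a common phishing trick) as irrelevant, since only the address inside the angle brackets counts.

```python
"""Tag inbound mail that originates outside the organization's domains.

Added example. Assumptions: INTERNAL_DOMAINS and TAG are placeholders, and
Return-Path is the envelope sender as recorded by the receiving MTA.
"""
import email

# Assumed for the example: the organization's own mail domains.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}

# The article mentions a small 'e' in front of the subject; a spelled-out
# tag is used here so the sample output is self-explanatory.
TAG = "[EXTERNAL] "


def address_domain(header_value):
    """Return the lower-cased domain of a sender header, or '' if absent.

    Only the addr-spec inside the last <...> is used; a display name that
    itself looks like an address (e.g. 'ceo@example.com <x@evil.test>') is
    ignored. This deliberately avoids email.utils.parseaddr, whose result
    for such malformed headers differs across Python versions.
    """
    value = (header_value or "").strip()
    if "<" in value and value.endswith(">"):
        addr = value[value.rfind("<") + 1:-1]
    else:
        addr = value
    addr = addr.strip()
    if "@" not in addr:
        return ""  # covers the null sender '<>' and empty headers
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg):
    """True unless every parseable sender header is in INTERNAL_DOMAINS.

    Both Return-Path and From are checked, so a forged internal From with an
    external envelope sender is still flagged. A message with no parseable
    sender at all is treated as external (fail closed).
    """
    domains = [address_domain(msg.get(h)) for h in ("Return-Path", "From")]
    domains = [d for d in domains if d]
    if not domains:
        return True
    return any(d not in INTERNAL_DOMAINS for d in domains)


def tag_external(raw_message):
    """Parse a raw RFC 5322 message; prefix Subject with TAG if external.

    Idempotent: an already-tagged subject is left unchanged.
    """
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if is_external(msg) and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    return msg


# Constructed sample messages for the example (not real traffic).
INTERNAL_MAIL = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "Subject: Q3 numbers\n\n"
    "body\n"
)
EXTERNAL_MAIL = (
    "Return-Path: <billing@vendor.test>\n"
    "From: Vendor Billing <billing@vendor.test>\n"
    "Subject: Invoice attached\n\n"
    "body\n"
)
# Display name imitates an internal address; the real sender is external.
SPOOFED_MAIL = (
    "Return-Path: <bounce@evil.test>\n"
    "From: ceo@example.com <attacker@evil.test>\n"
    "Subject: Urgent wire transfer\n\n"
    "body\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, EXTERNAL_MAIL, SPOOFED_MAIL):
        print(tag_external(raw)["Subject"])
```

In a real deployment the "is this external?" decision should come from the MTA's own knowledge of which connection the message arrived on (an authenticated submission port versus the public MX), since header domains alone can be forged; the header check above is the fallback that a content filter can apply when that signal is not available.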
Do you have any predictions on the future of data breaches? Will they continue to be a threat to companies in the foreseeable future?
Sartin: The smart bet is on activism. That's where we are seeing the biggest explosion in threat actors, from the religious to the political, to any other motivations that bring these people to bear. It's also the sophistication of these attacks. The activism attacks and the diversionary tactics they use, the crowdsourced elements to them, the false flags elements, there are complexities in those that you don't find in other categories.
I expect that activism is not only going to continue to evolve to be more head and shoulders above the others in terms of sophistication and complexity and difficulty to respond effectively, it's going to climb sharply in numbers in the next few years.