
Verizon: Human error still among the top data security threats

Verizon's 2016 Data Breach Investigations Report found human vulnerabilities and errors continue to be among companies' top data security threats.

Data breaches have become a common risk for organizations of all sizes as hackers target company information such as intellectual property and customers' personally identifiable information. But it seems individuals still aren't getting the message: Verizon's 2016 Data Breach Investigations Report found cybercriminals still exploit human nature by relying on familiar attack tactics, such as phishing and ransomware.

Bryan Sartin, managing director of the Verizon RISK Team and co-author of the Data Breach Investigations Report, recently discussed the report's findings with SearchCompliance editor Ben Cole. In this Q&A, Sartin explains the biggest data security threats facing companies today and why basic, but proven, information protection processes can go a long way toward offsetting vulnerabilities.

What were some of the key findings from the 2016 Data Breach Investigations Report? Was there anything in particular that stood out from a threat standpoint or that you found surprising?


Bryan Sartin: Financially motivated attacks did make a big upturn, and are a larger piece of the overall threat landscape than they have been in a long time. You also have the incredible role that commonality plays both in the vulnerabilities and also the threat tactics. Almost 70% [of] the initial intrusions involve the crafty combination of social engineering, malware and exploited vulnerabilities that constitute spear phishing.

There has been tons of talk about spear phishing and how dangerous it is. But when you say that across all of the criminals' motivations, from espionage to financially motivated attacks, almost 70% now involve that technique as the initial avenue of intrusion -- that's huge. It underscores the value of countermeasures against it; it also shows how humans are the weakest part of security right now.

The future suggests it could become far easier for criminals to exploit weaknesses in the traditional vulnerabilities in computer systems. Then, if you kind of contrast that against this idea that the very vast majority, almost 98 or so percent of all vulnerabilities exploited in these data breaches, even the most complex cases are not zero day, never heard of, never-seen-before kind of exploit. In reality, they are not only known vulnerabilities, but they are more than a year old; they have been out there a long time. That, to me, makes this phishing finding just that much greater in terms of gravity.

Did the Data Breach Investigations Report find any areas that make companies particularly vulnerable from a data protection standpoint, such as lack of employee education or training on their role in protecting company information?

Sartin: There are two things that are closely related there that jump out at me: At a super high level, the fundamental is consistent application of security basics over time -- and consistent is the keyword, because most of the security and defense countermeasures that we are talking about are not a revelation. I'd like to say cyberattacks are so complex and so fast-moving, the only way to counter these is with this magical solution, but that is not how it works.


Unfortunately, sophistication and ingenuity are not necessary for the attackers, and that means basic security hygiene is what matters the most in terms of effective defensive countermeasures. It's security basics like two-factor authentication -- everybody already has it, everybody already understands that it's critical, but it's the consistent application of that security basic that makes a difference. Nobody seems to be applying it consistently.

One of the findings was that 63% of all intrusions at some point involve the exploitation of stolen, weak, default or easily guessable credentials. That risk could be mitigated with the consistent application of two-factor authentication. That just doesn't happen.

What should companies do to offset the common data security threats identified in the report? Are there any innovative data protection best practices or strategies that companies should consider?

Sartin: One is the people-related strategy that it takes to counter phishing, and weaponizing your employee base. Not only are they your first line of defense, they are your best line of defense and method of detection. How are you positioning them in your intrusion or attack recognition systems? I see some great examples of that from customers, real simple things like on external emails that come in from outside your mail domain, how about a little 'e' in front of the subject line? Little things like that, it makes a big difference.

No. 2 is that for data that absolutely can't leak out, you have to know where it is. We've been saying this for years, but this is another stat that it's not getting worse, necessarily, but it's not getting any better. When you are still seeing that upwards of two-thirds of every record stolen or breached comes from data that victims don't know they have -- that's a staggering figure.
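The external-sender subject tag Sartin describes is usually done at the mail gateway, but the logic is small enough to show in full. This is an added example written for this page, not Verizon's or the interviewee's code, using Python's standard email module; the organisation domain, the "[EXTERNAL]" tag text and the two sample messages are constructed assumptions. It keys on the actual address in the From header rather than the display name, so a message whose display name imitates a colleague is still tagged.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed organisation domain(s); any other sender domain is external.
INTERNAL_DOMAINS = {"example.com"}
TAG = "[EXTERNAL]"

# Constructed sample messages (not real traffic).
INTERNAL_MSG = """From: Alice <alice@example.com>
To: bob@example.com
Subject: Q3 numbers

See attached.
"""

# Display name imitates an insider; the address itself is outside the domain
# and uses a look-alike (capital I for lowercase l) in the domain.
EXTERNAL_MSG = """From: "Alice (CEO)" <alice@exampIe.net>
To: bob@example.com
Subject: Invoice attached

Please pay today.
"""


def sender_domain(msg) -> str:
    """Domain of the real From address; the display name is ignored."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True unless the From address belongs to one of our own domains.
    A missing or unparseable From is treated as external too."""
    domain = sender_domain(msg)
    return domain == "" or domain not in internal_domains


def tag_external(raw: str, internal_domains=INTERNAL_DOMAINS, tag: str = TAG):
    """Parse a raw RFC 822 message and prefix the Subject when it is external.
    Idempotent: a message that already carries the tag is left alone."""
    msg = message_from_string(raw, policy=default)
    if not is_external(msg, internal_domains):
        return msg
    subject = msg.get("Subject", "")
    if not subject.startswith(tag):
        new_subject = f"{tag} {subject}".strip()
        if "Subject" in msg:
            msg.replace_header("Subject", new_subject)
        else:
            msg["Subject"] = new_subject
    return msg


if __name__ == "__main__":
    for raw in (INTERNAL_MSG, EXTERNAL_MSG):
        tagged = tag_external(raw)
        print(f"{sender_domain(tagged):<14} -> {tagged['Subject']}")
```

The tag is a cue for the reader, not an authentication result: it tells people to look twice at a message, which is exactly the detection role Sartin assigns to staff, but it does not replace SPF, DKIM and DMARC checks on the sending domain.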

Do you have any predictions on the future of data breaches? Will they continue to be a threat to companies in the foreseeable future?

Sartin: The smart bet is on activism. That's where we are seeing the biggest explosion in threat actors, from the religious to the political, to any other motivations that bring these people to bear. It's also the sophistication of these attacks. The activism attacks and the diversionary tactics they use, the crowdsourced elements to them, the false flags elements, there are complexities in those that you don't find in other categories.

I expect that activism is not only going to continue to evolve to be more head and shoulders above the others in terms of sophistication and complexity and difficulty to respond effectively, it's going to climb sharply in numbers in the next few years.

What are the biggest data security threats for modern companies?
Distraction. Our company recently sent out a fake phishing email as part of our educational efforts. Many people that had been trained and knew better clicked the embedded link in the email because they were distracted by something else.
It really is amazing that people still aren't taking a minute to stop and think before they act. It's become so easy for hackers to prey on human nature and people just being oblivious to data risks. Is there any way to train people to pay attention and, basically, not be stupid when it comes to company data? Is it a matter of reminding them about it constantly? Seems like the constant reminders and using employee mistakes as examples should not be necessary, but sounds like it might be a requirement to adequately protect company information.
People don't listen. We tell them numerous times about the dangers when on-line or opening e-mails and they still do it anyways. What they do at home is one thing but in the business world we need to enforce the rules and policies we have set in place. 
The part of the process that involves human interaction is often the weakest link in the security chain, and will continue to be so. Training can help reduce the risk, but it's always going to be there, ready to click the link in that phishing email or use the same password for multiple accounts.
I agree, sounds like the potential for human error isn't going away any time soon. But are there any specific training methods that are proving effective to prevent these types of human errors? Or does the training just need to occur much more often?
It seems that a lot of people just don't care about their own online privacy -- or they are just naive about it -- and this carries over into their attitude about data protection in the workplace. If employee errors and carelessness continue to be a threat to companies' data security, businesses might have to start putting increasingly serious repercussions in place for employees that violate the company's data protection rules.
It's unfortunate it would have to come to that, but if people start losing their jobs due to data security protocol violations, it might wake their coworkers up to their role in the company's information protection efforts. 
I think human error can be attributed to practically all security challenges that businesses face. It's convenient to blame things on computer "glitches" these days but there's almost always something with hair on top behind every such breach, outage, or related event.