Cybersecurity Study’s Conclusion: People Just Never Learn

NEW YORK—A new study shows that cybercriminals continue to exploit human nature, as people fail to properly secure their electronic devices and fall prey to familiar attack patterns such as phishing.

Verizon said its 2016 Data Breach Investigations Report highlights “repeating themes” from prior years' findings, including:

  • Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85% of successful exploits.
  • Sixty-three percent of confirmed data breaches involve using weak, default or stolen passwords.
  • Ninety-five percent of breaches and 86% of security incidents fall into nine patterns.
  • Ransomware attacks increased by 16% over 2015 findings.
  • Basic defenses continue to be sorely lacking in many organizations.

"The Data Breach Investigations Report's increasing importance to businesses, law enforcement and governmental agencies demonstrates a strong desire to stay ahead of cybercrime," said Chris Formant, president of Verizon enterprise solutions. "Now more than ever, the collaboration and contributions evidenced in the DBIR from organizations across the globe are required to fully understand the threat landscape. And understanding is the first step toward addressing that threat."

Verizon said one area that has picked up dramatically over the prior year is phishing. Alarmingly, 30% of phishing messages were opened – up from 23% in the 2015 report – and 13% of those clicked to open the malicious attachment or nefarious link.

In prior years, phishing was a leading attack pattern only for cyber-espionage; it has now spread to seven of the nine incident patterns in the 2016 report.

“Its popularity has risen because it is an amazingly effective technique and offers attackers a number of advantages such as a very quick time to compromise and the ability to target specific individuals and organizations,” Verizon said.     

Adding to the list of human errors are those caused by an organization's end users. “Miscellaneous errors” take the No. 1 spot for security incidents in the latest report. These can include improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets such as laptops and smartphones. In fact, 26% of these errors involve people mistakenly sending sensitive information to the wrong person.

"You might say our findings boil down to one common theme -- the human element," said Bryan Sartin, executive director of global security services, Verizon enterprise solutions. "Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we've known about for more than a decade now. How do you reconcile that?"  

Of increasing concern to Verizon's security researchers is the speed with which cybercrime is committed. In 93% of cases, it took attackers minutes or less to compromise systems, and data exfiltration occurred within minutes in 28% of the cases, Verizon said.

Copyright Holder: CUToday.info
Copyright Year: 2026