Verizon released its 2015 Data Breach Investigations Report (DBIR) this week and the results are neither surprising nor encouraging: most major security breaches happen not because of super-sophisticated hacker attacks, but because everyday people continue to fall for the same types of everyday scams that have been ongoing for years.
The full 70-page DBIR, which is available as a .pdf download here, analyzed a total of 79,790 different “security incidents” and 2,122 “confirmed data breaches.”
Of those security incidents, 96% fell into one of nine different categories, identified as: “miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial-of-service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.”
Even the most casual reader of hacking and tech-security news will recognize many of the terms on Verizon's list. The massive thefts of customer payment-card data from Target and Home Depot were among the largest point-of-sale intrusions: hackers had planted malware on certain in-store electronic payment systems, and that malware let them steal the data from every payment card swiped through the system.
Verizon's statistics behind cyberespionage show that astonishingly large numbers of people continue to fall for phishing scams; in the past two years, more than two-thirds of “incidents that comprise the Cyber-Espionage pattern have featured phishing,” according to the DBIR.
Phishing describes the type of scam where the scammer sends a message allegedly from someone else – anyone from Netflix to your Facebook friends, from your bank to the IRS – in hope of tricking you into giving the scammer your social security number, bank account information or any other data which an identity thief would find useful.
It can also refer to the scammer posing as someone else not to steal information from you, but to trick you into doing something – such as downloading a file attachment chock-full of malware.
Last week, for example, a sheriff's department in Maine paid a $300 Bitcoin ransom to anonymous hackers who'd managed to encrypt all of the department's important computer files. The sheriff admitted that the hackers managed to plant the ransomware after somebody on the police network accidentally downloaded a virus. The downloaded virus had almost certainly come disguised as a legitimate-looking email — phishing bait, in other words.
1 out of 10
Verizon's DBIR said that, among email users who receive phishing bait messages, “23% of recipients now open phishing messages and 11% click on attachments.”
Think about that: more than one out of every ten people will open an email attachment from a sender they don't even know. And analysis of over 150,000 emails sent as part of “sanctioned tests” showed that in typical phishing campaigns, nearly 50% of users opened the emails and clicked on scammy links within the first hour.
But the typical phishing scammer doesn't have to wait nearly that long to start seeing results; the DBIR also says that on average, a typical phisher gets his first response a mere one minute and 22 seconds after sending off the first batch of spam messages.
For all the sophisticated security setups companies put in place to protect themselves and their data from hackers and other threats, the biggest threat to network security remains the people on the network.