Businesses and other organisations are failing to learn the lessons of past cyber attacks, the latest Verizon Data Breach Investigations Report (DBIR) reveals.
The analysis of 2,260 confirmed breaches and more than 100,000 security incidents, drawn from data contributed by 67 organisations and covering 82 countries, shows that organisations are still failing to address basic issues and well-known attack methods.
“This year’s study underlines that things are not getting better,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions.
“We continue to see the same kind of attacks exploiting the same vulnerabilities because many organisations still lack basic defences,” he told Computer Weekly.
The 2016 DBIR shows, for example, that nearly two-thirds of confirmed data breaches involved using weak, default or stolen passwords.
The report also shows that most attacks exploit known vulnerabilities that organisations have never patched, despite patches being available for months – or even years – with the top 10 known vulnerabilities accounting for 85% of successful exploits.
“User security awareness continues to be overlooked as organisations fail to understand that they need to make their employees the first line of defence,” said Dine.
“Organisations should be investing in training to help employees know what they should and shouldn’t be doing, and to be aware of the risks so they can alert security teams if they spot anything suspicious,” he said.
For this reason, Dine said it is important for organisations to have the processes in place that make it easy for employees to report security issues.
Phishing is one area where increased user awareness could help, said Dine, especially as the use of fraudulent emails to steal credentials or spread malware increased dramatically in the past year.
“If we could reduce phishing through user awareness training, we could probably reduce a lot of the other stuff as well because many of the attacks start with a simple phishing email,” said Dine.
The study shows that 30% of phishing messages were opened – up from 23% in the 2015 report – and 12% clicked on malicious attachments or links that installed malware.
In previous years, phishing was a leading attack pattern for cyber espionage, but now features in most cyber attacks.
According to Verizon researchers, this technique is amazingly effective and offers attackers a number of advantages, such as a very quick time to compromise and the ability to target specific individuals and organisations.
Human error behind most security incidents
Underlining the importance of user awareness and the human element of security, the report shows that human error accounts for the largest proportion of security incidents, with 26% of those errors involving sensitive information being sent to the wrong recipient.