For those of you living under a rock—heads up—the Verizon Data Breach Investigations Report (DBIR) for 2019 has officially been released.
Just in case you’ve been under that rock for a really long time—the DBIR is an annual report prepared by Verizon that provides details and analysis of IT security incidents over the past year, with a specific focus on data breaches.
This year, their team pulled together real-world data from more than 41,000 security incidents and over 2,000 actual data breaches to provide insight and clarity for business owners and security managers worldwide. The detail includes everything from an industry-by-industry breakdown of what types of attacks had occurred, who was targeted, and how. The document is also a great place for snarky humor and Stan Lee references.
So—as a small business owner—should you care about the DBIR?
You should. According to Verizon, 43% of the data breach victims from 2018–2019 were small businesses. Worse, not only are small businesses more vulnerable to attack, but they are also the most likely to not recover from it.
Now, this shouldn’t be a wake-up call for anyone shopping for cybersecurity services or software, but sometimes it takes clear and cold metrics to really make the facts pop.
What were our key takeaways from the DBIR?
Some of the scariest things we read in the DBIR weren’t facts or figures—but simple statements by the analysts:
- No organization is too large or too small to fall victim to a data breach.
- No industry or vertical is immune to attack.
- Regardless of the type—or volume—of your organization’s data, someone out there is trying to steal it.
Not cool, right? It gets worse—here are some of those facts and figures:
The Sources of Malware
- 94% of malware was delivered by email.
- 45% came from common Microsoft Office documents.
- 23% were web-based.
The Insider Threat Is Growing
In the past—and in many of our favorite movies—breaches were caused by attackers from the outside. The 2019 report shows that this is no longer the case with internal actors being the root cause of 34% of the reported breaches. Admittedly, this can be a hard metric to nail down—after all, not many organizations are willing to admit that they were the ones punching themselves in the face the whole time.
Stop Using the Same Password
Stolen credentials continue to plague organizations in every sector. Worse—through techniques like credential stuffing, attackers are able to take usernames and passwords obtained through one data breach and use them to compromise personal, financial, and healthcare data on completely unrelated sites.
Check Your Privilege
In almost 80% of the compromises reported, privilege abuse was a factor in the successful attack. Misuse or loss of elevated user credentials can create havoc for businesses as attackers are able to blow gigantic holes in otherwise secure network systems.
Take Me to Your Leader(s)
Seriously, there’s a hacker out there that is desperately trying to wreck your entire leadership team. According to the DBIR, your management team—particularly C-suite folks—are 12 times more likely to be the targets of social incidents and 9 times more likely to be the target of social breaches. While this may not be a surprise to some, the growth in these data breach figures went from single digit to double this year alone.
Click-Through Rates on Mobile Attacks Growing
We’re getting phished a lot—and companies are getting better at establishing security programs that raise awareness and improve employee security awareness to combat the threat. In tests done by Verizon, they’re seeing significant decreases in target click-through rates in phishing simulations. The problem? Mobile users don’t seem to be taking these lessons to heart—and are the bulk of those getting slammed by email-based spear phishing and social media attacks.
Add it to your toolkit
Security threats are constantly evolving, and business owners need to use every tool in their kit to keep pace with that change. The DBIR is an excellent resource to help you understand not only what tools (like LanScope Cat!) you should be using, but also how they can be used for best effect. The best defense against any threat is knowledge. Know what’s going on in your network. How your workforce is using devices. Who is accessing what data and when. There are solutions to help small businesses gain this knowledge and to do so without a big business budget.
Publications like the DBIR provide an overall threat assessment that allows organizations to take the necessary steps to recognize them—and tools like LanScope Cat help stop them.