Verizon’s Data Breach Investigations Report
Each year Verizon releases a report summarizing IT security breaches across multiple industries. The Data Breach Investigations Report is well written, easily readable, and free to download.
Below are several highlights from the report, along with our additional guidance.
“74% of all breaches include the human element” – In other words, user actions are fully or partly responsible for 3 out of 4 security breaches. The attack surface of a multinational organization is considerably different from that of a home user, but both are fair game for bad guys. Review your particular threat model and implement baseline security controls appropriate for your environment.
“Three primary ways attackers access organizations are stolen credentials, phishing, and exploitation of vulnerabilities” – Use two-factor authentication wherever possible. Don’t respond to emails from people you don’t know. Never provide your username and password via phone, email, or text message, even if you know the company. (Microsoft will NEVER send an email or make a phone call requesting your sign-in credentials.) Apply all security updates and patches to your computer, phone, and tablet on a monthly basis.
“The top vector for attackers to obtain credentials, implement a phishing attack, or exploit vulnerabilities is via web applications.” – Basically, the web browser is the primary way for an attacker to gain access to your system. We’re not here to tell you what browser to use. Whatever browser you use, install these two extensions: Privacy Badger and uBlock Origin. Also be sure to clear your browser cache frequently.
“The median click rate for email phishing campaigns is 5.8%” – A random phishing email sent to 100 email addresses will be clicked on by roughly 6 people! If you don’t know the person, delete the email. If the message is truly important, the sender will find a way to reach you.
“Devices and media are still more likely to be lost by internal actors than stolen by external ones.” – 80% of mobile devices are lost, not stolen.
“We’re too small, no one wants our data.” – If I’m a bad guy, do I spend my time trying to hack large companies with armies of super smart IT folks deploying robust security techniques and procedures? My time is better spent on small and midsize organizations with minimal IT staff, who usually don’t understand the value of their data. To paraphrase Jeff Foxworthy, “You know you’re a risk if the security plan consists of enabling Comcast’s firewall, copying QuickBooks company files to a USB drive, and taping passwords to the bottom of the keyboard.”