Verizon recently published the 2019 Data Breach Investigations Report (DBIR). The DBIR is a respected source of insight into the cyberthreats plaguing businesses. This latest edition is the most comprehensive to date, drawing on data provided by 73 sources across 86 countries and covering 41,686 reported security incidents and 2,013 confirmed data breaches.
The 2019 DBIR Executive Summary states plainly that every industry and every organization can be the victim of a data breach, regardless of its size or the type and amount of data it holds. Likewise, the defensive measures organizations put in place are under constant attack and must be maintained, not merely deployed.
An analysis of the data can provide valuable information to organizations about the cyberthreats they are likely to encounter, allowing them to manage these risks more effectively and efficiently. Below are some highlights from the report as well as practical suggestions on how these findings can be applied to an organization’s security awareness training.
Ransomware Continues to Present a Major Threat
According to the DBIR, ransomware attacks remain common and a serious threat across all industries, accounting for nearly 24 percent of incidents in which malware was used. Attackers' methods, tooling, and sophistication are constantly evolving, and even employees considered technologically proficient can fall victim to an attack. Security awareness training must therefore be kept current and conducted periodically so that employees stay alert to new and emerging threats. Training should be tailored to an institution's specific needs and include real-life scenarios, relatable workplace-specific examples, and thought-provoking challenges that prompt employees to think carefully about potential threats. Employees should also be taught how such attacks are actually carried out (for example, a malicious attachment or link delivered by phishing email), not only how to recognize and report them.
Executives Are Common Targets
Another key takeaway from the DBIR is that executives are increasingly the targets of cyberattacks, specifically social attacks. In the DBIR's terminology, a social attack is one that relies on social engineering (phishing, pretexting, and similar manipulation of people) rather than on a technical flaw; it is not limited to social media. According to the report, C-level executives were 12 times more likely to be the target of a social incident (an attack that compromises the security of data) and nine times more likely to be the target of a social breach (an attack that results in confirmed disclosure of data) than in years past.
All employees benefit from proper training, but it is particularly important that executives make training and cybersecurity a priority. They are a group specifically targeted by attackers, and a genuine commitment to training and cybersecurity sets the proper tone at the top. That priority trickles down throughout the company and strengthens overall compliance. This requires that executives not only support training and require it of employees, but also take it themselves. Executives should also clearly communicate their commitment to training and cybersecurity throughout the organization.
Sloppy Mobile Habits Present Concerns
An interesting finding from the 2019 DBIR is that users are more likely to click on phishing links when they encounter them on a mobile device. Mobile interfaces make it harder to carry out the checks that would expose a phish on a desktop: the full URL is often truncated or hidden, the details of a site's TLS certificate are harder to inspect, and the sender address and headers of an email are frequently collapsed or replaced with a display name.
As more businesses bring mobile devices into day-to-day operations, including through bring-your-own-device (BYOD) policies, employee training should reinforce the specific risks of working on mobile. Targeted microlearning focused on mobile device security can be an ideal way to supplement general security awareness training.
Financially Motivated Attacks
The DBIR finds that financial gain is the most common motive for data breaches, at 71 percent, followed by espionage at 25 percent. Protecting data that can be exploited for financial or competitive gain is critical across the business: attackers can gain a foothold in an organization through malware delivered to employees who have no contact with the financial or customer side of the business, and then move laterally to the data they want. All employees, regardless of role, need to be vigilant not to click on anything suspicious and not to give away credentials. Although phishing attacks have become more sophisticated, quality training can mitigate this risk.
Cyberattacks on Data Sensitive Industries
Although organizations of all sizes and in all industries are at risk, certain industries are more prone to attack. For example, of all the industries analyzed, healthcare was the only one in which incidents caused by insiders (59 percent) outnumbered those caused by external actors. Security awareness in healthcare is particularly important because patient data is governed by a host of regulations and guidelines, and because insider-driven incidents (misdelivery, privilege misuse, and error) are precisely the kind that awareness training addresses.
Likewise, industries such as financial services and manufacturing are also prominent targets for attacks and data breaches, and may be subject to more stringent data security requirements. In these industries, proper training, including training on specific compliance responsibilities, takes on added importance.
Finding an Effective Training Partner
Working with an effective training partner should be part of your overall program to defend against and respond to cyberthreats. Such a partner stays on top of the latest trends and developments, incorporates expert knowledge into its products, and provides meaningful guidance to an organization's leaders. Understanding which threats are growing allows an organization to allocate its resources where they matter most.
A training expert can help develop or simply refocus an organization’s training strategy based on the most current cyber-related threats and can tailor security awareness training to suit unique business needs.