Elevate Security is a proud contributor to this year’s Verizon 2020 Data Breach Investigations Report (DBIR). “The more things change, the more they remain the same” is the theme we’ve designated for this year’s report. Our team took a deep dive into the report, all 119 pages of it, and compiled key takeaways with a specific focus on human risk and how it could impact your defensive (and offensive) strategy moving forward.
What has changed since 2019?
Not much has changed since the 2019 DBIR. Attackers are leaning into the approaches that require the least effort and yield the greatest results: phishing and the use of stolen credentials. While breaches caused by phishing (22%) or stolen credentials (37%) are down slightly from 2019 (at 22%), it is notable that 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.
What has stayed the same?
Human risk from internal attackers remains substantially lower than that from external actors (page 10), yet errors are the only action type that continues to increase in frequency year over year. Errors were “causal events in 22% of breaches.” Financially motivated social engineering (FMSE) is keeping “error” company, because it too is increasing year over year.
Attackers (lazy, as we all know) prefer short attack paths and rarely attempt long ones. The proof is on page 31. Here are some helpful at-a-glance human risk stats (found on page 7):
- 22% of breaches included social attacks
- 17% involved malware
- 8% were misuse by authorized users
Top Recommended Controls:
The top control identified by the 2020 DBIR is to “implement a security awareness and training program”. It is also important to note what the report says about that control (which is also our favorite quote):
“In the past, we have observed that security awareness training can help limit the frequency and/or impact of phishing attacks. However, in some instances, this training appears to be either not carried out at all or delivered in an insufficient or inadequate manner. Whatever the reason, telling employees not to click phishing emails can be as effective as yelling “ear muffs” when you don’t want your child to hear something unpleasant.”
So what does this mean? It’s time for the industry to take a new approach to solving these top risks. Attackers take the path of least resistance, which is often through users. Here are the top five areas that need to improve in your enterprise if you want to decrease human risk (in no particular order):
- Increase phishing reporting
- Drive adoption of strong authentication
- Increase malware detection rates
- Install and use password managers
- Decrease sensitive data handling incidents