No One Is Immune from Cyberattacks
Personal Information and Credit Card Information Still Top Targets, per Verizon Cybersecurity Report
No industry is “bulletproof” when it comes to cybersecurity measures. The conclusion comes from Verizon’s 2016 Data Breach Investigations Report, which analyzed over 64,000 incidents, including over 2,200 confirmed data breaches from across the globe.
The report both analyzed the causes behind the incidents, such as phishing emails, hacks and malware, and recommended solutions to mitigate the risks associated with data breaches. Many of the report’s recommendations should not be surprising, since companies often fail to implement some basic security measures.
Just as the recommendations should not be surprising, neither should bad actors’ motivations. The two most significant motives are financial gain and espionage, though the former far outweighs the latter. Financial gain seems to be a motive in roughly 75 percent of breaches, while espionage comes in just under 25 percent.
Because financial gain is the overwhelmingly predominant motive for bad actors, particular industries and types of information bear the greatest risk of attack. Some of the most targeted industries include hotels and retail stores. As the authors state, “this is unsurprising as they process information which is highly desirable to financially motivated criminals.”
With respect to susceptible types of information, bad actors target financial or personal information more than other types of information. Where the types of information sought by bad actors can be collected, Personal Identifying Information, Payment Card Information and Personal Health Information combine to represent about 86 percent of all cybersecurity incidents.
External bad actors cause nearly 80 percent of breaches. The remaining 20 percent of breaches are caused by a number of different actors, from partners to other internal sources. Put simply, a company is far more likely to face a threat from outside its organization than from inside its organization.
The report is very detailed, analyzing a number of different methods used to steal data or gain unauthorized access. One such method the authors analyzed was phishing.
Phishing occurs when a bad actor sends an email that appears to be from a legitimate source, such as a bank. The email may contain an attachment and/or links to external websites. The email warns of some impending, or discovered, problem, and asks the recipient to click on a link and log into his or her account, or download the attachment. The website is fake and the recipient unwittingly provides the bad actor access to critical personal information.
A number of these phishing attempts are obvious. But sophisticated bad actors will go out of their way to create authentic-looking emails and fake websites. Regardless, a number of people both view the emails and either click through the links or download the attachments.
According to the report, 30 percent of phishing emails were opened, and 12 percent of recipients clicked on the malicious attachment or clicked through to the spoofed website. Compare these numbers with the roughly three percent of phishing email recipients who reported the attempt to their companies’ management.
The report’s recommendations to mitigate the risks of cyberattacks range from simple to complex. Some of the simple recommendations include better passwords, good email filtering, and incorporation of multifactor authentication. Some of the more complex recommendations include establishing patch processes for content management system platforms and third-party plugins, and monitoring outgoing data along with employee cyber-behavior.
No industry is immune from cyberattacks. The number and type of cyberattacks grow every day. Despite this explosion of vulnerabilities, a significant percentage of cyberattacks are predictable and preventable. Because a significant number of cyberattacks are preventable through simple measures, every company in every industry should take reasonable steps to secure customer, consumer, or taxpayer data from bad actors, especially where those reasonable steps are simple.