Company insiders behind 1 in 4 data breaches – study

Ransomware, external hackers dominate 2018 probe, natch

The admins among you will be unsurprised to discover that, more than a quarter of the time, data breaches across the world originated between the chair and the keyboard of organisation "insiders". And no, we don't mean they clicked on a dodgy link...

The latest edition of Verizon's Data Breach Investigations Report (DBIR) found that 25 per cent of all attacks over the year were perpetrated by said insiders and were driven largely by financial gain, espionage and simple mistakes or misuse.

It also reports that organised criminal groups continue to be behind around half of all breaches, while state-affiliated groups were involved in more than one in 10. Financial gain, unsurprisingly, continued to be the top motivation for cybercriminals.

The healthcare industry was found to be at particularly high risk of insider threats through errors and employee misuse – such as medical workers accessing patient records for simple curiosity or fun.

Verizon notes that organisations face a rising number of external attacks, increasingly carried out by organised criminals.

The scourge of ransomware increased throughout the year. Ransomware incidents more than doubled again this year compared to last year's DBIR.

Ransomware is the most common type of malware, turning up in 39 per cent of malware-related data breaches – double that of last year's DBIR, and featuring in more than 700 incidents. Verizon's analysis show that attacks are now moving into business critical systems, encrypting file servers or databases, inflicting more damage and commanding bigger ransom requests.

Companies are nearly three times more likely to be breached by social attacks than via actual vulnerabilities, emphasising the need for ongoing employee cybersecurity education.

The report notes a significant trend in social-engineering and "pretexting" attacks targeting finance and HR departments, with nearly 1,500 incidents and nearly 400 confirmed data breaches reported. In these attacks, hackers may seek to convince finance departments to make a transfer of funds by posing as a company CEO.

Human Resource (HR) departments across multiple verticals are also being targeted in a bid to extract employee wage and tax data, so criminals can commit tax fraud and divert tax rebates.

Financial pretexting targeting HR departments has more than doubled since the 2017 DBIR, with 170 incidents analysed this year (compared to just 61 incidents in the 2017 DBIR). Eighty-eight of these incidents specifically targeted HR staff to obtain personal data for the filing of file fraudulent tax returns.

Simple errors – such as failing to shred confidential information, sending emails to the wrong person or misconfiguring web services – were at the heart of nearly one in five breaches. More than 20 per cent people still click on at least one phishing campaign during a year.

Denial-of-service attacks also remain a problem. DDoSing can impact anyone and is often used as camouflage, often being started, stopped and restarted to hide other breaches in progress, Verizon warned, adding that such attacks are nonetheless manageable providing the correct DDoS mitigation strategy is in place.

The majority of attacks were perpetrated by outsiders; 27 per cent involved internal actors; 2 per cent involved partners; and 2 per cent feature multiple partners. Organised crime groups still account for 50 per cent of the attacks analysed.

Over two-thirds (68 per cent) of breaches took months or longer to discover.

Verizon's latest DBIR offers an analysis of over 53,000 security incidents and 2,216 breaches across 65 countries. The report draws its findings from an analysis of real-world data breaches investigated by Verizon and an extensive range of third-party contributors during the last 12 months.

Regular contributors to the study – now in its 11th edition – include the likes of the US Secret Service, UK legal services firm Mishcon de Reya, UK insurer Chubb and the Irish Reporting and Information Security Service (IRISS CERT) among others.

Biggest risks per industry

This year's report highlights the biggest threats faced by individual industries, alongside guidance on what companies can do to mitigate these risks.

  • Education – Social engineering targeting personal information is high, which is then used for identity fraud. Highly sensitive research is also at risk, with 20 per cent of attacks motivated by espionage. 11 per cent of attacks also have "fun" as the motive rather than financial gain.
  • Financial and insurance – Payment card skimmers installed on ATMs are still big business; however, there's also been a rise in "ATM jackpotting", where fraudulently installed software or hardware instructs the ATMs to release large amounts of cash. DDoS attacks are also a threat.
  • Healthcare – The only industry where insider threats are greater than threats from the outside. Human error remains a major contributor to healthcare risks.
  • Public Sector – Cyber-espionage remains a major concern, with 43 per cent of breaches being espionage motivated. However, it is not only state secrets that are a target; personal data is also at risk.

®




Biting the hand that feeds IT © 1998–2018