Verizon’s DBIR 2023 – 74% of breaches include the human element

While we publish multiple research reports every year, we also value the insights of other players in our market and adjacent ones, via the reports they publish that we have absolutely nothing to do with. One of those is Verizon’s annual Data Breach Investigations Report (DBIR), published this year in June. Get yourself a copy, and also watch the webinar on the report in which we participated with IRONSCALES.

One of the findings from this year’s DBIR that made Verizon’s top three highlights is that 74% of breaches involve the human element, which includes social engineering attacks, errors or misuse. A search for the phrase “human element” in the report returns hits on three pages:

Page 8 – an expanded version of the highlight above, with the additional context after the comma saying “with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.”

Page 14 – an explanation of the “social” action category, defined as “employ[ing] deception, manipulation, intimidation, etc., to exploit the human element, or users, of information assets.” There’s also a definition of the Error category (“incorrectly or inadvertently”) and Misuse (“any purpose or manner contrary to that which was intended”).

Page 34 – on the final page of the four-page deep dive into social engineering incidents (pages 31-34), there’s this line – “Due to the strong human element associated with this pattern, many of the controls pertain to helping users detect and report attacks as well as protecting their user accounts in the event that they fall victim to a phishing lure.”

What does this mean for organizations?

1. Having controls in place to protect your users from compromise is essential. Creating opportunities for manipulating human weakness is the most common pathway by which external threat actors score a successful breach. Many of the controls listed on page 34 link to strong identity security solutions and processes.

2. The DBIR says there were 1,700 social engineering incidents in this year’s data set (page 31), 928 of which had confirmed data disclosure (breaches). That’s a breach rate of 54.5% (my data analysis). That means 45.5% of attempted incidents did not lead to successful breaches … hopefully because of the strength of detection and prevention solutions deployed at organizations. Improvement is needed here.

3. By contrast, the DBIR says there were 602 miscellaneous errors (misdelivery, misconfiguration, publishing errors) caused by insiders (in 99% of cases), 512 of which had confirmed data disclosure. See page 40. That’s a breach rate of 85.0% (my data analysis) – significantly higher than the social engineering type driven by external threat actors. By implication, controls to detect and prevent such incidents and breaches are significantly less effective than for the social engineering type. Even more improvement is needed here.
