No More Mr. Nice Guy

A broad view of activity in the cyber world can help you to focus your resources as well as provide you with the basis of a scorecard compared to others. Verizon just released their 2019 Data Breach Investigations Report and it is worth a read for guidance it can provide. Here are a few of the things that we found of interest along with some of our comments.

  • Of the just over 17,000 cyber incidents that were reported, the most common attack (more than 60%) was a denial-of-service (DoS) event. While these rarely lead to a breach, they can cause significant financial damage, as they can make your business virtually inaccessible from the internet. One can buy protection from DoS attacks from many vendors or handle it internally with appropriate hardware. DoS defence can be reasonably priced, requires very little effort beyond writing a check (if you buy it as a service), and is extremely effective. If you don’t have it in place, you should certainly consider it.
  • Organisations are making great strides with awareness training. The “click rate” from phishing emails has been dropping each year. It has gone from 25% in 2012 to less than 3% last year. Unfortunately, phishing was at the root of almost 40% of all breaches last year which suggests that even three percent is dangerous*. There is still room for improvement. Training is helping, but it is not reasonable to think you will ever be perfect. Anything you can do to eliminate phishing emails before they reach employees or block the links in them appears to have a great potential benefit.
  • When we talk about security awareness training, we think about teaching people to be wary of other people. Yet a surprising amount of loss came from human error such as emailing data to the wrong person or failing to follow defined instructions when configuring hardware or software. Perfection may not be achievable, but periodically reminding people of the costs of these oversights could improve their focus.
  • We must have exhausted everything that can be said or written regarding passwords. Despite all of that, more than 60% of hacking involves the use of stolen credentials. It would be far more interesting if data breaches had clever plots like “Ocean’s Eleven”, but most are closer to “Dumb Criminals: The Movie”. Much of the time we just make it too easy to gain access. Awareness training along with well-thought-out password policies, including multi-factor authentication, should be high on everyone’s list for potential improvements.
  • The report slices and dices data in many ways, presenting a number of valuable insights. Though it is particularly helpful in identifying trends, sometimes it is impossible to determine the cause of those changes and thus the action you should take. For instance, the percentage of breaches involving third parties is declining while internal losses are increasing. Is that because we are paying more attention to security with our business partners or because we are failing to pay attention to what is happening inside our network? Either way it tells us that we need to focus more on our internal processes.

As we wrote about last week, having a broader view of metrics in the cyber security world is an important step toward measuring your past performance as well as guiding your future spending. This report and others are available for free and are something you should take advantage of.

* As this is being written news came out about a $41 million theft from a cryptocurrency exchange. The crime originated with a phishing attack.

About the authors

Karen Wong