4 Takeaways from Verizon's Data Breach Investigations Report: Wising up to Phishing?

4 Takeaways from Verizon’s Data Breach Investigations Report: Wising up to Phishing?

Written by James Anderson
May 8, 2019

Employees are getting smart about phishing, but their bosses? Not so much.

“Why don’t we skip all the hard hacking and just, you know, ask for the money?”

That simple mindset drives cybercriminals to con executives into unwittingly handing over precious data, according to the 2019 Verizon Data Breach Investigations Report (DBIR).

The likelihood of senior executives succumbing to social breaches was nine times more likely than in previous years, according to the study. Many of these breaches could have been prevented with rudimentary security protocol, according to Gabe Bassett, the senior information security data scientist on the Verizon Security Research team.

Hi y’all. Today I get to share the 2019 @VZDBIR with you: https://t.co/JwybL24WpT It’s been 6mo and 73 contributors in the making. If you haven’t heard of it, it’s a data driven report on the incidents and breaches from the last year. We hope it helps you improve your defenses!

— Gabe The Engineer (@gdbassett) May 8, 2019

Verizon unveiled results from its 2019 Data Breach Investigations Report Wednesday. The data shows the demographics of both attackers and victims shifting. Below are four interesting findings.

Verizon’s Gabe Bassett

Phishing for Execs

The C-suite saw a target on its back in the last year, getting particularly hammered in the professional services industry, where they accounted for 20 percent of the compromises.

Bassett said social pretexting – better known as phishing – is a chief strategy that turns your boss into a sucker. Most cases of phishing saw the threat actor exploit a person using a link or an attachment. The attachments are typically macro-enabled Microsoft Office documents or Windows executables.

Businesses should have policies in place to filter out a significant portion of these attacks.

Source: Verizon Data Breach Investigations Report

“The reality is, no one’s getting their software updates by email,” Bassett said. “So block Windows executables at the mail gateway. Block macro-enabled Office documents at the mail gateway. Block links at the mail gateway and let people go in and say, ‘Yes, this is something I was expecting.'”

But there’s great news on the phishing front: Employees are catching on. Click rates in phishing exercises dipped below 3% this year, according to the study. Thirty-two percent of breaches involved phishing last year, according to the report, so businesses may be rising to the challenge of one of the most popular threat actions. Your move, bad guys.

A Shift in Perpetrators

Outsider threats remain most prevalent, but we’ve seen a slow but consistent changing of the guard over the last few years. Outsiders perpetrated 75% of breaches in 2017, with inside actors involved in 25% of them. The ratio turned to 73-28 in 2018 and sits at 69-34 in 2019. That doesn’t mean the insiders have malicious intentions, but as we discussed in the previous paragraph, even the most well-intentioned employees can be complicit in a breach if they lack the proper education and protocal.

SMBs Drop

Small and medium-size businesses accounted for a smaller percentage of breaches than in previous years. Bassett and the Verizon team didn’t discover any clear drivers, but the results are quite suggestive.

Forty-three percent of the breached companies in the latest report are categorized as SMBs. That’s still a staggering number, but it represents a decrease of sorts. We wrote in 2017 that the number was 61%. The percentage dropped to 58 in 2018.