Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Verizon 2016 Data Breach Report: "Phishing Tops The List Of Increasing Concerns"

    VDBR_2016.jpgVerizon yearly does a comprehensive report on security and data breaches. It is excellent ammo to get budget approval for new-school security awareness training.

    Why? Hundreds of security threat reports come out every year from all kinds of IT security companies. Most of these reports focus on a single type of threat that the author of the report conveniently offers protection against, and basically are thinly veiled marketing pieces.

    Verizon's Data Breach Investigation Report is different. They create it together with 67 other organizations. To name a few well-known participants: the U.S. Secret Service, the U.S. Emergency Computer Readiness Team, the Anti-Phishing Working Group, Kaspersky Lab, Cisco Security Services, EMC and many others. The 85-page report covers many areas of security for which Verizon doesn't sell products. I'm highlighting their insights about phishing.“This year’s study underlines that things are not getting better,” said Laurance Dine, managing principal of investigative response at Verizon Enterprise Solutions. He deadpans:
    "Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff. The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds. The median time to the first click on the attachment was 3 minutes, 45 seconds, thus proving that most people are clearly more on top of their email than I am."

    One area that has picked up dramatically over the prior year is phishing. Alarmingly, 30 percent of phishing messages were opened – up from 23 percent in the 2015 report – and 13 percent of those clicked to open the malicious attachment or nefarious link.

    Dine said: “User security awareness continues to be overlooked as organizations fail to understand that they need to make their employees the first line of defense,”

    “Organizations should be investing in training to help employees know what they should and shouldn’t be doing, and to be aware of the risks so they can alert security teams if they spot anything suspicious,” he said.

    For this reason, Dine said it is important for organizations to have the processes in place that make it easy for employees to report security issues.  Here is a no-charge tool that you can download to do just that:
    https://www.knowbe4.com/free-phish-alert

    The Rise Of The Three-Pronged Attack

    This year's report calls out the rise of a new three-pronged attack that is being repeated over and over again by cybercriminals. Many organizations are falling prey to this type of attack. The three-prongs are:

    1. Sending a phishing email with a link pointing to the malicious website, or a malicious attachment.
    2. Malware is downloaded onto an employees' PC that establishes the initial foothold, and additional malware can be used to look for secrets and internal information to steal (cyber-espionage) or encrypt files for ransom. Many times the malware steals credentials to multiple applications through keylogging.
    3. Use of the credentials for further attacks, for example, to log into third-party websites like banking or retail sites.

    2016 Report Reiterates The Need For The Basics

    The researchers note that basic, well-executed measures continue to be more important than complex systems. Organizations should check to make sure they are taking care of these things:
    • Know what attack patterns are most common for your industry
    • Utilize two-factor authentication for your systems and other applications, such as popular social networking sites.
    • Patch promptly.
    • Monitor all inputs: Review all logs to help identify malicious activity.
    • Encrypt your data: If stolen devices are encrypted, it's much harder for attackers to access the data.
    • Know your data and protect it accordingly. Also limit who has access to it. 
    • Train your staff: Developing security awareness within your organization is critical especially with the rise in phishing attacks.

    The full "Verizon 2016 Data Breach Investigations Report," is available on the DBIR Media Resource Center, and again as said is excellent budget ammo. You need to register but it's worth it:

    http://news.verizonenterprise.com/2016/04/2016-data-breach-report-info/

     

    Return To KnowBe4 Security Blog

    Topics: Phishing

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews