Yesterday, Verizon released its 2016 Data Breach Investigations Report, which analyzes data from more than 100,000 security incidents, including 2,260 confirmed data breaches.
The big takeaways? Email is the weapon of choice for cybercriminals, phishing is trending up, and it is leading to more data breaches than ever before. To make matters worse, people’s ability to identify a phishing email is declining.
Below, we break down three top insights from the report and offer ideas for combatting this troubling trend.
1. More people are opening and clicking on phishing emails than ever before.
Verizon combined over eight million results of sanctioned phishing tests in 2015 from multiple security awareness vendors and found that:
- 30 percent of phishing messages were opened by the target across all campaigns, up 30 percent from last year.
- 12 percent of users went on to click the malicious attachment or link, up 9 percent since last year.
- Only 3 percent of the targeted individuals reported the phishing email to management.
2. Credentials are the most coveted prize.
Hackers want user credentials more than anything else.
In a study of 905 phishing attacks, the vast majority—91 percent—were after user credentials. Why? Because credentials are the best way to get at the heart of any organization. 63 percent of the confirmed data breaches in 2015 involved leveraging stolen passwords. The ultimate goal of credential access is for financial gains.
3. The majority of data breaches begin with a phishing campaign.
While data breaches do not follow a prescribed pattern, we can identify the most common threat actions involved in their process. Verizon discovered that the vast majority of data breaches begin with a targeted phishing campaign against a vendor.
“The phishing email is being leveraged by opportunistic and targeted attacks,” said Marc Spitler, researcher and co-author of Verizon’s Data Breach Investigations Report. “It is being leveraged by state-affiliated groups and organized crime. It’s leveraging that human aspect of making targets interact with a link or, more often, an email attachment.”
As the graph below shows, phishing campaigns can open doors that establish footholds within the organization and smuggle malware into targeted networks. Stolen credentials are then used to push the breach further into and across networks to gain access to financial data or point-of-sale bank card systems.
“We call this the birth and re-birth of the data breach. The first page of the intruder’s playbook is phishing, but after malware is used to get control over a device, attackers go in different criminal directions within a company’s network,” Spitler said.
These findings bring three key things into light:
- There is no enterprise security without email security.
- Traditional solutions are simply not working.
- End users cannot be the first line of defense when it comes to phishing.
What’s the insecure enterprise to do?
First, we need to strengthen our defenses against email threats via strong email authentication. Recent research by Return Path revealed that currently, only 29 percent of the world’s top organizations are doing so. Ignoring strong email authentication is like being expected to control borders when no one has been issued passports.
Second, we must stop expecting one solution or perimeter defense to solve our email security problems and instead implement a convergence of technologies to protect our enterprise, our customers, and our bottom-line from email fraud.
Third, people should be our last line of defense—not our first. Of course, that’s not to say we shouldn’t invest in that line of defense, but technology should be our first line of defense or we are asking for trouble.
To learn more about how to defend your company from spear phishing attacks, join our upcoming webinar on May 12, “Spear Phishing: Fighting the Next Generation of Targeted Email Attacks.”