Human error is responsible for most data breaches as decision-makers refuse to take cybersecurity training seriously, the annual report by Verizon suggests.
The Data Breach Investigations Report (DBIR) found that “error” was responsible for 13% of the overall breaches, while 82% involved the “human element.”
“It is important not to victim-blame here,” said Rick Holland of Digital Shadows, which contributed to the DBIR. “The role of security should be to implement transparent controls that help our colleagues make the right choices without keeping them from doing their jobs. At a macro level, it isn't the employees who are failing but rather the controls we have put in place to protect them.”
But a culture of mockery among bosses was not helping the cause, he added.
“It is not uncommon for security practitioners to complain about and mock security awareness training,” said Holland, insisting that “training can be engaging and improve your security posture.”
He added: “Is security awareness going to stop all the attacks? Of course not, but even a modest improvement can reduce defenders’ detection and response burden. The fact that email phishing is still a thing should be an indictment on the security industry. Fifteen years into the DBIR, this technique still works.”
Tactics to defend against such cyberattacks include disabling macros, rewriting URLs, and monitoring or “defanging” attachments to ensure a user must copy and paste a link into a browser to visit the connecting site.
The report also highlights the dangers of third-party attacks, with outside sources being far more dangerous to organizations than “inside jobs.”
“The good news is that the same monitoring controls protect against both malicious insiders and outsiders,” said Holland. “Unless it is specific to your threat model, time would be better spent focusing on third-party risk management.”
He added: “The more things change, the more they stay the same. The use of stolen credentials, phishing, and vulnerabilities remains the top way threat actors gain initial access to organizations. Companies are spending billions of dollars on defense, yet these problems persist.”