Discussions of cybersecurity hygiene naturally and appropriately center on IT and technical matters. Patch software frequently. Maintain firewalls. Adopt zero-trust architecture. These are the nuts-and-bolts, mechanical measures that limit network exposure and the amount of damage bad actors can do once inside.
But your biggest weak spot is organic, not digital. It is built from flesh and blood, not silicon and ones and zeroes. Your employees present the largest holes in your cybersecurity defenses, and arguably the most difficult ones to plug.
Verizon this week released its 2024 Data Breach Investigations Report (DBIR), based on analysis of over 30,000 incidents (security events that compromised the confidentiality, integrity or availability of an information asset), over 10,000 of which were confirmed data breaches (incidents in which data was confirmed to have been disclosed to an unauthorized party). The incidents took place between November 1, 2022, and October 31, 2023.
To give you an idea of how much richer Verizon's 2024 data set is, last year's report covered just over 16,000 incidents and a little over 5,000 breaches.
The report provides helpful definitions of cybersecurity industry terms, details the worst of the bad actors, the routes they use to break into data systems and the tactics they employ most successfully.
Last year we focused on what the report had to say about why manufacturers present such a juicy target for cyberattacks: they tend to pay out. Since then, the SEC has put a very large exclamation mark on the financial ramifications of bad cybersecurity hygiene, so we don't need to.
This year we're stepping into the weeds with DBIR in hand to look at the single largest cybersecurity vulnerability that all of our readers deal with. If you don't have a handle on it, the world, and most importantly investors, will find out, because the SEC's cyber disclosure rule requires public companies to report a material cybersecurity incident on Form 8-K within four business days of determining it is material.
Why People Are the Problem
According to the DBIR, 68% of breaches in this year's report involved a non-malicious human element, the same share reported last year. The problem hasn't gotten worse, but it hasn't gotten any better, either.
“Unfortunately, many organizations still don't take addressing the human element seriously, and instead feel that they can rely on technical controls. Simply put, there are no technical controls that are 100% effective; similarly, humans, even those trained well, will sometimes make mistakes. It takes a combination of both technical controls and the human element to address the modern threats,” says Erich Kron, security awareness advocate at KnowBe4.
Social engineering is the second-most-common breach pattern in the 2024 DBIR, behind system intrusion.
The phishing problem, tricking people into clicking links that lead them to malicious websites, where they hand over credentials on a fake login page or open the door for malware to infect a system, continues to grow. According to the report, 31% of social engineering-based incidents involve phishing, and the median time it takes for someone to fall for a phishing email, from opening it to clicking the link and entering data, is less than 60 seconds.
To put it another way, if people spent more than a mere minute asking who is asking them to click a link, and why, fewer of them would fall for it.
Pretexting accounts for 40% of social engineering-based incidents in total. A bad actor invents a plausible scenario and pretends to be someone trustworthy, like a superior or a member of the IT team, gains the user's trust and convinces them to share their login credentials or, in the business email compromise variant, to send a payment.
“Almost all companies (and organizations such as education, non-profits, local governments) conduct cybersecurity awareness and education programs which sometimes include attack simulations that test the employees' ability to identify an attack and correctly respond to it. Almost all of these awareness and simulation programs focus entirely on phishing attacks only,” says Dror Liwer, co-founder of cybersecurity company Coro.
Fear of the consequences of not following emailed instructions from a bad actor masquerading as a superior can push employees into giving away credentials or approving payments. Management needs to make sure employees know the company has their backs when they slow down and verify a request before acting on it.
“When training and educating people, making sure [they] know to look for emotional triggers such as urgency or fear, or even empathy, and teaching them how to say ‘no,’ or ‘not until I verify some things’ in a polite and professional way can help empower people to push back against these sometimes aggressive tactics used in social engineering attacks. If employees know that their leadership will back them up if they need to confirm something before taking action, it can hugely help people not be afraid of being assertive back to potential attackers,” says Kron.
Preventing the Big “Whoops”
According to the report, external actors, meaning the cybercriminals employing techniques like phishing and pretexting, are behind 65% of incidents. But internal actors, the people who work for your company and have legitimate access to your data, now account for 35% of all incidents, up from 20% last year.
Not all internal actors cause cybersecurity incidents out of malice. Sometimes employees make innocent mistakes whose security ramifications they don't understand.
The number of cybersecurity incidents attributed to miscellaneous errors increased substantially from last year's report, though Verizon notes the increase may reflect the larger size of this year's data set and the level of visibility into errors that new contributors brought with them.
Misdelivery, sending something to the wrong recipient, accounts for 50% of all cybersecurity incidents involving miscellaneous errors, the same top category as in last year's report. Pay attention to the “to:” field on your emails, and back that attention up with technical guardrails such as warnings on external recipients and data loss prevention rules on outbound mail.
The types of employees responsible for miscellaneous errors changed markedly from 2023, however. End users account for 87% of these mistakes, whereas last year's report blamed end users for only 20% of incidents caused by error. The IT department in 2024 is responsible for only 11% of error-based incidents.
“Organizations [must] foster a relationship between managers, security teams and employees, where employees feel comfortable reporting mistakes they may have made. Even in the case of honest mistakes, the quicker the problem is reported, the quicker the mistake can be mitigated or corrected. Far too many organizational cultures punish honest mistakes in ways that lead employees to try to cover up the error, rather than asking for help to fix it,” Kron says.
Disgruntled Employees Put Cybersecurity at Risk
This year, when reporting on the problem Homo sapiens presents to the integrity of your data, the DBIR separates out breaches that involve malicious “privilege misuse,” such as an upset employee abusing the legitimate access they already hold, and excludes them from its human-element figure. That means the 68% above understates the people problem. And it can't just be the HR department keeping an eye out for alienated employees.
“There are often signs when insiders become malicious and go rogue. … Leaders and managers, as well as coworkers, should be watching for odd behaviors or attempts to access systems or information they normally don't need in the course of their duties,” says Kron.
Liwer wants companies to know that digital observation, not just listening for complaints or watching for insubordination, also matters.
“Monitor abnormal behavior. Use behavioral cybersecurity tools to identify unusual patterns in data access, downloads, exports, etc. The likelihood of such behavior being associated with malicious intent is extremely high, and as such must be flagged and responded to immediately,” he says.
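What the two pieces of advice above look like in practice is a behavioral baseline: learn what each user normally touches and how much they normally export, then flag departures from that. The following Python is an added example written for this article, not code from Verizon, Coro or KnowBe4. The audit log is constructed sample data, the baseline/detection date split, the assumed business hours (07:00 to 18:59) and the 3x export-volume multiplier are all assumptions chosen for illustration, and a real deployment would tune them against months of data rather than a few days.

```python
"""Behavioral baselining over an audit log: flags access to resources a user has
never touched before, off-hours activity, and export volumes far above the user's
own history. Added illustration, not a vendor's product logic."""
from collections import defaultdict
from datetime import datetime, date

# Constructed sample audit log (not real data): timestamp user action resource bytes
SAMPLE_LOG = """\
2024-05-01T09:02:11 alice read   hr/payroll_q1.xlsx 120000
2024-05-01T09:40:03 alice export hr/payroll_q1.xlsx 120000
2024-05-02T10:11:45 alice read   hr/benefits.docx 40000
2024-05-02T10:15:00 alice export hr/benefits.docx 40000
2024-05-03T08:55:12 alice read   hr/payroll_q1.xlsx 120000
2024-05-03T16:02:09 alice export hr/headcount.csv 30000
2024-05-01T11:00:00 bob   read   eng/design_spec.pdf 800000
2024-05-02T11:30:00 bob   read   eng/bom_v3.xlsx 200000
2024-05-03T14:20:00 bob   export eng/bom_v3.xlsx 200000
2024-05-10T09:05:00 alice read   hr/payroll_q1.xlsx 120000
2024-05-10T22:14:33 alice read   eng/bom_v3.xlsx 200000
2024-05-10T22:20:51 alice export eng/bom_v3.xlsx 200000
2024-05-10T22:25:10 alice export eng/design_spec.pdf 800000
2024-05-10T22:30:00 alice export hr/payroll_q1.xlsx 120000
2024-05-10T10:00:00 bob   read   eng/design_spec.pdf 800000
"""

BASELINE_CUTOFF = date(2024, 5, 5)  # assumed: events before this date train the baseline
BUSINESS_HOURS = range(7, 19)       # assumed normal working hours, 07:00-18:59
VOLUME_MULTIPLIER = 3.0             # assumed: flag a day with >= 3x the user's busiest baseline day


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: the set of resources normally touched and daily export byte totals."""
    baseline = defaultdict(lambda: {"resources": set(), "daily_export": defaultdict(int)})
    for e in events:
        if e["ts"].date() >= BASELINE_CUTOFF:
            continue
        b = baseline[e["user"]]
        b["resources"].add(e["resource"])
        if e["action"] == "export":
            b["daily_export"][e["ts"].date()] += e["bytes"]
    return baseline


def detect(events, baseline):
    """Run the three rules over post-cutoff events. Users with no baseline are
    treated as having none, so everything they do is new."""
    alerts, seen_new, seen_offhours = [], set(), set()
    daily_export = defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        day = e["ts"].date()
        if day < BASELINE_CUTOFF:
            continue
        user, b = e["user"], baseline.get(e["user"])
        known = b["resources"] if b else set()
        # Rule 1: resource this user has never accessed in the baseline window (one alert per pair)
        if e["resource"] not in known and (user, e["resource"]) not in seen_new:
            seen_new.add((user, e["resource"]))
            alerts.append({"rule": "new_resource", "user": user, "resource": e["resource"],
                           "at": e["ts"].isoformat()})
        # Rule 2: activity outside business hours (one alert per user per day)
        if e["ts"].hour not in BUSINESS_HOURS and (user, day) not in seen_offhours:
            seen_offhours.add((user, day))
            alerts.append({"rule": "off_hours", "user": user, "day": day.isoformat()})
        if e["action"] == "export":
            daily_export[(user, day)] += e["bytes"]
    # Rule 3: daily export volume compared with the user's own busiest baseline day
    for (user, day), vol in sorted(daily_export.items()):
        b = baseline.get(user)
        peak = max(b["daily_export"].values(), default=0) if b else 0
        if vol >= VOLUME_MULTIPLIER * max(peak, 1):
            alerts.append({"rule": "export_volume", "user": user, "day": day.isoformat(),
                           "bytes": vol, "baseline_peak": peak})
    return alerts


def run_sample():
    events = parse_log(SAMPLE_LOG)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the constructed log, alice's late-night reads and exports of engineering files she has never touched trip both the new-resource and off-hours rules, and her 1.12 MB of exports that day is more than nine times her busiest baseline day, so the volume rule fires too; bob, whose activity stays within his baseline, generates nothing. The point is the structure, not the thresholds: each rule compares a user against their own history rather than against a fixed limit, which is what keeps an HR analyst's routine payroll exports from looking like exfiltration while an engineer's sudden bulk download does.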
Third-Party Users Also Need Watchful Eyes
Recognizing the Swiss cheese that is human cybersecurity also matters when considering the danger presented by partner companies with access to your network. According to the 2024 DBIR, 15% of all data breaches involved a third party, up from 9% in 2023. That's a 68% year-over-year increase.
Kiran Chinnagangannagari, chief product and technology officer at Securin, says companies have plenty of standard methods by which to assess third parties’ cybersecurity hygiene, like the NIST Cybersecurity Framework.
“These frameworks outline the best cybersecurity practices and allow for self-assessment. These questionnaires could cover topics like network segmentation and access controls, patch management and vulnerability management practices, authentication and authorization practices, data encryption and storage practices, incident response and disaster recovery plans to name a few,” Chinnagangannagari says.
Paul Kivikink, vice president of product and alliances at Comcast Technology Solutions, DataBee, says assessing the cybersecurity risks presented by third parties is an ongoing effort, not a one-time exercise.
“Thankfully, in most enterprise organizations, assessing the security hygiene of a third party has become standard practice and part of doing normal business. Where this needs to evolve is moving from assessing a third party's risk at a single point in time to a more continuous model to managing risk. There's no doubt this is a hard problem, and there are more automated technologies that are bridging this gap. But as we've seen in many breaches, the additional human element of managing risks from contractors, partners and vendors continues to be a multi-faceted challenge for many organizations,” Kivikink says.
Focus on Manufacturing
The manufacturing sector comes in fourth for total cybersecurity incidents, behind the public administration, finance and professional services sectors, and fifth for breaches, behind the education, professional services, healthcare and public administration sectors. Sometimes not running at the head of the pack is a good thing.
System intrusion and social engineering are the top two attack patterns against manufacturers. Financial motivation overwhelmingly drives the bad actors, behind 97% of breaches in the sector.
Only 25% of the attacks against manufacturers involve stolen credentials, good news that does not, however, lessen the need to guard against the human element. Ransomware was involved in 35% of attacks against manufacturers because, as we reported last year, they do tend to pay up if that means keeping the lines moving.