The Verizon DBIR is one of the annual scriptures read by data security enthusiasts worldwide, and this year’s offering is no different.
The report is packed full with meticulously-gathered, mind-blowing statistics, and yet presented in a light-hearted tone with pop culture references ranging from gangster rap to Disney musicals.
Here are a few highlights from the DBIR 2015 we found to be the most interesting.
While phishing is nothing new or unfamiliar, some findings released in the DBIR were interesting, to say the least. To further evade detection, phishing campaigns have evolved to incorporate installation of malware as the second stage of the attack.
Just how well does phishing work?
Today, a glaring 23% of phishing email recipients open phishing messages, and 11% of them click on attachments. Of the 23% who opened the emails, half of them did it within an hour of receiving the email. A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will fall victim to the scam. Not only do phishing emails work well, they work fast. The median time it takes for the first click to come through is 1 minute, 22 seconds.
Can Phishing Emails Be Stopped?
In the light of such discouraging statistics, it’s hard to see the point in investing in data security. Why should you spend large amounts of money on antiviruses and firewalls, if it’s so incredibly likely that one negligent employee making one false click is going to bring your walls crashing down?
The good news is, there are a few ways to help prevent the risk of getting hooked. The DBIR recommends better email filtering, to help filter out phishing emails that make it into user in-boxes. Also encouraged is acquiring improved detection and response capabilities. However, the most effective way cited is through awareness and training, which can reduce the number of people that fall victim to a phish to (potentially) less than 5%.
Common Vulnerabilities and Exposures (CVEs)
In late 2013, a list of the 500 most common vulnerabilities and exposures was made. Looking back on that list, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published. Worse still, hackers are exploiting vulnerabilities from as far back as 1999, which shows that they are aware that these old exploits are still an easy way into many systems.
Patch Hard, Patch Fast
There is a clear need for all organisations to patch vulnerabilities as they come, and to do so quickly.
While it’s true that some vulnerabilities are more high-priority than others (97% of the exploits observed in 2014 were caused by just ten of the 500 CVEs listed), you cannot call your network secure unless you are certain it has zero vulnerabilities to exploit.
Make sure that your company has in its employ someone to stay on top of what the latest vulnerabilities and threats are, and is able to quickly apply patches when necessary. Aside from phishing attacks, vulnerability exploits are some of the easiest ways for hackers to gain access to your systems. To quote the DBIR directly: “[there is a] need for all those stinking patches on all your stinking systems.”
- 5 malware events occur every second.
- Mobile devices are not as at risk as we thought- only 0.03% of mobile devices are infected with truly malicious exploits.
- Verizon seems to have given up on trying to figure out the cost per record in data breaches. Instead they have developed this table which gives a rough estimate on how much you can expect to spend on a data breach based on the number of records you lost:
Another Year, Another Great Report
This year’s DBIR, as usual, did not disappoint. A lot of the findings have been game changing- IT security professionals are going to be less likely to bring up the cost per record in a data breach, or talk about the dire need for mobile data security. But regardless of how such statistics may change, good data security practices remains a constant. In other words: keep up to date with the latest trends, and understanding your data.
While we did pick out our favorite parts of the Verizon DBIR, pretty much all of it is interesting and worth a read, which you may do so here.