4 Takeaways from Verizon’s 2017 Data Breach Report

For ten years the annual Verizon Data Breach Investigations Report has been a key resource for anyone wanting to understand trends in network security, and this year’s report is no exception. Here are four important findings.

1. Single factor authentication is just not good enough

Consumers are logging into a multitude of websites with single-factor authentication and providing names, addresses etc. as part of the enrollment process. When millions of people are members of a website and said site suffers a data breach, the word “newsworthy” comes to mind.

And we aren’t trying to throw out these splashy numbers just to get folks riled up for no purpose. There are several reasons why we should at least be aware of these breaches. Obviously, if your organization has an external login for customers or members then there is no shortage of external forces aiming to capitalize by stealing those details. Even if you are not breached, there are armies of botnets with millions (or billions) of credentials attempting to reuse them against other sites. In other words, even though the credentials were not stolen from you, that does not mean they were not stolen at all. Again, if you are relying on a username or email address plus a password, you are rolling the dice on password reuse from other breaches and on malware on your customers’ devices.
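The botnet behaviour described above leaves a recognisable trace in web login logs: one source trying many different accounts in a short time, mostly failing, with the occasional success being a reused password. The following detector is an added example written for this article, not code from Verizon or from the original post. The log format, the thresholds and the sample lines are all constructed for illustration; a real deployment would tune the window and account count to its own traffic.

```python
"""Credential-stuffing detector over constructed web login logs.

Added example, not from the DBIR or the original article. The log format
(<ISO timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>), the field
names and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 walks through many
# accounts in a few seconds and gets two hits; 198.51.100.20 is one person
# mistyping their own password; 192.0.2.55 is a normal login.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2017-05-01T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2017-05-01T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2017-05-01T10:00:03Z 203.0.113.7 dave LOGIN_OK
2017-05-01T10:00:04Z 203.0.113.7 erin LOGIN_FAIL
2017-05-01T10:00:05Z 203.0.113.7 frank LOGIN_FAIL
2017-05-01T10:00:06Z 203.0.113.7 grace LOGIN_FAIL
2017-05-01T10:00:06Z 203.0.113.7 heidi LOGIN_OK
2017-05-01T10:00:07Z 203.0.113.7 ivan LOGIN_FAIL
2017-05-01T10:00:08Z 203.0.113.7 judy LOGIN_FAIL
2017-05-01T10:00:09Z 203.0.113.7 mallory LOGIN_FAIL
2017-05-01T10:01:00Z 198.51.100.20 alice LOGIN_FAIL
2017-05-01T10:01:05Z 198.51.100.20 alice LOGIN_FAIL
2017-05-01T10:01:20Z 198.51.100.20 alice LOGIN_OK
2017-05-01T10:02:00Z 192.0.2.55 bob LOGIN_OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK"


def detect_credential_stuffing(log_text, window=timedelta(seconds=60),
                               min_accounts=8, min_fail_ratio=0.5):
    """Flag sources that try many distinct accounts within one window,
    mostly failing. Returns {ip: {attempts, accounts, succeeded}}; the
    'succeeded' accounts are the ones whose reused password worked and
    should get a forced reset or a step-up second factor."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start, flagged = 0, None
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                if flagged is None:
                    flagged = {"attempts": 0, "accounts": set(), "succeeded": set()}
                flagged["attempts"] = max(flagged["attempts"], len(win))
                flagged["accounts"] |= users
                flagged["succeeded"] |= {u for _, u, ok in win if ok}
        if flagged:
            findings[ip] = {"attempts": flagged["attempts"],
                            "accounts": sorted(flagged["accounts"]),
                            "succeeded": sorted(flagged["succeeded"])}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['attempts']} attempts on {len(f['accounts'])} accounts; "
              f"reset + step-up for {f['succeeded']}")
```

The point of keying on distinct accounts per source rather than on failures per account is that stuffing spreads one or two guesses across thousands of accounts, so per-account lockout thresholds never trigger. The user at 198.51.100.20 who fails twice on a single account is left alone; the successes from the flagged source are the accounts whose owners reused a password leaked elsewhere.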

2. Lots of people fall for phishing attacks

7.3% of users across multiple data contributors were successfully phished — whether via a link or an opened attachment. That begged the question, “How many users fell victim more than once over the course of a year?” The answer is, in a typical company (with 30 or more employees), about 15% of all unique users who fell victim once, also took the bait a second time. 3% of all unique users clicked more than twice, and finally less than 1% clicked more than three times.

3. CEO frauds are on the rise, but can be countered with simple controls

This year’s data features numerous incidents involving the impersonation of an executive to trick someone to transfer money (sometimes six-figure amounts) from the corporate accounts.

Prepend the subject line of external emails with [External], [E] or even [Not from the CEO!] so recipients can spot messages purporting to come from a big wig but actually originating outside the company.

Have a process for approving payments that includes some form of communication other than email.
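The subject-tagging control above is usually implemented at the mail gateway, and the same hook is a good place to check the tell-tale signs of an executive impersonation: a display name that matches an executive but a From address that does not, a Reply-To pointing somewhere else, or a lookalike of the company domain. The gate below is an added example written for this article, not code from the original post or from any mail product; the internal domain, the executive roster and the three sample messages are constructed.

```python
"""Inbound-mail gate: tag external mail and flag executive impersonation.

Added example, not the article's or any vendor's code. INTERNAL_DOMAINS,
EXECUTIVES and the sample messages are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumed: the company's own mail domains
EXECUTIVES = {                      # assumed roster: display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
EXTERNAL_TAG = "[External]"


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to catch cousin domains like examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw):
    """Return {'subject': tagged subject, 'external': bool, 'findings': [...]}
    for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    from_dom = _domain(from_addr)
    findings = []

    # Control 1: every message from outside our domains gets the subject tag.
    external = from_dom not in INTERNAL_DOMAINS
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"

    # Executive display name on a mailbox that is not that executive's.
    name_key = from_name.strip().lower()
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"display name '{from_name}' matches an executive "
                        f"but From is {from_addr}")
    # Reply-To steering replies to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} is not in the From domain {from_dom}")
    # Sender domain within one edit of one of ours (typo-squat / cousin domain).
    if external and any(0 < _edit_distance(d, from_dom) <= 1 for d in INTERNAL_DOMAINS):
        findings.append(f"sender domain {from_dom} is a lookalike of a company domain")

    return {"subject": subject, "external": external, "findings": findings}


# Constructed samples (not real mail).
PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.example.net
To: payments@example.com
Subject: Urgent wire transfer needed today

Please process the attached invoice before 5pm. Do not call, I am in meetings.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Q2 budget

Attached.
"""
VENDOR = """\
From: Accounts <billing@vendor.example.org>
To: payments@example.com
Subject: Invoice 1042

Please find the invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("VENDOR", VENDOR)):
        r = assess_message(raw)
        print(f"{name}: {r['subject']!r} findings={r['findings']}")
```

The subject tag fires on all outside mail, so the genuine vendor invoice is tagged but raises no findings; the impersonation attempt is tagged and trips all three checks. None of this replaces the second control: a payment that arrives with three warnings attached should still not move without a phone call or in-person confirmation.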

4. DDoS is an annoyance for big businesses, but now we have to counter TDoS too

Where the organization size was known, DDoS attacks were disproportionately (98%) targeted at large organizations. Most attacks are not sustained for more than a couple of days.

Packet-based DDoS isn’t the only type of DoS around. Telephone Denial of Service (or TDoS) is another attack type made possible by the rise of Voice over Internet Protocol (VoIP) calling systems. Like traditional DDoS, TDoS can be a real threat to organizations. Services exist to help mitigate the risk and are improving with advancements in data science and machine learning. So, just like DDoS, weigh the business impact of not having defenses vs. the cost of acquiring them. If you’re going to need them, it’s better to know how to get them before the attack starts.

Summary

Attacks from external parties were down but were responsible for 75 percent of breaches, whilst there were about the same number of attacks from internal sources as last year. Most breaches were caused by hacking, and most of those hacking attacks were successful because they exploited stolen or weak passwords. Social engineering continues to be a major contributor to data breaches, despite all the effort made to make people aware of social engineering! And, not surprisingly, three-quarters of all data breaches were motivated by financial gain.

It is worth reading the complete 2017 Verizon Data Breach Investigations Report, which is available from here.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric.
  • David Morrow

    Thanks Eric, and I’d like to add my takeaway from the report: In July 2016, the National Institute of Standards and Technology recommended moving away from texting codes as a second authentication factor. About time!