Key Takeaways From The 2019 Verizon Data Breach Investigations Report
July 15, 2019
Each year, Verizon releases an in-depth report analyzing an extraordinary number of security incidents in an effort to illustrate the landscape of cybersecurity over the past year. The 2019 report features an analysis of 41,686 security incidents and 2,013 confirmed data breaches. In Verizon’s own words, “[The report] looks at how results are changing (or not) over the years, as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches.”
This valuable report sheds light on the shifting threat of security incidents and how, overall, these threats are impacting organizations of all sizes and industries. The most substantial finding of the 2019 report is this: There’s no industry that’s immune to these threats.
In the past, security threats were perceived to be a risk only for high-value targets holding financial transaction or personal identity information. Hospitals, insurance companies, healthcare organizations, and financial institutions were the primary targets for attacks because of the sheer volume of information they hold and their substantial financial resources. However, the 2019 Verizon Data Breach Investigations Report uncovered a shift in the pattern among the security incidents, which suggests it no longer matters who the organization is, what industry they’re in, or the size of the organization.
Small businesses are rapidly becoming the target of choice, so much so that they made up 43 percent of all security incidents analyzed from 2018. The shift has major implications for small and mid-sized businesses that previously went largely unbothered. More than ever, these organizations need to be aware of the threats and take active steps to protect themselves. At this point, it would be irresponsible for any organization not to take the time to address its threat and risk level. Security has gone from important to imperative.
Although hacking receives most of the attention when it comes to breaches – partially because it features in 52 percent of attempts – phishing remains one of the largest risks for small businesses. Phishing is often mistakenly grouped in with hacking, but organizations need to pay close attention to the definitions of both, particularly when it comes to understanding cyber insurance. Generally speaking, hacking is defined as using exploits to gain access to something, while phishing is more specifically defined as a threat masquerading as a trustworthy source in an attempt to bait an individual into handing over sensitive information.
The ever-present threat of phishing attempts in conjunction with the rise of threat actors targeting smaller organizations has led to an evolution in strategic planning for cyber security. Based on the detailed findings in the 2019 Verizon Data Breach Investigations Report, we have assembled five critical practices to bolster an organization’s security from cyber threats:
- Cyber Insurance – Insurance policies protect organizations from possible data or security breaches and are becoming the norm for companies big and small. Cyber insurance is the best way for companies to be protected if a breach is successful. Breaches can have massive financial implications, and an insurance policy is a good way to offset that substantial cost. However, it cannot be stressed enough how important it is for businesses to read and understand the intricacies of the policy. As mentioned earlier, insurance companies make a distinction between hacking and phishing, and the distinction matters for one important reason: some insurance companies don’t consider phishing to be hacking, so losses from a phishing attack may not be covered under the policy.
- Education and User Awareness Training – Because phishing is among the main threats to small businesses, focusing education and training efforts in this area is key. If a business’s employees are able to correctly identify phishing attempts, the risk is greatly minimized. The vast majority of phishing attempts are done via email – more than 90% according to the report – so efforts on email identification, like knowing how to recognize external emails or fake portals, will cut down on the success rate of phishing threats. Most email providers, such as Microsoft Office 365, include a suite of tools (at no or little cost) that aid in this sort of detection, but many of these functions are not enabled by default, and it is critical that these tools are set up correctly to increase security without impacting employee productivity.
- Security System Audits – Performing regular audits of the systems and processes in place is a great way to test the strengths (or weaknesses) within a business. An audit will help identify any gaps in the current process and provide an opportunity for the business to remedy the problem. Audits don’t have to be a massive undertaking. Simple departmental or process audits over time are all it takes to ensure a business is operating at a lower level of risk.
- Multi-Factor Authentication (MFA) – One of the simplest and most effective security practices a business can implement is MFA. It is a security system that requires more than one method of authentication (more than just a single password) from independent credentials in order to confirm the user’s identity. With MFA in place, even if the initial phishing attempt is successful, the threat actor still won’t be able to enter the system because they won’t have the second form of authentication.
- Device Encryption – Encryption is the most effective way to protect data stored on a physical device. All it entails is locking the files and data on a device using a secret password or code. If data is unencrypted, anyone who comes into contact with a device can gain access to the files without much effort. With encrypted devices, accessing the same data becomes much more difficult. If a threat actor were initially successful in their attempt and all they encountered was encrypted data, the information would not be very useful to them.
These five items are attainable for organizations of all sizes to implement, from both a cost and an effort perspective. Additionally, they dramatically decrease your organization’s risk profile.
Learn more about how you can enhance your cybersecurity program to address your organization’s biggest risks and set the foundation for more dependable performance and long-term success. If you have any questions, please contact our Technology Advisory Team.