Key Takeaways From Verizon’s 2023 Data Breach Investigation

essidsolutions

Stu Sjouwerman of KnowBe4 digs into the findings from the data breach investigations report by Verizon to explain why securing the human element is still imperative for organizations.

Verizon’s recently published data breach investigations report (DBIR) reaffirms that the human element remains a significant factor in data breaches, accounting for most incidents. This percentage echoes findings from previous years, highlighting the persistent importance of securing the human element within organizations.

The report identifies stolen credentials, phishing attacks, and vulnerability exploitation as the primary threat vectors for initial system access, all involving some form of human error. Social engineering (manipulating people to coerce them into sharing data or credentials) is on the rise, with cybercriminals increasingly using tactics like pretexting to trick users into sharing sensitive data. Additionally, misconfiguration errors and lost or stolen devices contribute to breaches.

To address these challenges, organizations must implement a multi-layered security strategy that combines training, policies, and security controls to “people-proof” their systems and processes. With a proactive approach to cybersecurity, organizations can transform human weaknesses into an asset for maintaining robust security.

The DBIR yet again highlights that the human element is the root cause of 74% of all breaches, either through some kind of error, privilege misuse, use of stolen credentials or social engineering. Similar findings were also reported last year (82% of breaches) and in 2021 (85% of breaches).

Stolen Credentials And Phishing Reign As Top Attack Vectors

The term “initial access” describes a method cyber criminals use to enter organizations. Once threat actors have initial access, they can look for ways to hijack or compromise systems, install and spread malware, conduct espionage or move laterally across other systems, devices, and networks.  

Per DBIR research, the three main ways threat actors gain initial access into organizations are stolen credentials (49%), phishing (12%) and exploiting vulnerabilities (5%). All three access points involve some kind of human error. A user gets phished because the attacker dupes them; credentials get leaked or stolen because three out of four users use poor password practices; vulnerabilities are frequently exploited due to a lack of frequent patching and poor vulnerability tracking.

Social Engineering Keeps Growing, Becomes More Lucrative

Even as organizations continue to invest more in security technology, criminals are finding new and easier ways to circumvent these controls using human-oriented attack vectors, namely social engineering. Social engineering refers to manipulating people: cybercriminals coerce or trick them into opening an attachment, responding to an email, clicking on a malicious link, or sharing credentials or sensitive data. Verizon reports a steep rise in social engineering incidents, with an average of $50,000 stolen from victims.

Pretexting Now More Prevalent than Phishing

Although 44% of social engineering attacks involve phishing, Verizon noted half of all attacks use pretexting. Pretexting is a type of spear-phishing attack where cybercriminals hijack existing email conversations and go to extra lengths to trick users into believing that the message is indeed from someone they know. This trend, combined with the revelation that 97% of cyber-attacks are financially motivated, indicates that phishing, in all probability, is set to become more advanced, more targeted and much more sophisticated.

Misdelivery and Misconfiguration Errors Abound

The Verizon report states that human errors such as misdelivery (sending something to the wrong person), publishing errors (showing something to the wrong audience), and misconfigurations (configuration errors made by security teams in software and systems) are responsible for about 10% of all breaches. While 83% of incidents involve external threat actors, 19% of incidents are caused by internal actors, either through misuse (intentional or unintentional) or a simple human error. Regular employees did not make these errors; they were made by technical staff (systems admins and developers) who are supposed to have more security maturity than others.

Lost And Stolen Devices: An Ongoing Risk

According to the DBIR, lost (accidentally leaving your laptop or work phone at a train station) and stolen devices (theft) are common and a trend not likely to fade away due to mobile devices’ sheer size and portability. The report further states that while stolen devices certainly represent a major risk, employees are more likely to cause a data breach by accidentally losing a device. Once again, the element of human error here is clear as day. 

What Can Organizations Do To People-proof their Systems, Security and Processes?

It’s impossible to mitigate human error through security systems alone. To people-proof systems and security, organizations must deploy a multi-layer strategy that includes a combination of security controls, security training, and policies and procedures. Typical security controls include privileged access management, firewalls, anti-spam, endpoint detection and response, and phishing-resistant multi-factor authentication.

When it comes to social engineering, rapid detection and response are key, and this is where secure human behavior can really shine. To develop a security culture, employees must undergo regular training, classroom exercises and simulated phishing tests to develop a security instinct to recognize and report suspicious items. Organizations need to repeatedly cite rules, guidelines, and policies that spell out the do’s and don’ts (don’t share passwords; report suspicious emails; browse the internet safely; think before you click; pause before you act) and best practices (use of password managers; keep software up to date; avoid suspicious looking emails; take care of devices when in transit; never leave your desk unattended).

Organizations will need to optimize their approach to cybersecurity, as a collaborative culture that works with human weaknesses is crucial in most aspects of modern business. Through regular training, policies, and best practices, employee errors can be prevented, making human weaknesses an organization’s asset rather than a hindrance to security.
