The common thread in most successful attacks? Users

One of the largest annual studies of breaches and cybercrime has found attacks are getting more and more complicated, but most still succeed or fail from the biggest weak point in security: the end user.

Confused on Computer

This is nothing new. Users have and always will be the single most vulnerable point of any system. It’s so widely recognized it has its own acronym: PEBCAK, or Problem Exists Between Chair and Keyboard.

So while the 2015 Verizon Data Breach Investigation Report found that hackers are getting more sophisticated in their attacks, the root cause remains mostly the same: user error or malicious insiders.

According to the investigations:

  • 23% of recipients will open phishing messages, and
  • 11% actually open attachments from these messages.

Most users who will fall for a phishing campaign do so quickly: 50% who open will do so in the first hour after it was sent. For some, that takes as little as 22 seconds.

And hackers don’t send one phishing email and pray for a bite. They’ll go after users repeatedly, and with good reason: If 10 phishing emails are sent there’s a 90% chance that at least one will be opened by a recipient.

This can lead to untold damage, as once hackers are able to penetrate a system, hackers will hang out as long as it takes to find good information. Often, that’s a very long time.

The report found that while the average time to breach is measured in minutes, the time it takes a company to discover it has been breached is much longer – for point-of-sale systems, for instance, discovery time was measured in:

  • hours (27.3% of the time)
  • days (36.4%)
  • weeks (18.2%), and
  • months (9.1%).

That’s more than enough time for attackers to get all the information they need or to set up a foothold to continue monitoring systems.

Mobile is low-priority

Some good news on the breaches front, however, is that mobile threats remain largely unpopular with attackers. While you’ll continue to want to secure BYOD programs, obviously, mobile malware barely ranks as a threat. Only .03% of mobile devices were infected with “truly malicious exploits,” according to Verizon.

This supports Android’s recent claim that it was mostly malware free.

Once again, the real threat with mobility was users being careless.

Theft of devices continues to be a serious problem, and mobile devices are a pretty darn attractive target considering how easy they are to walk off with.

The majority of thefts happen close to the office – 55% of devices go missing in the user’s work area. Another 22% are taken from an employee’s personal vehicle.

The real problem again is how long it takes for IT to learn about this breach. About 15% of incidents weren’t reported for days, which is probably attributable to workers trying to find their devices on their own or being afraid of reporting a theft.

Make sure workers know they need to report lost devices ASAP. If you are able to assist them with a “find my phone” option, that should cut down on the number of lost devices that go unreported – or alert you to the theft quicker than searching on your own.

And while most cases turn out to be simple human error, it is always possible you may discover the malicious insider.

That’s a good reason to think about putting restrictions on how much data users have access to. In fact, 55% of insider incidents were the result of a user abusing the data they had been entrusted with.

IT’s not off the hook

While we’re focusing mostly on the role users play in data breaches, we’d be remiss to excuse IT entirely. The report did find many companies aren’t taking the most basic step to securing systems: patching them regularly.

The report found that some of the exploited flaws that led to hacking attacks date back to 2007. There’s no excuse for waiting that long to patch a vulnerable system.

Make sure you get on top of this crucial step or it could be you, not your users, who’s getting called out for basic security missteps.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy