For all the millions of dollars an organization might spend on security technology, its employees' decisions and actions do the most to keep the company safe, according to the annual Verizon Data Breach Investigations Report.
The report examined about 80,000 incidents from 2020—described as events that compromise the integrity, confidentiality or availability of an information asset—and more than 5,000 confirmed data breaches.
Phishing attacks to trick employees into revealing login and personal information came up as the top avenue of incursion (more than 30 percent of all incidents). Overall, 85 percent of breaches included a human element and 61 percent related to stolen or misused credentials.
Ransomware was found in 13 percent of human-related breaches, and that's where the pain really comes in. In addition to locking organizational systems, about 10 percent of the ransomware attacks cost organizations an average of $1 million, which included the cash paid out in the ransom, the price tag for remediation and lost revenue.
The statistics indicated that ransomware attacks doubled in frequency over the past year. These attacks are expected to jump again in 2021. Some are straightforward, demanding organizations hand over the cash to regain access to their data. But there are other tactics. Some bad actors gain access, exfiltrate data and threaten to reveal it publicly if the victim does not pay. Others contact competitors or mega-investors to see how much they might be willing to pay for a peek at the files.
Gangsters, Not Geeks
The movies would have us believe that hackers are typically unemployed geeks operating from their parents' homes. To relieve the boredom, they decide to break into the NSA and vandalize the site. If ever that was the case, those days are behind us.
Organized crime is behind 4 out of 5 breaches, and their goal is financial gain, not notoriety. HR heads should be aware that these cybercriminals are actively targeting any organization that might reap big rewards, whether those be monetary, intellectual property, sensitive information or the avoidance of brand damage. Yes, cybercriminals will lock random companies out of their network and demand payment. But they have raised the stakes and now want millions in ransom, rather than thousands.
"The conversation about data leakage has flipped from 'if' to 'when' a company will be breached by malicious actors," said Masha Arbisman, behavioral engineering manager at Verizon Media. "The fight against cyber breaches continues to depend on an organization's ability to train and adapt its members' behaviors to protect against actions such as credential theft, social engineering and user error."
Another common misconception is that internal actors are a major menace. They are a problem, but damage from a company's own employees is dwarfed by external threats from the criminal fringe. Currently, less than 20 percent of breaches are inside jobs, and only a tiny fraction of 1 percent are from an organization's partners.
"Most internal actors are motivated by greed—they're trying to cash in on the data they steal," said Herbert Stapleton, deputy assistant director in the FBI's Cyber Division. "A much smaller percentage are in it for the laughs. Fewer still are holding a grudge against their employer. And finally, we get to those who are doing this to start a competing business or benefit their next employer."
HR should work closely with IT security and risk management teams to ensure resources are allocated accordingly. The bulk of attention should be levied at external threats. More attention should be paid to proofing up the workforce against social engineering tricks (phishing and other ploys) than to rooting out internal menaces or partner-based incursions.
The FBI recommends that any organization under attack should go to the Internet Crime Complaint Center and file a report.
"Over the past decade, the cyber threat has grown exponentially with nation-state and cyber criminals increasing the scale, scope and level of sophistication of their cyberattacks," Stapleton said. "Addressing this kind of complex and agile environment requires a more comprehensive response than any one single government agency, business, technology or data source can provide."
HR should reach out to IT to make sure the department is well-staffed and keeping up with routine tasks such as deploying patches to prevent security incursions.
Hackers are now using automation to quickly zero in on known security holes, according to the Verizon report.
"As such, it's important to limit your public-facing attack surface through asset management, defensive boundaries and intelligent patching," Arbisman said. "One might think that more recent vulnerabilities would be more common. However, as we saw last year, it is actually the older vulnerabilities that are leading the way. These older vulnerabilities are what the attackers continue to exploit."
Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.