Every year, business leaders across all verticals anticipate results and analysis from Verizon’s Data Breach Investigation Report (DBIR). Due to its depth and quality, many find the information to be authoritative enough to consider when planning IT and data security strategies. The most recent version (from 2019) was compiled from real-world stats spanning more than 41,000 cybersecurity incidents and 2,000+ data breaches from 73 public and private global entities. Not surprisingly, it contains potentially actionable insights for anyone tasked with reducing cybersecurity risk. But it also includes some encouraging improvements, which suggest that certain security measures are actually working.
1) In retail, the number of physical terminal compromises has dropped, partly due to industry-wide security gains resulting from chip-and-PIN technology.
2) Year-over-year attacks on HR departments dropped notably in 2019, with data showing six times fewer HR personnel being impacted by cybercrooks.
3) A drop in phishing-simulation click-through rates (CTRs). Simulations assess your company’s vulnerability by indicating how many people may be susceptible to an email-borne social-engineering attack. According to Verizon, CTRs in reported testing fell from 24% seven years ago to just 3% last year.

Of course, more sobering stats were also revealed. For example, 43% of all breaches involved small businesses, and 84% of all breaches were perpetrated by outsiders.
Ransomware is still a serious threat to all industries, accounting for 24% of reported incidents involving malware. DBIR data also showed that in 2019, C-Level executives were 12X more likely to be the target of social-related incidents, as evidenced by the exponential increase of execs reportedly compromised by financial engineering schemes. With regard to mobile users, research showed that certain device interfaces may increase susceptibility to malicious phishing attacks.
Familiar best practices strongly encouraged by security experts like Verizon, TeamLogic IT and others include keeping operating systems updated and properly patched; redoubling two-factor authentication where deemed appropriate by your security pro; and implementing strong authentication on customer-facing applications, cloud systems and remote-user access. Social-engineering awareness training, including separate or private sessions for C-Level leaders, may also be indicated to reduce your company’s risk.
Contact us today for information or help with any aspect of your cybersecurity program, including training.