- 2021 Verizon DBIR found that 85% of breaches involve “the human element.”
- A deeper approach to incident prevention
- Planning to protect your people
Incidents, Breaches, and the Human Factor
Lessons from the Verizon DBIR
In The Privacy Incident Benchmark Report 2021, analysis of anonymized Radar user metadata found that 94% of privacy incidents are caused by unintentional human error. The report also found that, when properly risk assessed, less than 7% of incidents turn out to be notifiable breaches. That raises the question: how many actual breaches are caused by human error, as opposed to, say, direct cyberattacks?
Well, the 2021 Verizon Data Breach Investigations Report (DBIR) provides an answer: a lot.
This year’s DBIR found that 85% of breaches involve “the human element.” And this high commonality between incident and data breach causes has a number of implications for privacy teams.
If we were to think of these three statistics as a Venn diagram, the small number of incidents that turn out to be breaches falls almost entirely within the set of incidents caused by human error. This means that every successful effort to reduce those errors pays off twice, by reducing both incidents and breaches, and privacy teams are in a unique position to help with the human side of privacy and security.
Prevention and a Deeper Approach to Training
While the data security team is responsible for detecting system intrusions that lead to breaches, the DBIR found that only 4% of breaches these days are caused by brute force cyber-attacks. Why bother when it’s relatively easy for criminals to trick people out of credentials?
The report found that phishing was present in 36% of breaches, up 25% from the previous year, and 61% of breaches now involve credential data. Cyber-criminals also take advantage of the fact that too many people reuse passwords across work and personal accounts. According to the report, 95% of companies suffered credential-stuffing attacks. In fact, one organization experienced 3.3 billion attacks in a single year.
Data security programs often deploy anti-phishing programs, but that’s not enough. In their launch presentation, the DBIR authors cited findings that users who consistently avoid the simulated phishing emails sent out by their data security teams will nevertheless fall for real phishing messages, sometimes at rates as high as 50%.
Privacy teams are better positioned to identify needs and deliver training in personal as well as corporate privacy. These days, bad actors can leverage legitimate channels such as programmatic advertising to target their victims, and credentials can be stolen from employees’ devices and through online activities in their personal lives.
Employees need to be trained to be wary in their personal lives, whether on social media, on public Wi-Fi networks, or when setting up online accounts. They need to be educated about the latest scams and social engineering tactics. Proficiency in personal privacy tools such as privacy-first browsers, tracking blockers, VPNs, and password managers protects the company as well as the individual.
Metrics for a Data-Driven Defense
Privacy teams can also help prevent breaches by identifying the gaps in the human firewall. An automated incident response system can provide a real-time overview of incident causes and details, making it possible to drill down and identify problem areas.
With an automated incident response workflow that gathers data from all relevant departments, privacy teams can help their organizations spot and address trends, and shift focus and resources accordingly.
Is malware coming into your systems via employee devices? Is credential stuffing working because of reused passwords? Are people not installing security updates when they should? By tracking trends in the wider world of incidents, the privacy team can identify where a shift in focus, process, or resources can lower the odds of data breaches.
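The kind of drill-down described above, as an added illustration that is not part of the original article or any Radar product: constructed incident records are summarized into the three figures the text lays out as a Venn diagram, and recent sub-causes are compared against the prior period to flag where focus should shift. The record fields, category names and dates are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Incident:
    opened: date
    root_cause: str   # assumed categories: "human_error", "cyberattack", "system_failure"
    sub_cause: str    # assumed labels such as "misdirected_email", "phishing", "reused_password"
    notifiable: bool  # outcome of the risk assessment for this incident

# Constructed sample data; not figures from the page or the DBIR.
INCIDENTS = [
    Incident(date(2021, 1, 12), "human_error", "misdirected_email", False),
    Incident(date(2021, 1, 20), "human_error", "lost_device", False),
    Incident(date(2021, 2, 3), "human_error", "phishing", True),
    Incident(date(2021, 2, 18), "cyberattack", "brute_force", False),
    Incident(date(2021, 3, 2), "human_error", "reused_password", True),
    Incident(date(2021, 3, 9), "human_error", "misdirected_email", False),
    Incident(date(2021, 3, 21), "system_failure", "unpatched_system", False),
    Incident(date(2021, 4, 5), "human_error", "reused_password", True),
    Incident(date(2021, 4, 14), "human_error", "reused_password", False),
    Incident(date(2021, 4, 27), "human_error", "phishing", False),
]

def share(incidents, pred):
    """Fraction of incidents satisfying pred (0.0 for an empty list)."""
    return sum(1 for i in incidents if pred(i)) / len(incidents) if incidents else 0.0

def venn_summary(incidents):
    """Human-error share, notifiable share, and how much of the notifiable set
    sits inside the human-error set (the overlap the text describes)."""
    notifiable = [i for i in incidents if i.notifiable]
    return {
        "human_error_share": share(incidents, lambda i: i.root_cause == "human_error"),
        "notifiable_share": share(incidents, lambda i: i.notifiable),
        "breaches_from_human_error": share(notifiable, lambda i: i.root_cause == "human_error"),
    }

def rising_causes(incidents, window_months=2):
    """Sub-causes whose count grew in the latest window versus the window before it,
    most-increased first; these are the candidates for a shift in training or process."""
    months = sorted({(i.opened.year, i.opened.month) for i in incidents})
    recent = set(months[-window_months:])
    prior = set(months[-2 * window_months:-window_months])
    in_period = lambda i, p: (i.opened.year, i.opened.month) in p
    recent_counts = Counter(i.sub_cause for i in incidents if in_period(i, recent))
    prior_counts = Counter(i.sub_cause for i in incidents if in_period(i, prior))
    deltas = {c: recent_counts[c] - prior_counts[c] for c in set(recent_counts) | set(prior_counts)}
    return sorted(((c, d) for c, d in deltas.items() if d > 0), key=lambda cd: -cd[1])
```

With the sample data, every notifiable breach falls inside the human-error set, and reused passwords stand out as the fastest-growing sub-cause over the last two months.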
“Prepare the People”
With AI and monitoring, computers have become very good at detecting attacks on computers, which is one reason that data thieves are increasingly focusing on the human side of the equation. As attack strategies shift towards people, the privacy team’s expertise will be increasingly important, not just to incident response and compliance, but to preventing data breaches.
Organizations need to shift their thinking, too. As one of the DBIR authors remarked, “You need to make people part of what you’re protecting in your organization, not just computers.”
Data security spending is important, but privacy teams also need the tools and resources to identify and tackle breach prevention. And there’s strong justification for funding: the report found that 6 months after a breach, the median loss to a company was 5% of the stock value. Of the companies that did suffer losses after a breach, 76% were still losing after two years.
While there will always be another security gap in software, another new computer virus, or another flavor of ransomware, the fact is that digital cybersecurity threats are predictable, whereas the potential for human error, however innocent, is practically infinite. It takes people intimately familiar with the data, the processes, and the risks (in other words, the privacy team) to anticipate and prevent those problems.
As one of the DBIR authors admonished, “Engineer for the expected—you know what threats will always be there. But tune operations for the exceptional: prepare the people.”