Protecting Humans From Data Security Attacks
Metrics and narratives are all the rage in compliance. Metrics allow companies to benchmark and measure compliance program effectiveness, business risk, and, increasingly, employee behavior. And adult learning research shows that narratives are an effective way to teach adults new concepts. Fortunately, Verizon has released its popular Data Breach Investigations Report (“Report”), which delivers data security metrics, and Data Breach Digest, which delivers data security narratives. Both types of content are critical for understanding the value of providing cybersecurity awareness training to protect humans from data security attacks.
“Attack the Humans!”
The Report provides great insight into a variety of data security topics and trends, from ransomware to industries at risk of data incidents and breaches. For example, the percentage of social-type data security attacks among breaches has steadily risen since 2010 and was found in 43% of all studied data breaches in 2016.
Social engineering attacks use “human interaction (social skills) to obtain or compromise information about an organization or its computer systems.” Two types of social engineering data security attacks really stand out. Phishing, where crafted, fake emails bait recipients to click on links or attachments, occurred in 90% of all social engineering attacks. The second most insidious was pretexting, where threat actors leverage underlying human emotions, such as empathy, curiosity, trust and fear to get access. This tactic often employs phishing scams.
Data Security Story
The Data Breach Digest provides narratives of real data breaches, and what companies did in response. One includes a story of a social engineering attack where a hacker got access to an accountant’s email credentials through a successful phishing email claiming that an invoice was paid late. Once the hacker got access, it monitored the accountant’s email account and studied the company’s wire transfer approval process by searching through emails. This allowed the threat actor to fabricate an email address almost identical to the Chief Information Officer’s (CIO) and initiate a fake invoice that the company paid. “To this day, we are still working with law enforcement to figure out what happened to our money,” according to the CIO.
While the company’s strong network security systems could have stopped the fake email from doing damage, that day the accountant worked from home and used his personal Wi-Fi network, which did not have the same security restrictions. This is also an example of the data security risks lurking in shadow IT. Humans, like employees, are at the center of these data security attacks and, for any number of reasons, grant outsiders access to their company’s sensitive data.
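The fabricated look-alike CIO address in the story above is exactly the kind of thing a mail gateway or SIEM rule can flag before the message reaches an accountant. The following is an added Python example, not code from Verizon or the Digest, that triages an inbound From: header against a constructed executive directory (the names, addresses and domain are hypothetical) and reports whether the sender is internal, a look-alike address, or a display-name impersonation.

```python
"""Flag inbound From: headers that impersonate a known executive (added example)."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample directory: hypothetical people and domain, not from the page.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "dana.lee@example-corp.com": "Dana Lee",     # hypothetical CIO
    "sam.ortiz@example-corp.com": "Sam Ortiz",   # hypothetical CFO
}

# Common digit-for-letter substitutions seen in look-alike addresses: 0->o 1->l 3->e 5->s
_DIGIT_SWAPS = str.maketrans("0135", "oles")


def normalize(addr: str) -> str:
    """Collapse look-alike spellings so near-identical addresses compare equal."""
    s = addr.lower().translate(_DIGIT_SWAPS)
    return s.replace("rn", "m").replace("vv", "w")


def classify_sender(from_header: str, threshold: float = 0.9):
    """Return (verdict, matched_executive) for a raw From: header value."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("unparseable", None)
    if addr.rpartition("@")[2] == INTERNAL_DOMAIN:
        # Genuinely internal; domain-level controls (SPF/DKIM/DMARC) cover this case.
        return ("internal", addr if addr in EXECUTIVES else None)
    norm = normalize(addr)
    for exec_addr, exec_name in EXECUTIVES.items():
        # Look-alike: identical after normalization, or within a small edit of the real one.
        ratio = SequenceMatcher(None, norm, exec_addr).ratio()
        if norm == normalize(exec_addr) or ratio >= threshold:
            return ("lookalike-address", exec_addr)
        # Display-name impersonation: the executive's name on an unrelated external address.
        if display_name.strip().lower() == exec_name.lower():
            return ("display-name-impersonation", exec_addr)
    return ("external", None)


if __name__ == "__main__":
    # Constructed sample headers for a quick run.
    for hdr in ("Dana Lee <dana.lee@examp1e-corp.com>",
                "Dana Lee <dlee.home@mail.example>",
                "Vendor Billing <billing@vendor.example>"):
        print(hdr, "->", classify_sender(hdr))
```

Anything classified as a look-alike or display-name impersonation is a candidate for quarantine and for the employee-reporting workflow discussed in the next section.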
Knowing How (or What) to Report
In addition to social engineering and shadow IT, reporting is another data security metric that companies must track. The statistic for 2016 is startling. Among the companies that recorded instances of reporting, only 20% of employees reported “phishy” emails. Either they didn’t know what to look for, knew but didn’t have a process to report, knew but didn’t care, or the company just didn’t report that data to Verizon. Either way, that number is low and reflects the fact that “someone will always click.” Detection, prevention, and reporting are all things employees should know how to do to avoid becoming prey to data security attacks.
This may be why Verizon recommends data security awareness training as an “essential” area of focus to protect against threats like cyber-espionage. Considering that 81% of hacking-related breaches leveraged stolen and/or weak passwords, data security training should cover passwords, too, and be provided on an ongoing basis.
LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.