In the evolving digital landscape, the size of a business is no longer a metric to judge the...
Verizon 2024 Data Breach Report shows the risk of the human element
highlighting the role that the human element plays in cyber threats. This report
examined 30,458 security incidents as well as 10,626 verified breaches in 2023,
representing a two-fold increase from 2022. Out of the breaches analyzed, more than
two-thirds (68%) included a non-malicious human element — in other words, these
incidents involved insider errors or people falling for social engineering schemes.
Key findings include:
- 32% of breaches included a form of extortion, including ransomware.
- Between 24% and 25% of financially motivated security events involved pretexting over the past two years.
- Over the last decade, 31% of breaches involved the use of stolen credentials.
RITC Cybersecurity Comments:
When we review stories like this, and they point to human failings involving social
engineering, ransomware, or stolen credentials, we know, based on our experience, that
this typically points to inadequate security training. That inadequacy usually takes one of several forms:
• Lack of understanding of the importance of cybersecurity training: Unfortunately, we
still encounter companies that don’t believe they have anything to steal and invest the
minimum amount into cybersecurity practices for the enterprise.
• Inadequate security training: Some small to medium-sized companies do not have the
budget or staff to maintain up-to-date security training that includes phishing, social
engineering, and general awareness. They often rely on either outdated training
solutions or those created in-house. In the current cybersecurity climate, that is no
longer adequate to ensure users are properly equipped to deal with cybercriminals.
• Infrequent security training: This is still an issue we see repeatedly. Many companies
require cybersecurity training at onboarding or annually, but it is generally forgotten
about for the rest of the year. RITC Cybersecurity recommends that cybersecurity training
be conducted quarterly, especially phishing training. We know that sounds
burdensome, but there are strategies to make this less work than annual training.