RITC's Cybersecurity blogs

Verizon 2024 Data Breach Report shows the risk of the human element

Written by Mari | Oct 10, 2024 10:13:18 PM
Verizon Business released its 17th-annual Data Breach Investigations Report (DBIR),
highlighting the role that the human element plays in cyber threats. This report
examined 30,458 security incidents as well as 10,626 verified breaches in 2023,
representing a two-fold increase from 2022. Out of the breaches analyzed, more than
two-thirds (68%) included a non-malicious human element — in other words, these
incidents involved insider errors or people falling for social engineering schemes. 
Key findings include: 
  • 32% of breaches included a form of extortion, including ransomware.
  •  Between 24% and 25% of financially motivated security events involved
    pretexting over the past two years. 
  • Over the last decade, 31% of breaches involved the use of stolen credentials.

https://www.securitymagazine.com/articles/100629-verizon-2024-data-breach-report-shows-the-risk-of-the-human-element

RITC Cybersecurity Comments:
When we review stories like this, and they point to human failings involving social
engineering, ransomware, or stolen credentials, we know, based on our experience, that
this typically points to inadequate security training. This typically takes several forms:

• Lack of understanding of the importance of cybersecurity training: Unfortunately, we
   still encounter companies that don’t believe they have anything to steal and invest the
   minimum amount into cybersecurity practices for the enterprise.

• Inadequate security training: Some small to medium-sized companies do not have the
   budget or staff to maintain up-to-date security training that includes phishing, social
   engineering, and general awareness. They often rely on either outdated training
   solutions or those created in-house. In the current cybersecurity climate, that is no
   longer adequate to ensure users are properly equipped to deal with cybercriminals.

• Infrequent security training: This is still an issue we see repeatedly. Many companies
   will require cybersecurity training at onboarding or annually, but it is generally forgotten
   about throughout the year. RITC Cybersecurity recommends that cybersecurity training
   should be conducted quarterly, especially phishing training. We know that sounds
   burdensome, but there are strategies to make this less work than annual training.