Security Awareness Blog

2017 Verizon DBIR - Human Perspective

Screen Shot 2017-05-15 at 7.11.23 AMThe 2017 Verizon DBIR (Data Breach Investigations Report) is out. For those of you who are unfamiliar with it, this is THE data driven report that helps you better understand threats and what are the leading causes of incidents / breaches. The report is important as it provides a trusted resource to help you make data driven decisions on what you should be teaching in your awareness program. The report can be used a variety of ways, from understanding overall threats to doing a deep dive on the greatest risks facing your own industry. My favorite resource in this year's report is Figure 9, which we have posted in this blog. This figure gives you an overview the most common risks facing the 8 most common industries. If you are in one of those 8 industries, my suggestion is to go straight to the report's detailed write-up on your industry and learn everything you can.

One of the key findings from the report (and one many people are missing) is on page 32 of the report. On page 32 Verizon dedicates an entire section to human risk - Attack the Humans. One of the key statistics they call out is of the 1,963 breaches documented in this report, 828 (or 43%) involved social engineering attacks. This means almost half of all breaches involved bad guys bypassing technology and targeting the human. But that is only half the story. What about insider misuse or accidental breaches, such as accidently emailing the wrong person with sensitive data? Both are human based, and both should also be addressed in any awareness program. If you count these action elements also, then the human was involved in an additional 457 breaches, for a total of 1,285 or 65% of breaches. In other words, humans were involved in over two-thirds of all breaches, and yet organizations still think security is a technology problem. This section alone is a great way to demonstrate to leadership how humans and not technology are the greatest risk to any organization.

On a side note, remember we also want to go beyond just the Human Firewall and create the Human Sensor. On page 8 of the Verizon DBIR they state - "Employee notifications were the most common internal discovery method for the second straight year and there was also an uptick in detection through internal financial audits, associated with business email compromise (BEC)." In other words, after investing all that money in SIEM, DLP and IDS technology, employees are still an organization's most effective method in detecting internal incidents.

To learn more about securing the human, join us for the 3rd annual Security Awareness Summit 2/3 August in Nashville, as over 200 awareness professionals and industry experts share lessons learned.

3 Comments

Posted May 16, 2017 at 2:39 PM | Permalink | Reply

Kevin Schultz

Minor typo, 2nd paragraph: "One page 32''" should read "On page 32''" Thank you.

Posted May 16, 2017 at 2:42 PM | Permalink | Reply

lspitzner

Great catch, thanks! Fixed now

Posted May 16, 2017 at 4:01 PM | Permalink | Reply

Geoffrey Parker

Lance, Thanks for a great catch, and I agree with your data. Like in-person live training, which in my opinion trumps every other form of training for effectiveness and impact and behavior modification, I think the human sensor network trumps all other forms of sensing. We can't detect everything, like FireEye, or log everything like Splunk, but we can use our senses and our judgment which no other system has. I think we need to focus more on our human systems.