Verizon Data Breach Investigations Report 2018
Every year, we gleefully look forward to the latest Verizon DBIR as they always contain statistics that are pertinent to security awareness programs. These stats can be used to reinforce the need to gather everyone in a room for regular cyber security briefings or to continue an ongoing phishing exercise.
Why and What
The majority of breaches (where data was disclosed to unauthorized individuals) are financially motivated (76%). The top three data types in breaches were personal, payment, and medical. This includes identifying information that can be used for identity theft, credit card numbers for fraudulent purchases, and health insurance coverage and medical records to perpetrate medical claims fraud.
If you’re not already identifying critical types of information in your organization, you should. Prioritize the kinds of information that are valuable targets. Explain the threat surrounding valuable information to those who deal with it and train them in proper information handling to avoid accidental disclosure.
The DBIR stated that with social engineering attacks, the finance and HR departments were most often targeted with a pretext—an impersonation of someone they know in order to obtain funds in the former and personal information in the latter. You may want to consider these scenarios for training your finance and HR departments: phony wire transfers and invoice payments, and W-2 requests from a high-ranking internal figure.
Interestingly, when phishing did not involve a pretext or impersonation, 66% of the time, malware installation was the goal. Hackers seem to place as many messages out there as possible to see what sticks (or gets clicked, in this case). Malware may lead to credential harvesting and account compromise or computer compromise and a potential foothold on the network.
Ninety-six percent of social engineering occurred through email, so it would be wise to perform phishing security awareness exercises and identify the people who are prone to click. Configure multi-factor authentication where possible. Employ suspicious login recognition. (We’ve written about all of this before.)
An Added Benefit of a Security-Minded Workforce
In 68% of data breaches, detection took months or longer. In the public sector in particular, the DBIR states that “almost half of breaches were discovered months or years after the initial compromise.” An educated workforce that reports phishing attempts, disclosures, or other suspicious activity can aid in detecting a security incident and responding sooner.