It’s here! The 2019 Verizon Data Breach Investigations Report, released yesterday, analyzed 41,686 cybersecurity incidents, with data provided by 73 sources from 86 countries.
The report confirms much of what we read in the FBI’s 2018 Internet Crime Report: phishing remains a top threat action and business email compromise (BEC) is on the rise. The Verizon DBIR also shows that cybercriminals are increasingly targeting the C-suite.
The C-suite is starved for time, which breeds a habit of responding to emails quickly so they can move on to the next one. That habit makes executives prime targets for social engineering. Take for example the phishing campaign we identified earlier this year, which targeted Board members in a credential theft attack.
Today, C-level executives are increasingly and proactively targeted by cybercriminals. According to the Verizon DBIR, senior executives were 12 times more likely to be the target of social engineering incidents than in previous years.
According to the report, the growing success of social attacks like BEC or CEO fraud (370 incidents, 248 of them confirmed breaches, among those analyzed) can be linked to an unhealthy mix of a stressful business environment and a lack of focused education on the risks of phishing and cybercrime.
This combination of a distracted, ill-informed C-level executive and a well-crafted phishing email can end in calamity, handing cybercriminals exactly the sensitive information and login credentials they want. Once cybercriminals gain access to an executive’s email account, they can trade on the credibility of that account to initiate financial transactions, reach confidential information, launch BEC campaigns, or harvest additional credentials and keep moving laterally through the organization.
According to the Verizon DBIR, 32% of the analyzed breaches involved phishing.
A well-crafted phishing email is designed to break down psychological barriers. The cybercriminal takes advantage of human nature, our ingrained desire to do the right thing (especially at our place of employment). The authority that C-level executives hold usually goes unchallenged within an organization, so a well-timed phishing email from the CEO’s or CFO’s spoofed email address can get employees to share sensitive financial information or wire money without question.
The Verizon DBIR does give us some good news: click-through rates on simulated phishing dropped by 1% compared with last year (after an estimated $490 million was spent on cybersecurity awareness training tools in 2018).
Sometimes it seems like the bad actors always win over the good guys, but it doesn’t have to be this way. Thankfully, there are ways to stop sophisticated phishing attacks, malicious email attachments, and suspicious links in their tracks. So, take a breath and reflect on these wise words highlighted in the 2019 Verizon DBIR, “we all have wounds, none of us knows everything, let’s learn from each other. Excelsior!”
When securing email, start with the basics and implement the email authentication standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). But email authentication alone is not enough. SPF, DKIM and DMARC only let a receiver verify that a message really came from the domain it claims, and they only bite when the domain owner publishes an enforcing policy (p=quarantine or p=reject rather than p=none); a phishing email sent from a lookalike domain the attacker controls passes all three checks. Organizations need a holistic approach to securing email: one that identifies, addresses, and reinforces business processes vulnerable to phishing, delivers real-world user training daily, and offers dynamic detection capabilities.
The conventional, reactive detection methods used by most legacy email security tools fail to detect even basic email-borne attacks, and organizations that do not adapt to protect against advanced email threats are putting their most senior executives and their profits at risk.
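As an added example (not code from the original post or from any vendor), the Python below is a minimal SPF and DMARC evaluator run over a constructed, in-memory DNS zone. The domains, IP addresses and TXT records are assumptions (RFC 5737 test ranges), and the relaxed-alignment rule compares the last two labels in place of the public suffix list a real implementation would use. It shows what a receiving mail server decides for a spoofed CEO address under a hardened domain (SPF -all, DMARC p=reject), under a weak domain (SPF ~all, DMARC p=none, so the spoof is still delivered), and for an attacker’s own lookalike domain, which authenticates cleanly.

```python
"""Minimal SPF and DMARC evaluation over a constructed, in-memory DNS zone.

Added example for illustration; not code from the original post. The zone,
domains and IP addresses are constructed (RFC 5737 test ranges), and the
relaxed-alignment rule is simplified (see aligned()).
"""
import ipaddress

# Constructed TXT records standing in for live DNS lookups.
ZONE = {
    # Hardened: explicit sender list, hard fail, reject policy, strict DKIM alignment.
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:203.0.113.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    # Weak: softfail and a monitor-only DMARC policy, so spoofs are still delivered.
    "weak.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    # Attacker-controlled lookalike domain with perfectly valid records of its own.
    "example-c0m.net": "v=spf1 ip4:192.0.2.77 -all",
    "_dmarc.example-c0m.net": "v=DMARC1; p=reject",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, domain, zone=ZONE, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip` (subset of RFC 7208:
    ip4/ip6/include/all mechanisms with qualifiers)."""
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    record = zone.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # A v6 address tested against a v4 network (or vice versa) simply does not match.
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(sender_ip, term[8:], zone, depth + 1) == "pass"
        else:
            matched = False             # unsupported mechanism: ignored (simplification)
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # RFC 7208 default when nothing matches


def dmarc_record(domain, zone=ZONE):
    """Parse the _dmarc TXT record of `domain` into a tag dict, or None if absent."""
    record = zone.get("_dmarc." + domain.lower())
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in tags}


def aligned(header_from_domain, authenticated_domain, mode):
    """DMARC identifier alignment. Strict ('s') requires an exact match; the
    relaxed ('r') rule here compares the last two labels, an assumption that
    stands in for the public suffix list a real implementation would use."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    if mode == "s":
        return a == b
    return a.split(".")[-2:] == b.split(".")[-2:]


def dmarc_evaluate(header_from_domain, mail_from_domain, sender_ip,
                   dkim_domain=None, dkim_result="none", zone=ZONE):
    """Return (dmarc_result, disposition) for one message, as a receiving MTA would."""
    policy = dmarc_record(header_from_domain, zone)
    if policy is None:
        return ("none", "deliver")      # no policy published: nothing to enforce
    spf_pass = (spf_check(sender_ip, mail_from_domain, zone) == "pass"
                and aligned(header_from_domain, mail_from_domain, policy.get("aspf", "r")))
    dkim_pass = (dkim_result == "pass" and dkim_domain is not None
                 and aligned(header_from_domain, dkim_domain, policy.get("adkim", "r")))
    if spf_pass or dkim_pass:
        return ("pass", "deliver")
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", disposition.get(policy.get("p", "none"), "deliver"))


if __name__ == "__main__":
    cases = [
        ("legit CEO mail from own MTA", ("example.com", "example.com", "198.51.100.25", "example.com", "pass")),
        ("legit mail via provider (include)", ("example.com", "example.com", "203.0.113.10")),
        ("spoofed CEO, hardened domain", ("example.com", "example.com", "192.0.2.77")),
        ("spoofed CEO, weak domain", ("weak.example", "weak.example", "192.0.2.77")),
        ("lookalike domain, attacker's records", ("example-c0m.net", "example-c0m.net", "192.0.2.77")),
    ]
    for label, args in cases:
        print(f"{label:40s} -> {dmarc_evaluate(*args)}")
```

The last case is the one to notice: the attacker publishes correct SPF and DMARC records for their own lookalike domain, every check passes, and only a human or a detection layer that spots the display name, the lookalike spelling or the unusual wire request will stop the message.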