Cybersecurity’s most trusted, annual state-of-the-industry benchmark has been released: the 2021 Verizon Data Breach Investigations Report (DBIR). In this post we’ve teased out some key 2021 DBIR insights that expose the human root causes of hacks and attacks during what was an extraordinary pandemic year.
Lucky for you: we read all 119 pages… so you don’t have to!
On the topic of human risk in the enterprise, here’s what we found out.
It is not a coincidence that the word “error” is mentioned 73 times in the 2021 DBIR. To err is human, and people make mistakes that often pave a path of least resistance for bad actors. In fact, 85% of breaches involved a human element. There is a lot to digest in our review of 2021 DBIR insights, including the astute observation that “credentials are the glazed donut of data types” (pg. 87). Now who doesn’t love donuts?
Elevate Security is honored to be a DBIR contributor for the second year in a row. We’ve unpacked this massive treasure trove of data to shed light on the current state of the human attack surface, obvious gaps in defensive strategies, and what it means for industries moving forward.
What is the Current State of the Human Attack Surface?
The 2021 DBIR team updated its incident and breach patterns, offering a new framework for explaining the threat landscape. Patterns like Denial of Service, Lost/Stolen Assets, and Privilege Misuse remain prominent, while Social Engineering and System Intrusion are newly added.
We believe that the elephant in the room is the human attack surface, i.e. end users with varying access and privileges who click on links, upload sensitive documents, visit inappropriate websites, etc. Even with this refined lens, employee mistakes continue to top the list for five out of the eight breach patterns – Social Engineering, Basic Web Application Attacks, System Intrusion, Miscellaneous Errors, and Lost/Stolen Assets.
Here are some at-a-glance 2021 DBIR insights to help you digest the breadth and scope of these five challenges:
- 85% of breaches involve the human element
- 61% of breaches involve stolen credentials
- 50% of breaches include mistakes by system admins, who enjoy greater access and privileges, potentially worsening their impact
- 15X increase in misrepresentation through social engineering, resulting in credential theft
- 10% of breaches involved ransomware, double its frequency in last year's report
Employees are the new security perimeter. In fact, a key 2021 DBIR insight acknowledges this quite plainly when it recommends, “Why not cultivate your employees to be your early warning system when it can have a great return on investment?” (pg. 24). If we want next year’s report to show anything other than the trends it has followed for the past decade, then it is clear that we must chart a new path.
2021 DBIR Insight: There is a Gap in Cyber Defense Strategy
There is a huge security gap caused by employees’ actions, their access, and the frequency with which they are attacked. You can chalk this up to outdated perspectives such as “humans will always be our weakest link”. Regardless of how the 2021 DBIR slices the data (by region, industry and even classification), it is clear, and always has been, that current defensive approaches – training and phishing simulations – are failing to protect the human attack surface.
Digging deeper into this finding, the report explains that not all phishing sims are created equal. The click rate varies depending on the template, which may or may not be compelling enough for employees to click. “In a sample of 1,148 people who received real and simulated phishes, none of them clicked the simulated phish, but 2.5% clicked the real phishing email.” Phishing simulations and training alone are not an effective strategy.
For more data and insights on this topic: check out Cyentia Institute’s first annual study on human cybersecurity risk in the workplace, produced in partnership with Elevate Security.
2021 DBIR Insight: What It Means Moving Forward
The data in this year’s DBIR makes it clear: it’s time to defend and reduce the security gaps caused by human actions, access levels, and the attacks aimed at employees. This is what we define as the human attack surface. Cybersecurity’s biggest unsolved problem – human error – requires an intelligent, customized, and automated response to employee risk that can scale across the enterprise. It’s time the industry completely reframed its approach to dealing with incidents, rather than relying on training and phishing simulations alone.
Focus on what employees do, not what they know, because that is what matters. Based on key 2021 DBIR insights, we recommend that mitigating human error become a front-and-center consideration when defining security controls for employees.
In fact, Human Attack Surface Management should be a key part of your overall cybersecurity strategy.
The Elevate Security Platform ingests the entirety of an organization’s data to gain benchmarked visibility into human error, enabling CISOs to proactively tailor security controls and create ‘safety nets’ for the riskiest employees.
Check out our demo to learn more.