
Earlier this month, Verizon released the 2023 Data Breach Investigations Report (DBIR). The findings, while significant, were hardly shocking:
- “83% of breaches involved external actors—with the majority being financially motivated.”
- “74% of breaches involved the human element, which includes social engineering attacks, errors or misuse.”
- “49% of breaches by external actors involved use of stolen credentials”
Why are these brand-new insights unsurprising? Since the inception of the Verizon DBIR, the human element has been the biggest contributor to data breaches. And that hasn’t changed—the percentage of human risk has historically hovered around 80% since Verizon first started tracking this statistic. The reality is, we haven’t done enough as an industry to attempt to drive that number down.
“If the human element continues to be the highest contributor to data breaches, we need to take a fresh look and figure out how best to take a different approach than we have in the past,” said Robert Fly, Elevate Security’s CEO and Co-Founder. “If we don’t, every future Verizon DBIR will look the same.”
The Critical Role of Human Risk Data
“74% of breaches are due to human error. We’re missing the mark as an industry if we’re not truly understanding why and by whom those breaches are occurring. With hybrid workforces, we’ve hit a peak where people have become the primary attack vector,” continued Fly.
As the sole provider of pure human risk data to the Verizon DBIR for the past three years, Elevate Security supplies data that allows the industry to dig in and understand where 74% of the breaches are taking place. We provide billions of anonymized records indicating adversary attack patterns and the cohorts of individuals most likely to cause account compromise, data loss and phishing risks.
New this year, 50% of all social engineering attacks are pretexting incidents. This is double that of prior years and aligns with Elevate data showing that adversaries are heavily targeting individuals, especially those with high levels of access. In fact, last year Elevate saw a 2.5x increase in attacks against engineers, with Customer Support departments exhibiting the riskiest overall behavior. These attacks continue to become more sophisticated and more targeted at those with the most access.
Today’s Threat Actors, Their Targets, & Motivations
As presented in the 2023 Verizon DBIR, 83% of breaches involve external attackers. The question is who are they targeting, how, and why? The answer is simple: the most privileged users, with social engineering tactics and phishing, for financial gain. According to Verizon, “the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches.”
Today’s cyber attackers get to know a lot about our employees as they dig up information on individuals through a variety of means, including social media sites like LinkedIn. The public information they gather by simply looking at an individual’s profile gives them not only cues to that person’s role and access, but also information useful in a social engineering attack.
“Threat actors are hyper-focusing on attacking the individuals who have a lot of access to a company’s private data and systems, which is leading to the increase in attacks against folks who are privileged,” said Fly.
These attackers are looking for personal information, credentials, and internal and financial data, with a plan to exploit human risk and profit from this data.
“As we saw in the DBIR stats, successful attackers are moving away from ‘spray-and-pray’ attacks, where they’re trying to hit up as many people as they possibly can. Now, they’re focusing on really hyper-targeted attacks against key privileged users who have high levels of access,” said Fly. “And because of those privileges, they’re trying to gain access to those individuals’ accounts so that they can take advantage of the visibility, data, and applications that those folks have access to.”
A Data-Driven Approach to Mitigate Human Risk
Cyber attacks on individuals are becoming more sophisticated, more urgent, and harder to avoid, even for the best-trained and most knowledgeable employees. More than ever, security teams cannot fully rely on employees to always take appropriate action on threats that get past their security technology. Relying on the old approach of annual awareness videos to protect against human risk has never worked, and it is even more futile in the current threat landscape.
“Training people to avoid phishing, as we have in the past, is not going to resolve these issues,” said Kirby Wadsworth, Elevate’s Chief Marketing Officer. “For the more complicated ones in the future, we’re going to need better protections. And we’re going to need a better understanding of where the real weaknesses and vulnerabilities are in our population.”
Elevate Security Provides Deep Insight into Human Risk
Elevate Security provides you with a clear understanding of which individuals in your organization are at risk. Our platform precisely identifies and highlights those who pose a higher risk within your organization based on their actions and the frequency of attacks they experience. By targeting and focusing on these individuals, you can implement appropriate protective measures to mitigate the risks effectively.
“We see up to a 70% reduction across our customers in account compromise, phishing, data loss risks,” explained Fly. “By predictively understanding who in an organization is at risk and applying proactive responses, organizations can see similar reductions in their risk profiles.”
Final Thoughts
Taking a data-driven approach to mitigate human risk is crucial in the ever-evolving landscape of cybersecurity. The insights from the 2023 Verizon DBIR emphasize the persistently high contribution of the human element to data breaches, underscoring the need for a fresh perspective.
Elevate Security’s provision of pure human risk data allows organizations to delve into the root causes of breaches, understanding where vulnerabilities lie and who is most at risk of triggering an incident. By leveraging this knowledge and targeting high-risk individuals, organizations can implement tailored protections to safeguard these users and keep threat actors out.