An annual report investigating trends in data breaches analyzes data from nearly 80,000 security incidents and more than 2,000 data compromises from 61 countries. While the report acknowledges that malicious hackers are finding ever more sophisticated ways to gain access to an organization’s critical data, the majority of attacks still rely on phishing and hacking. The report also indicates that organizations can decrease their risks by prioritizing their approach to information security.

Below are some key takeaways from the report:

  • Employee awareness is critical. Whether it is becoming a victim of a phishing scam, theft, or abusing work-related privileges, employees account for a large number of data breaches. The report found the following:
    • Phishing attacks still account for more than 20% of security incidents. In fact, according to the report, “a campaign of 10 emails yields a greater than 90% chance that at least one person will become the criminal’s prey.” Conducting employee awareness campaigns and trainings regarding phishing can be one of the most effective ways to reduce the threat of data breaches resulting from phishing campaigns. One organization that contributed to the report indicated that their employees are an active defense against phishing, detecting approximately 10% of threats. The report also indicates that the employees most likely to become victims of phishing are those whose jobs entail managing a high volume of email, such as employees who work in communication, legal, and customer service. Employee awareness campaigns should take this information into account.
    • More than half of thefts of physical devices occurred within an employee’s work area. More than 20% of the thefts involved devices taken from an employee’s vehicle. A non-trivial number of thefts take days to discover. Organizations should make it easy for employees to report the loss or theft of any physical device to mitigate the potential damage.
    • More than half of insider incidents involved abuse of privileges. Organizations should think about which employees really need access to sensitive data and critical systems before granting access.
  • Keep software updated. According to the report, when it comes to known software vulnerabilities, 97% of exploitations came from only ten known vulnerabilities. In fact, more than 99.9% of successful exploitations used vulnerabilities for which software update patch fixes were available for more than a year. Making sure that software patches are deployed regularly can result in a substantial decrease in risk from known vulnerabilities.
  • A breach may have more than one target. The report found that nearly 70% of threatened or actual data breaches where the motive was known occurred as a way to gain access to a secondary target. For example, sometimes a data breach begins with an email phishing attack on a vendor that does work for the target company. Organizations should require vendors to use and maintain good information security practices.

While no information security strategy guarantees protection against all data breaches, the report shows that a large portion of data breach risks can be mitigated by implementing some very straightforward strategies.