Article by Christopher Lauder, Delegate Relationship Executive, Rela8 Group
Human Error: The Main Cause of Breaches – Verizon Report
Recently, Verizon have released their 2022 Data Breach Investigations Report (DBIR). This is the fifteenth issue of their annual report, which aims to provide an analysis of security breaches and attack vectors from the past year. To achieve this aim, the report analysed more than 5212 breaches and 23,896 security incidents.
The main findings from the report were that cyber attackers have four key paths into enterprise estates: credentials, phishing, exploiting vulnerabilities and malicious botnets. Hackers will generally use these four paths to exploit human error, which was the reason for 82% of attacks this year.
The report explains that 97% of firms have reported being negatively impacted by a supply chain security breach in the past. The report found that hackers tend to exploit human error to get initial access, particularly using phishing scams.
Commenting on the report, Gabriel Bassett, Senior Information Security Data Scientist on Verizon’s Security Research Team, says:
“Breaches beget breaches. Breaches at a partner can lead to your own breach, as with supply chain breaches. Access paths can be acquired by threat actors and sold on criminal marketplaces.”
Mike Newman, CEO of My1Login, comments:
“The Verizon DBIR provides further evidence around the dangers credentials present to organisations. Not only are they the root cause of most data breaches, but they are also a top target for cybercriminals to steal when carrying out attacks. The reasons for this are simple: when attackers have credentials, they have access, and with that access, they can monetise.”
Verizon lists the following as the key findings from their report:
- Year over year ransomware attacks increased by 13 percent, a jump greater than the past five years combined.
- Roughly 4 in 5 breaches can be attributed to organized crime, with external actors approximately 4 times more likely to cause breaches in an organization than internal actors.
- The human element was involved in 82 percent of all breaches analysed over the past year.
You can read the full report, which is linked below, for more information.
UK Government Looking for Views
Moving over to the United Kingdom, the Government has issued a press release from the Department for Digital, Culture, Media and Sport (DCMS). This press release comes as the Government looks to strengthen the security and resilience of the UK’s data infrastructure to protect against outages and national security threats.
The UK government is launching a call for views and inviting contributions from data centre operators, cloud platform providers, data centre customers, security and equipment suppliers and cyber security experts to understand the risks data storage and processing services face. It wants to know what steps they are already taking to address any security and resilience vulnerabilities.
The call for views will also ask companies which run, purchase, or rent any element of a data centre to provide details of the types of customers they serve.
Based on the evidence, the DCMS will decide whether any additional government support or management is needed to minimise the risks that data storage and processing infrastructure face. The work is part of the government’s National Data Strategy to ensure the security and resilience of the infrastructure on which data relies.
A link to the Call For Views, as well as a link to the National Data Strategy, can be found below.
Source - UK Government Call For Views - Gov
Source - National Data Strategy - Gov
Millions of users of Meta products, including Facebook and Instagram, are to receive notifications of the firm's updated privacy policies. Meta says the changes are designed to make it easier to understand how customers' information is used. This comes after Meta was previously criticised by regulators and campaigners over its use of customers' data. WhatsApp and some other Meta products are not covered by the update.
Meta says the changes won't allow it to "collect, use or share your data in new ways".
There are, however, two changes to the way that users can control how their information is processed. Firstly, a new setting will give people more control over who can see their posts by default. Secondly, existing controls over which adverts users can see are consolidated into a single interface.
Michel Protti, Meta's Chief Privacy Officer, said in a blog post that Meta wanted "to better explain what is expected from us and those who use our platforms". He said that would include when the company may disable or terminate accounts, and extra details about what happens when an account is deleted.
Meta says it is also providing more details about the types of third parties with whom it shares and receives information, and how data is shared between its products. Users do not need to do anything in response to the policy updates to keep using Meta products, but the company says people who do not want to accept the changes "are free to leave our services".