Human error is a leading cause of cyber security breaches, Verizon report finds

The 2022 Verizon Data Breach Investigations Report (DBIR) has been released; the study analyses the security breaches and attack vectors seen over the past year.

The report analysed 23,896 security incidents, of which 5,212 were confirmed data breaches. Its main finding is that attackers have four key paths into enterprise estates: stolen credentials, phishing, exploitation of vulnerabilities and botnets.

Attackers typically use these paths to exploit the human element (social engineering, error and misuse), which the report found was involved in 82% of breaches this year. The report also states that 97% of firms have reported being negatively impacted by a supply chain security breach in the past.

The report found that attackers tend to exploit human error to gain initial access, particularly through phishing.

Gabriel Bassett, Senior Information Security Data Scientist on Verizon’s Security Research Team, puts it this way: “Breaches beget breaches. Breaches at a partner can lead to your own breach, as with supply chain breaches. Access paths can be acquired by threat actors and sold on criminal marketplaces.”

Bassett also said that deploying controls against the four access paths, such as two-factor authentication and providing employees with password managers, can stop attackers from breaching an organisation. He concluded that the most important defence against attackers is efficiency.

Industry reactions

Mark Lamb, CEO of HighGround.io, comments: “The stats from Verizon’s latest DBIR are not massively surprising. I think most people would agree we are seeing a huge rise in ransomware, and that phishing, stolen credentials, misconfigurations and insiders remain the primary cause of breaches.

“I think the most important lesson for businesses to take away from the study is that prioritising defences against these attacks is essential because clearly none of them are going away anytime soon. In fact, they are all likely to get worse.

“Of course, practising good cyber hygiene and employing robust security tools are essential defences, but one of the biggest challenges that often leaves businesses weakest is they don’t fully understand their actual cybersecurity posture. They deploy security tools and carry out training, but they don’t have an easy and accessible way to understand how they are helping reduce their risk, or if weaknesses still exist within their infrastructure that could be exploited maliciously.

“As a result, this is a key issue businesses need to address today. To fully defend against attacks and be confident in their security programs, they need to have a clear understanding of how their security and teams are responding to threats, or if there are unforeseen weaknesses that could actually be putting them at harm.”

Mike Newman, CEO of My1Login, comments: “The Verizon DBIR provides further evidence around the dangers credentials present to organisations. Not only are they the root cause of most data breaches, but they are also a top target for cybercriminals to steal when carrying out attacks. The reasons for this are simple: when attackers have credentials, they have access, and with that access, they can monetise.

“When it comes to combating the threat, enforcing better password practices and running training on phishing and cybercrime are all valid methods, but they very rarely remove the problem entirely. Some employees will still use weak passwords, while others will continue to recycle the same password they have been using for years. The bad news is it only takes one set of valid credentials to breach an organisation.

“Eliminating potential attack vectors through passwordless security and removing passwords from the hands of users where they are still required is a great way to combat this risk. This means credentials can’t be stolen, leaked or socially engineered out of victims, which offers immense security benefits to all businesses, while reducing their vulnerability to data breaches and ransomware.”