The next data breach to expose your info probably won’t involve an elite hacker sharpening some code to drill into a company’s system. Instead, the attacker may just ask the right people nicely in an ordinary-looking email.
Social engineering, the hacking art of persuading victims to do your work for you, is not a new thing. But as Verizon’s 2023 Data Breach Investigations Report attests, the tactic still works.
This annual project of Verizon’s Threat Research Advisory Center—based on an analysis of 16,312 security incidents categorized by VTRAC and partner organizations between Nov. 1, 2021, and Oct. 31, 2022, of which 5,199 rated as data breaches—found that a full 74% of those breaches involved human action.
That category can include such human failings as user errors (with the top mistake there “sending something to the wrong recipient”) and employees abusing privileges (usually maliciously). But the report leads off by noting that persuasively crafted emails to the right executives can be especially effective in getting recipients to hand over login credentials or even directly send money.
The term of art for that kind of pretexting attack is business email compromise—often abbreviated as “BEC,” although we would prefer to see that shorthand reserved for “bacon egg and cheese.” Verizon’s researchers found that it represented more than half of the social-engineering incidents.
The good news in this 89-page, often cheekily written report—also available as an 18-page executive summary and in infographic form—is that another common corporate plague, ransomware, may have peaked. The new report has ransomware figuring in 24% of breaches, just about the same share as in the previous release.
And while Chinese, Russian and other foreign-government attackers get a lot of attention for their possible use of hacking as a tool of national policy, Verizon’s report suggests that most companies should not feel geopolitical angst. Instead, most of their adversaries are only in it for the money: “Financial motives still drive the vast majority of breaches,” the report says, estimating that they led to 94.6% of breaches.
The report, the latest in a series that Verizon has been publishing for more than a decade, doesn’t break new ground in its brief list of recommendations. Those cover such basics as conducting regular security training (hopefully not the punitive kind that people hate), setting up multi-factor authentication (the report misses an opportunity to endorse such phishing-proof forms as USB security keys and biometrically secured passkeys), and having a defined incident-response process.
At a panel Tuesday morning hosted at one of Verizon’s Washington offices, Chris Novak, managing director of cybersecurity consulting at the company and also a member of the Cybersecurity and Infrastructure Security Agency’s advisory board, expanded on that advice.
Asked about one defense against data breaches that escaped mention in the report—retaining less data to reduce the consequences of one, a basic step that some proposed privacy legislation would mandate—Novak pointed to the payment-card industry as a good adopter of data-minimization practices.
“We've seen that industry make great strides,” he said. “I think that notion is starting to spread to other industries.”
Novak added that while companies should ask themselves what data they need and how long they need to keep it, they shouldn’t forget to map that information’s path: “There's also an element of being aware where that data goes.”
He also emphasized that attacks targeting human vulnerabilities—what he called “belly button breaches”—often can’t be fixed with technology as long as somebody can be convinced to dial down one of those defenses.
That somebody might be a senior executive who doesn’t want to be bothered with more stringent security, he said: “We don't want to inconvenience them, so we allow them to have an easy password.”
As Novak observed: “Trying to change human behavior is hard.”