90% of security incidents are still caused by PEBKAC and ID10T errors, according to Verizon's 2015 Data Breach Investigations Report. Phishing attacks are a prime example of how the problem exists between keyboard and user, as the DBIR said it takes a mere one minute and 22 seconds after a phishing email is sent before the first victim clicks on the tainted link.

“Apparently, hackers really do still party like it’s 1999,” Verizon said in its 2015 Data Breach Investigations Report (DBIR) regarding how often really old vulnerabilities are exploited and result in data breaches. But the real problem is you. It’s me. It’s each and every one of us, as the breakdown of security incidents in 2014 revealed that the “common denominator—accounting for nearly 90% of all incidents—is people.” Oldies are still goodies, as the Verizon team added:

Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns. At this point, take your index finger, place it on your chest, and repeat “I am the problem,” as long as it takes to believe it. Good—the first step to recovery is admitting the problem.

When it comes to phishing attacks, the Verizon team found that 23% of users open phishing emails and 11% take the extra PEBKAC step of actually clicking on the attachment. Even a small phishing campaign of 10 emails has a 90% chance of hooking at least one victim. IT folks have a tiny window to react to phishing attacks, as the average time between the email being sent and the first person clicking on the link is a mere one minute and 22 seconds.
Don’t forget to patch old vulnerabilities

According to the report, “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” It’s a mistake for any vulnerability management program to ignore the really old CVEs (Common Vulnerabilities and Exposures), since some successful cyberattacks in 2014 exploited vulnerabilities dating back to 1999. A good vulnerability management program should include a “broad coverage of the ‘oldies but goodies.’ Just because a CVE gets old doesn’t mean it goes out of style with the exploit crowd.”

“Ten CVEs account for almost 97% of the exploits observed in 2014,” the report states. “While that’s a pretty amazing statistic, don’t be lulled into thinking you’ve found an easy way out of the vulnerability remediation rodeo. Prioritization will definitely help from a risk-cutting perspective, but beyond the top 10 are 7 million other exploited vulnerabilities that may need to be ridden down.”

Yet Verizon pointed out that, other than the CVSS (Common Vulnerability Scoring System) score, there is another attribute of a “critical” vulnerability. “If a vulnerability gets a cool name in the media, it probably falls into this ‘critical vulnerability’ label.” Examples from 2014 included Heartbleed, POODLE, Schannel and Sandworm – all of which were “exploited within a month of CVE publication date.” The lesson isn’t “Which of these should I patch?” The DBIR said the chart above “demonstrates the need for all those stinking patches on all your stinking systems.”

9 security incident categories and top causes of breaches

The report handed the “Captain Obvious award” to the connection between state-affiliated groups and espionage, but cyberespionage was just one of the leading causes of confirmed data breaches in 2014; others in the top spot included Web application attacks, point-of-sale intrusions and crimeware.
As Lucian Constantin pointed out, Verizon “again split security incident patterns into nine categories: crimeware, cyberespionage, denial of service, lost and stolen assets, miscellaneous errors, payment card skimmers, point of sale, privilege misuse and Web applications.” Public administration, financial services, manufacturing, accommodations and retail were the top five industries with confirmed data breaches in 2014.

Breach cost per record

We often hear bloated billion-dollar figures as the true cost of cybercrime; in the eighth year of publishing its DBIR, Verizon not only took aim at the cost of breaches but also challenged ridiculously overblown breach cost estimates. For example, $201 per record was the estimated cost per record lost in a breach according to a 2014 Ponemon Institute study. Yet Verizon found the average cost to be 58 cents per record. Part of the problem lies in the way cost-per-record is derived: while smaller breaches cost more per record, larger breaches of 100 million or more records could cost as little as “just a penny or two” per record. Using a new breach-cost model, the DBIR “forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000, with 95% confidence.” Uncertainty about the real cost increases as the record volume increases, giving a wide range of predicted loss estimates, as seen in the DBIR table. While optimists would look at the column on the left, “FUDmongers” would point at the highest cost-per-record breach estimates on the right.

Mobile malware worries shouldn’t cause insomnia in cybersecurity pros

When you add up the golden oldies being exploited, the cost per record in a breach and other interesting data in Verizon’s DBIR, might that contribute to why two-thirds of cybersecurity professionals suffer from insomnia?
According to a Ponemon Institute survey, those cybersecurity pros “are being kept awake at night because they do not know the location of sensitive data;” they also worry over using less-trusted “temporary contract workers” and “migrations to mobile or cloud platforms which can often put data at risk.” For any pros stressing over mobile malware in a BYOD world, Verizon’s DBIR stated, “I got 99 problems and mobile malware isn’t even 1% of them.” Sure, there’s annoying stuff like adware that Verizon called “adnoyance-ware,” but in reality the number of mobile devices “infected with truly malicious exploits was negligible.” There was almost no iOS data-stealing malware detected and, “out of tens of millions of mobile devices” analyzed, only 0.03% of Android devices were hit by info-stealing malware. So while you might see “mobile” threats hyped a lot at security conferences, “mobile devices are not a preferred vector in data breaches.”
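Returning to the report's patching advice: the triage rule below is an added illustration, not code from Verizon or this article, of a vulnerability queue that never drops a CVE for being old. It assumes a constructed list of scan findings with placeholder CVE ids and a "known exploited" flag that a real program would source from its own incident or exploit-traffic data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder ids below, not real CVE numbers
    cvss: float            # CVSS base score
    published: date        # CVE publication date
    known_exploited: bool  # seen being exploited (exploit traffic, incident data)

def age_days(f: Finding, today: date) -> int:
    return (today - f.published).days

def priority_key(f: Finding, today: date):
    # Sort key (smaller sorts first). Known-exploited CVEs outrank everything,
    # regardless of age; then higher CVSS; then the *older* CVE wins the tie.
    # Age is treated as an exposure multiplier, never as a reason to drop a
    # finding, since 99.9% of exploited CVEs were over a year old at the time.
    return (0 if f.known_exploited else 1, -f.cvss, -age_days(f, today))

def remediation_order(findings, today):
    return [f.cve for f in sorted(findings, key=lambda f: priority_key(f, today))]

def stale_but_exploited(findings, today, min_age_days=365):
    # What a "recent CVEs only" policy would have silently dropped.
    return [f.cve for f in findings
            if f.known_exploited and age_days(f, today) > min_age_days]

# Constructed scan findings (hypothetical, not from the DBIR); "today" is
# fixed so the example is reproducible.
TODAY = date(2015, 4, 15)
SAMPLE_FINDINGS = [
    Finding("CVE-1999-PLACEHOLDER-A", 7.5, date(1999, 6, 1), True),
    Finding("CVE-2014-PLACEHOLDER-B", 5.0, date(2014, 4, 7), True),
    Finding("CVE-2014-PLACEHOLDER-C", 9.8, date(2014, 11, 1), False),
    Finding("CVE-2010-PLACEHOLDER-D", 9.8, date(2010, 3, 1), False),
]

if __name__ == "__main__":
    print(remediation_order(SAMPLE_FINDINGS, TODAY))
    print(stale_but_exploited(SAMPLE_FINDINGS, TODAY))
```

The 1999 finding lands at the top of the queue despite its middling CVSS score, and the two old-but-exploited CVEs are exactly the ones an age cutoff would have hidden.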