Verizon's Data Breach Digest for 2017 once again has employees "front and centre" in the battle against cyber breaches.
It's no secret that cyber security incidents are getting more complex. New ways of working, including mobile and cloud use, are increasing the "attack surface" for many organisations, making breaches harder to detect, let alone counter. And new hacking technologies such as dormant ransomware and signatureless viruses add to the headaches faced by security officers.
But it is people - IT workers, contractors, supplier employees, professional advisors, board directors, and employees generally - who are, directly or indirectly, the cause of most major breaches and who, almost by definition, are therefore a big part of the solution.
Verizon's second Data Breach Digest outlines the details of 16 very different breaches, bringing to life the reality of how breaches happen. Each of these stories is told from the perspective of a different stakeholder such as corporate communications, compliance or HR. And each of these stories represents a threat that is either very common (ten of the cases represent 60% of the 1400 cases investigated by Verizon over the last 3 years) or highly damaging.
The report groups the cases into four areas: cases where individual people play a major role; cases where an insecure device (or a device used insecurely) acts as a conduit for an attacker; cases where the configuration of IT systems has been weakly implemented; and cases where malicious software has simply overcome the defences. All of the cases are based on real-life incidents although unsurprisingly they are anonymised.
To give a flavour of the document, one particularly interesting case involves a university campus that suffered an attack on its network of Internet of Things devices including vending machines and lampposts. Weak passwords meant that the attackers were able to take over substantial parts of the network of IoT systems and in effect mount an internal DDoS attack, causing serious damage to the speed of internet connections on the campus. The hackers weren't so clever though. While they were able to break the passwords used on the IoT devices and then change them, they sent these changed passwords around the network in an unencrypted form - enabling the defenders to regain control by changing the passwords again.
Each case is easy to read and will only take 10 minutes or so to study properly. Typically they start with an introduction where the nature of the incident is described. The case then explores the response to the incident and how it was managed. And to finish, practical tips about how to mitigate and respond to similar incidents are given.
This is a fascinating document. Senior executives should print off the different scenarios and take one home with them each night to read in the bath. It will open their eyes to the risks they face and give them practical ideas about how best they should go about managing those risks.
Verizon's second Data Breach Digest (2017) is available to download here.