Chris Novak, senior director of cybersecurity consulting at Verizon Business, said there’s at least one optimistic finding in his company’s 2024 Data Breach Investigations Report (DBIR), an annual study pointing out a year’s worth of breaches, extortion, ransomware, human deception, and other dark cyberactivity: More people are acing the phishing test.
While the report revealed rather alarming data, like a year-over-year near-tripling of breaches involving vulnerability exploits, the Verizon team also highlighted an increase in reporting of phishing incidents, even from those who clicked a suspicious link.
“The people who fell victim and the people who didn’t, the reporting from both of those indicate that it’s improved,” Novak told IT Brew.
Way more than one phish, two phish. Verizon’s investigation studied “30,458 real-world security incidents, of which 10,626 were confirmed data breaches,” from the time period of November 1, 2022, to October 31, 2023.
The DBIR also pulled from security-awareness exercise data contributed by Verizon’s partners throughout 2023. More than 20% of the represented users identified and reported phishing on a per-engagement basis. (Just over one in 10 users who clicked a phishing email reported the suspicious message.)
Statistics from the 2024 Verizon Data Breach Investigation Report. (Shared with permission from Verizon.)
“This is another impressive improvement and one that we desperately need in order to catch up with the previous year’s increases in phishing and pretexting,” the Verizon researchers wrote.
Phishing and email-based pretexting, which Verizon defines as “social engineering when someone under false pretenses tries to get your personal information to gain access to your cash and credit,” were the leading cause among the DBIR’s reviewed incidents, accounting for 73% of breaches, according to the report.
Will this be on the test? At the reinsurance company Fortitude Re, VP and CISO Elliott Franklin conducts scheduled phishing tests, using tools from the email security company IRONSCALES. Franklin wants to make sure his employees have a report-first mindset, saying he’s even used incentives like small gift cards for those who notify IT of suspicious messages.
“I try to focus more with the team on rewarding you for the right behavior. Even if you fail, we want you to report it,” Franklin told IT Brew.
According to Verizon’s report, “the human element” factored into 68% of the total breaches; Novak defined this as avoidable action that could have prevented an incident from occurring.
Aaron Walton, a threat intel analyst from the security company Expel, sees far too many phishing emails to be overly reassured by end-user response rates.
“We’re talking about millions upon millions of emails, and attackers generally have an infrastructure to send those out in massive storms. So, even when we do have higher rates of reporting, then it leaves the question: How many are not being reported?” Walton said.
Count Novak as an optimist for now, however.
“A lot of people tend not to report because they think somebody else has already done it, or they’re embarrassed because they fell victim to it,” he said. “But it’s improving, which is, I think, a good sign.”