Human error tops causes of data breaches, says Verizon report

Share post:

Human error continues to be a leading factor in data breaches, according to Verizon’s annual analysis of cyberattacks around the world. That was one of the conclusions of the 2022 Verizon Data Breach Investigations Report, which looked at 23,896 incidents last year, 5,212 of which were confirmed breaches. The data came from 87 cybersecurity vendors, researchers and consultants. Eighty-two per cent of breaches in 2021 involved the human element, the authors found. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” the report says. Mistakes alone were responsible for 14 per cent of breaches. “This finding is heavily influenced by misconfigured cloud storage,” the report adds. It doesn’t say explicitly, but this category would include misconfigured Amazon storage buckets. Among the highlights (or lowlights, depending on your point of view):
  • ransomware has continued its upward trend, making up 25 per cent of breaches, an almost 13 per cent rise over 2022. That’s a rise as big as the past five years combined, the report says.”It’s important to remember that, while ubiquitous and devastating, ransomware by itself is, at its core, a model of monetizing an organization’s access,” the report adds. Blocking the abuse of credentials (stolen or brute-forced), keeping employees from falling for phishing, keeping attackers from exploiting vulnerabilities and blocking botnets are the best ways to thwart ransomware;
  • roughly 4 in 5 breaches can be attributed to organized crime, with external actors approximately four times more likely to cause breaches in an organization than insiders;
  • supply chain attacks were involved in 61 per cent of incidents last year. “Compromising the right partner is a force multiplier for threat actors,” the report noted. One of the best-known supply chain attack in 2021 was the compromise of Kaseya’s VSA platform;
  • system intrusion was the leading cause of 1,638 breaches with confirmed data disclosure in Canada and the U.S.. That was followed by social engineering, and basic web application attacks. And globally, 62 percent of system intrusion incidents came through an organization’s partners;
What should CISOs be doing? Of the Center for Internet Security’s 18 Critical Security Controls, emphasize these five, says the report:
  • Data Protection. This control pertains to the processes and technical controls to identify, classify and securely handle organizational data in all its form. This control helps prevent organizations from accidentally exposing their data through email or misconfigurations;
  • Secure Configuration of Enterprise Assets and Software. This control contains safeguards focused on engineering solutions that are secure from the outset, as opposed to tacking them on later. It offers substantial benefits when it comes to reducing error-based breaches such as misconfiguration and loss of assets by enforcing remote wiping abilities on portable devices;
  • Account Management. This control is very much targeted toward helping organizations manage the access to accounts and is useful against brute force and credential stuffing attacks;
  • Access Control Management. This Control manages the rights and privileges of users and enforces multifactor authentication on key components of the environment, an important defense against the use of stolen credentials;
  • Security Awareness and Skills Training. Considering the prevalence of errors and social engineering in the data, the report’s authors say it is clear that security awareness and technical training are a great place to put some dollars in order to help support your team against a world full of cognitive hazards.
The post Human error tops causes of data breaches, says Verizon report first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Google’s Gemini AI caught scanning private Google Drive documents without permission

Google's Gemini AI has come under fire for scanning private PDF documents in Google Drive without user consent....

Massive AT&T breach in 2022 one of the largest private communications data breaches

AT&T announced a significant data breach affecting nearly all of its mobile phone customers, marking one of the...

Security research team claims to have helped avert a major supply chain attack

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways