One third of all data breaches included some element of social engineering, representing a sharp increase over previous years, according to the 2019 Verizon Data Breach Investigations Report.
More than 70 per cent of the breaches were financially motivated, while a quarter were motivated by the gain of strategic advantage. Nation-state or state-affiliated actors were found to have been involved in nearly 25 per cent of the breaches.
The report analysed nearly 42,000 security incidents, with more than 2000 confirmed data breaches. It found that 16 per cent of the breaches were of public sector entities, 15 per cent were in healthcare and 10 per cent were in the financial industry.
“While hacking and malicious code may be the words that resonate most with people when the term ‘data breach’ is used, there are other threat action categories that have been around much longer and are still ubiquitous,” the report said.
“Social engineering, along with misuse, error and physical, do not rely on the existence of ‘cyber stuff’ and are definitely worth discussing,” it said.
Social engineering attacks were increasingly targeting C-level executives, Verizon Threat Research Advisory Centre senior security consultant Simon Ezard said.
“The finding that stands out for this year’s report is that C-level executives are more likely to be the target of social incidents and social breaches this year compared to last year’s report,” Mr Ezard told InnovationAus.com.
“Those findings correlate with the rising popularity of social engineering and business email compromise,” he said.
“They’re a good target for the attackers, there’s a lack of education maybe around cybersecurity for some targets, and they’re attractive because they potentially have critical infrastructure access. A successful attack might get you an avenue to breach the organisation.”
Social engineering attacks were also targeted at executive assistants, BDIR principal consultant Chris Tappin said.
“Often in companies people will share an assistant, so if you compromise one EA’s laptop and access their emails, then they’ll have three or four senior email accounts,” Mr Tappin said.
“You’ll start seeing people going through email boxes and sending on more emails to gain more access to accounts, and start looking for financial approval emails.” Many of these sorts of social engineering attacks also go unreported, he said.
“It’s the iceberg effect. The real scale of the problem of this nature of attack is that people don’t know how serious it is, and so they aren’t really investigating [the threat] and training staff.
“It’s not really a sexy topic within security, but the bigger threat is someone compromising a financial director’s email accounts and telling them to make a payment. That’s remarkably successful.”
To combat these threats, Australian businesses need to look to the basics, rather than racing to embrace new technologies or seemingly easy fixes, he said.
“You need to work out what the key data is, what the most value is to attackers and for most businesses that is financial transactions. It’s a serious thing. You can’t buy a box with flashing lights, it’s an enormous all round process of awareness training,” Mr Tappin said.
“When people we talk to have a security budget they want to spend it on high tech things to try to protect themselves from certain nations that they think will be compromising their services.
“But the solution is more boring, they need to go through policies, incident response plans and make sure that the backups are working properly.”
Local businesses have a long way to go in improving on these basics and the general awareness of their employees.
“We see people that have no idea, that haven’t got an IT person and have a completely flat network structure,” Mr Tappin said.
“It really highlights the difference between businesses in the same sector of the same size. One is doing security really well and one doesn’t have a clue, and it’s just a matter of time until they run into serious issues,” he said.
“There’s always more that can be done around awareness – people and processes are the ones we would want more focus on.”
There has been a sharp increase in the number of reports in Australia since the launch of the Mandatory Notifiable Data Breach scheme in 2017.
“It took a little while for organisations to step up to the Notifiable Data Breach scheme. I think initially some organisations were a little bit far behind in terms of being prepared and updating their plans, but that’s changed in the second half of last year and moving forward this year,” Mr Ezard said.