Human error and simple phishing attacks are to blame for more public sector data breaches than sophisticated hackers.
This is one of the takeaways for federal cybersecurity officials from Verizon’s 2016 Data Breach Intelligence Investigations Report. Released to the public on Wednesday, the report often serves as a bellwether for tracking changes in how data breaches occur and what type of attacks are being used.
This year, the company examined over 100,000 security incidents (defined as an event that compromises the integrity, confidentiality or availability of an information asset) and 2,260 confirmed data breaches (an incident that results in the confirmed disclosure of data to an unauthorized party) in 82 countries.
Of those incidents, the public sector was the runaway leader, with 47,237 incidents and 193 breaches — but report authors caution that doesn’t mean their cybersecurity is the worst.
According to Verizon, 99 percent of public sector security incidents can be attributed to one of five categories: Crimeware, miscellaneous errors, privilege misuse, stolen assets and what the company calls “everything else.”
In an interview, Verizon Senior Information Security Data Scientist Gabe Bassett said the “everything else” category is mainly hacks that exhibit botnet-type behavior, like automated phishing attacks. Bassett said the figures show that most of the time, agencies are not facing elite teams of cyberspies, but run-of-the-mill online crooks who hope to score a few hits by launching a huge number of automated attacks.
“The attackers usually aren’t some Bobby Fischer, AlphaGo type, they are just a normal person most of the time,” Bassett said. “They have a great opening move, but it’s just a guy doing his job.”
Bassett also said acts like “misdelivery” — sending data to the wrong person or poor credential checks — accounting for a good chunk of the incidents Verizon tallied in the report.
And the large number of incidents and breaches the report tallies doesn’t mean the public sector has worse cybersecurity than other sectors. Bassett says the company has so much incident data from the public sector because of mandatory reporting requirements that typically don’t apply in the private or non-government sectors.
“I don’t think the government makes more errors or loses more assets than anyone else,” he told FedScoop. “I think [the public sector] has reporting requirements and actually has to be honest about what is happening. The same things are happening in other industries. It’s just that the government is the one reporting it.”
Be it a nation-state attack or a simple phishing campaign, Bassett said what cybersecurity officials can take from the report is that even basic measures, such as implementing two-factor authentication or doing a better job of cataloging assets, can go a long way to hardening defenses. After spending nearly a decade inside the Pentagon, Bassett understands how paperwork can serve as an impediment to actually getting security initiatives off the ground.
“It’s so easy to get bogged down in the standard paperwork and the repetitive process of signing accreditation and building plan of action and milestones for how we are going to fix things. It’s easy to say ‘Look, I just can’t get anything done,” Bassett said. “The reality is the bad guy isn’t that omniscient attacker that can do anything they want and we can’t do anything ourselves. Even the most basic person who is doing the simplest job in the government can make a difference and push for that initiative that makes it a little harder for the attacker.”
The full report is available on Verizon’s website.