Data breaches are still far too easy to pull off thanks to avoidable security failings, consultancy Verizon has concluded in its ninth annual Data Breach Investigations Report (DBIR) which draws on the firm's analysis of 2,260 real-world breaches in 85 countries during 2015.
In years gone by, Verizon's report -- still the most authoritative analysis of global data breaches -- was about the swelling volume of incidents, but as more and more have been publicly disclosed that has almost become a secondary issue. These days, the relevant questions are whether organisations are doing enough to stop them and whether enough of them even care.
Data breaches are now routine, a global condition consumers and companies simply accept as part of life. As if to ram that point home, on the day the company started briefing journalists about the DBIR, a security researcher reported finding an exposed database holding the records of 93 million Mexican voters on an Amazon Web Services server.
Ninety-three million people breached. Security watchers shrugged despite the possibly serious consequences of leaking voter numbers, names, addresses and birth dates in a country infamous for kidnapping.
Data breaches 2016 - the same problem everywhere
Most of the data breaches studied by Verizon entered its log from the US, the country where most of its customers are. However, the firm is adamant that the patterns that underlie breaches are universal across the world, across sector and across different sizes of organisation. Assuming that one country or sector is an exception to the rule would be unwise.
"We see the same things everywhere. The things we see in the US we see in EMEA and APAC," says Verizon's managing principal for investigative response, Laurence Dine.
Phishing is too easy
It's easy to get lost in numbers, but some unsettling facts jump out of Verizon's report. In more than nine in ten successful data breaches the initial compromise took minutes, while discovery took weeks or even months. That is a gap defenders cannot realistically close under any circumstances, which is why the reasons behind it are the more interesting question.
Verizon documented nearly 10,000 incidents (including 916 confirmed data breaches) in which the attack began with a simple phishing campaign, almost all of them emails where a recipient inside the victim organisation clicked on a malicious link or attachment. The irony is not lost on the researchers: the attackers are reaching employees more effectively than the security teams of the organisations they work for. Verizon estimates that around 30 percent of phishing messages are opened, and that 12 percent of recipients go on to click where the attackers want them to.
After a decade or more as an everyday technique, phishing still works. A generation of filtering systems, gateways, anti-malware software and endpoint monitoring systems seems not to have made much difference. Organisations are still getting owned, and it is hard to be optimistic that the trend will look any better when Verizon compiles its 2016 numbers for next year's DBIR.