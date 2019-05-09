article

A major motivating factor in triggering data breaches is money, plain and simple. Hackers want to make money from breaches, and this was a key finding in Verizon's 2019 Data Breach Investigations Report, released yesterday. The company studied 41,686 security incidents and more than 2,000 data breaches, and found that 71 percent of breaches were financially motivated. It also found that a large number of these attacks were social engineering attempts aimed at C-suite executives, who were 12 times more likely to experience a social engineering incident than they were in Verizon's 2018 Data Breach Investigations Report. A common form of these attacks is phishing, in which hackers pose as a trusted individual in order to steal usernames, passwords, and credit card details.

Attackers are looking for the "quick buck," according to Gabriel Bassett, Senior Information Security Data Scientist at Verizon and author of the report. These threats should be top of mind for small to midsize businesses (SMBs), one of many SMB-related concerns currently being addressed during this week's National Small Business Week (NSBW) event, which is sponsored by the US Small Business Administration. According to the report (see the figure below), these threats should remain top of mind because 43 percent of breaches involved small business victims.

Why Social Engineering Threats Are Trending

Phishing is an attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity when sending electronic communications. These phishing attacks could include an email message containing a link to a fake website that looks like a log-in page from a cloud-based email provider. "It's really just designed to steal your credentials," Bassett explained.

Phishing attacks were a part of 78 percent of the cyber-espionage incidents the Verizon researchers studied. In the email, the message could be addressed to a Chief Financial Officer (CFO) and appear to be from a Chief Executive Officer (CEO) asking the executive to transfer a certain amount of money to an account. The message might say, "It's really important. Please just do it really quickly," Bassett said.

These attacks are called "business email compromises." Bassett explained that Verizon referred to them in the report as "financially motivated social engineering." Attackers target C-suite executives because they have authority over large transfers of money in a corporation and may not read email communications carefully.

Phishing attacks "fool a lot of people, and so [SMBs] need to be aware that these kinds of things happen, and need to have secondary controls in place to verify any transfer of money or even payment of invoices," Bassett said. "It may just be an email with a fake invoice. If you're not paying attention, you may just pay it without realizing that it wasn't an actual legitimate invoice."

Financially motivated attacks were a key theme across various industries in the report. In fact, it was found that 68 percent of the data breaches in manufacturing were financially motivated, and 49 percent of the 352 incidents in manufacturing involved stolen credentials.

An interesting fact is that all is not lost when you have a data breach. The FBI Internet Crime Complaint Center (IC3) can help you recover funds stolen during a data breach. In half of the business email compromise incidents, 99 percent of the stolen funds were returned or frozen, according to the report. "If you fall victim to one of these acts, you still have time to act," Bassett said. "If you quickly report to IC3, they may be able to help you."

Email attacks occur because they don't require much technical skill, according to Bassett. "You don't have to understand how computers work to ask someone for money," he said. "And so it opens up cybercrime to people who are maybe nontechnical but very persuasive."

Other Key Takeaways

Email attacks weren't the only interesting tidbits from Verizon's report. Here are four other key findings:

1) Along with financially motivated social engineering attacks, there are threats to e-commerce transactions, also known as "card not present" attacks. The rise in e-commerce attacks comes with a decrease in threats to in-person point-of-sale (POS) transactions. POS breaches have dropped by a factor of 10 since 2015, and web application breaches are now 13 times more likely to occur. Attackers may be deterred by the use of EMV chip cards, according to the report. POS attacks in the accommodation (hospitality) and food service industries in particular decreased from 307 in the 2018 Verizon report to 40 in this year's version (see the figure above).

2) More than 60 million data records were impacted by breaches affecting cloud-based file storage for businesses. Misconfigurations by system administrators cause these breaches and accidentally expose sensitive information. "It's happening more and more often, and it's one of those easy, quick breaches," Bassett said. "It doesn't take a lot of steps to go from finding a database to having it breached."

This type of breach could also occur when a handoff in personnel occurs. The next administrator working on a website may not realize that a database has been left public by the person who came before.

3) The Verizon report also revealed that 69 percent of attacks were carried out by outsiders compared with 34 percent of attacks performed by insiders. An exception to this trend was in health care, where insider threats were more prevalent than in other industries. That's because there's often a curiosity in looking at the electronic medical records (EMRs) of celebrities or of people whom medical professionals know.

"In health care, they have unscrupulous employees who might look at that information and realize that there's a value to it for health care fraud," Bassett said. He described a common trend in which attackers hand off the compromised data to someone in order to file fraudulent health insurance claims.

4) Verizon also found that six times fewer human resources (HR) professionals were experiencing data breaches. The report states that it doesn't have a reason for this drop besides the improved awareness in companies about threats to data. Attacks on HR can include an attempt to retrieve employee tax information so that hackers can file false tax returns and leave employees paying the bill, Bassett said.

Guarding Against Data Breaches

To protect against data breaches, especially phishing attacks, SMBs should use password managers to strengthen their identity management practices. Another recommended practice is to use multifactor authentication (MFA) to protect accounts from breaches. This practice involves using two or more forms of authentication to gain access to a system. They can include passwords, biometrics such as fingerprints, or tokens from a mobile phone.

To protect against attacks like phishing, Bassett also recommends that users who open unsolicited files from outside entities should use a sandboxed operating system (OS) of just a tablet and a keyboard to prevent the spread of malware. A sandbox is a restricted environment in which applications are isolated and where users may be prevented from deleting files and changing system information.

It may be common sense, but a key step is to provide a way for employees to report phishing emails and data breaches when they're detected. Moving fast is essential because a phishing email sent to a company can still trigger a wave of clicks a week after it was sent.

"Reporting and clicks happen at similar rates for the first hour, but reports fall off while clicks continue to happen for the next week," Bassett said. "Use the reports you get in the first hour to delete the phishing emails from inboxes so people don't click it a day or a week later and restart the incident."

The bottom line: Stay vigilant, be suspicious of your email, and have a solid line of defense for spotting attempts at socially engineered fraud in your business.

This article originally appeared on PCMag.com.