Data breach update: It's bad and not getting better

John Lande, Iowa Banking Law, Iowa Cybersecurity Law, Dickinson Law Firm, Des Moines Iowa

Posted on 05/09/2017 at 08:23 AM by John Lande

Verizon recently released its annual Verizon Data Breach Investigations Report (“DBIR”). The DBIR contains an exhaustive analysis of the latest cybersecurity threats facing organizations. The DBIR has a number of important statistics for organizations of all kinds to consider when assessing their cybersecurity risk. 

The DBIR notes that 51% of data breaches involved the installation of malware. Of the attacks involving malware, 66% of the breaches began after users opened malicious email attachments. This blog recently covered incidents involving employees whose email practices led to six-figure losses. The DBIR makes clear that this kind of attack still accounts for a large percentage of data breaches. Organizations need to make sure that they are making an effort to minimize the risk posed by employees opening malicious email. 

Social engineering attacks were also prevalent: fraudsters used social engineering in 43% of all breaches. Phishing emails accounted for 93% of all social engineering attacks, and 28% of these phishing schemes targeted specific employees. This blog has extensively reviewed cases involving employees who were tricked into providing fraudsters confidential information or money. 

Social engineering is a particularly challenging attack vector to defend because it is not possible to use technical solutions—hardware and software—to totally eliminate the threat. That means organizations must rely on their employees’ vigilance to detect phony emails. On that issue, the DBIR does not inspire confidence: 1 in 14 users were tricked into opening a malicious attachment or link, and 25% of those who opened a malicious link or attachment did so more than once. 

If there is anything reassuring about the DBIR, it is that a handful of attack vectors account for the vast majority of each industry’s cybersecurity threats. For example, in the financial services industry payment card skimmers, web application attacks, and denial of service attacks account for 88% of all data breaches. That means a financial organization, while not immune to other kinds of cyberattacks, can focus its energy and resources on defending against the most prevalent kinds of attack. 

Organizations should identify where they are most vulnerable to cybersecurity threats, and design security procedures and processes to mitigate the areas of greatest risk. As with any risk, it will never be feasible to totally eliminate cybersecurity risk. However, layered defenses involving hardware, software, organizational controls, and insurance coverage can minimize the risk that an organization will experience a loss. 

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

- John Lande


Questions, Contact us today.

Contact Us


The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm.  Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys.  If specific legal information is needed, please retain and consult with an attorney of your own selection.

There are no comments yet.
Add Comment

* Indicates a required field