
Data Breaches: Fear the simple, not the complex

You must not underestimate the capabilities of phishing attacks.

By Tom Ball

It can at times seem as though we are all at the mercy of the mysterious, sometimes hooded, hacker figure that has us all under control before we have even tried to protect ourselves. Because of this, it may still be surprising to some that the kinds of cyber attack causing the world’s greatest problems are also the most primitive.

Bewildered by the idea of the cyber grim-reaper using code and algorithms like black magic, we may have lost track of the truth that we can protect ourselves by remembering to alter and improve passwords, use multi-factor authentication, and not click on suspicious links.


This is the case not only for individuals but also for major organisations, with the recent Verizon Data Breach Investigation Report being a case in point. John Grim, Senior Security Specialist and RISK Team Leader at Verizon, told CBR that the results of the report reveal a lack of awareness, as shown by the effectiveness of basic attacks such as phishing.

The report included 1,935 data breaches spanning 84 countries, with a standout finding being that humans are still enabling low-tech attacks to wreak havoc within organisations.

“First and foremost, taking advantage of the human element is big with threat actors; taking advantage of people’s gullibility when it comes to sending phishing emails, taking advantage of people not paying attention,” said Mr Grim.

“Phishing is very big, the social engineering aspect of it, and you see that as a continued trend this year as well as we have seen over the previous years. So 43% of the data breaches involved phishing, and that was definitely a precursor for the financially motivated attacks, as well as the cyber espionage.”

The message of changing and adding complexity to passwords was also one that was shared by the Senior Investigative Response Consultant. Mr Grim said, “Credentials are still a big problem, 81% of the data breaches that we looked at this year in terms of data sets, the threat actors are leveraging those default passwords, those weak passwords, or those passwords that have been stolen.”


Statistics from the Verizon Data Breach Investigation Report 2017


While it could be assumed that all organisations would have processes, procedures and standards for simple things like passwords and employees, these areas are continuing to be neglected, resulting in an influx of cyber attack instances and breaches.

On an even simpler level than phishing, financial pretexting was also found to be effective in gaining access to critical data by exploiting the low awareness and laziness of users who are vulnerable to cyber attack.


John Grim explained how this works and how prevalent it is. He said: “Financial pretexting is tricking somebody, like sending them a fake invoice, and having an executive sign off on it, and basically stealing money that way.”

“In terms of pretexting the top communication vector email, we’re seeing 88% there, and then we are seeing pretexting 10% of the time in telephonic or phone communications.”

With close to 90% of this most basic form of attack arriving via email, it raises the question of whether email is still a suitable platform for transferring sensitive information. CBR recently spoke to a startup called Pushfor that is tackling the space, aiming to provide a secure solution for sending important information.

It must also be realised that once a hacker has utilised your own lack of preparation and awareness against you, it is only the beginning, as your network can then be infiltrated by malicious software, and held to ransom.
