It's tempting to view security breaches as the products of mastermind hackers, but a massive report released today reveals the sad reality. Most of the time, breaches are the result of people falling for plain old trick emails.
Verizon's Data Breach Investigations Report is one of the biggest of its kind. It's an analysis of some 80,000 security incidents, and more than 2,000 breaches all over the world. It's produced in conjunction with a number of experts in the security and data business.
Among the fun facts in the report, the number of phishing attacks is staggering: The report says two-thirds of electronic espionage cases can be traced back to phishing.
For those unfamiliar, phishing is the art of tricking people to handing over their credentials or access to protected systems. Phishing campaigns tend to be huge email blasts that contain either links or attachments. You click a link that takes you to a website that looks like your bank's, and enter your credentials without thinking. Or in the case of a more sophisticated attack, you click a link or attachment which installs a piece of malware which compromises a system or network.
A lot of people are falling for them: A study of 150,000 phishing emails by Verizon partners found that 23 per cent of recipients open phishing messages, and 11 per cent open attachments. Is that not crazy? One in 10 people opens an attachment when they have no idea what they're opening.
And it happens fast: It takes an average of 82 seconds from the time a phishing campaign is launched, until the first sucker bites. And this isn't just phishing in people's Gmail accounts. It's happening on sensitive business and government accounts where the targets should theoretically know better.
Some of the old-style sources of security breaches like malware keyloggers have tapered off in recent years, but phishing remains a huge problem (though a phishing campaign could be aimed at getting unwary victims to install keyloggers). The only solution seems to be education. 50 per cent of victims open attachments or click links in less than hour, which is faster than administrates can detect the problem.
Come on people — don't click that damn link, or open that attachment, no matter how tantalising it looks. Especially if it's from a stranger.