
Human error among top ransomware security risks

The release of Verizon’s 2022 Data Breach Investigations Report (DBIR) has highlighted trends and common impacts of cyber-attacks over the past year, with 82% of the breaches analysed involving a “human element”.

Since the annual report from Verizon began in 2008, the trends each year have tended to be similar. However, the authors cite the COVID-19 pandemic, and the invasion of Ukrainian territory by Russian troops, as likely reasons that “financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”


One key finding of the report demonstrated that ransomware was responsible for almost 70% of all malware breaches in the past 12 months. The full report from Verizon can be viewed here.


The report states that ransomware has seen a 13% increase this year (as large as the previous five years combined), since threat actors do not need to take time searching databases for financial tools such as customers' credit cards or banking details to make money. They simply force the organisations to hand over the funds in the form of a ransom, or risk losing their data.


Additionally, supply chain attacks are reported to be responsible for 62% of system intrusion incidents throughout 2022.


Verizon highlights that these attacks can result in a large number of victims, because the system intrusion spreads quickly from the organisation initially targeted to its customers, partners and suppliers.


In terms of looking at who is ultimately responsible for these compromises, the report identified that erroneous human actions were responsible for 13% of breaches. Furthermore, researchers found that 82% of the breaches analysed for the DBIR involved a “human element”, from the use of stolen credentials, phishing, account misuse, or simply an error. As such, it is almost certain that people continue to play a substantial role in incidents and breaches.


With the recent rise in spam emails targeting organisations and the increase in advanced persistent threat (APT) groups' efforts to attack authorities worldwide, human interaction with force systems needs to form an integral part of cyber risk education.


Threat actors are aware that human interaction with computers is unavoidable and therefore aim to exploit it for their own gain.


The use of phishing tactics, where users are tricked into clicking on links in emails or text messages (smishing) or divulging information over the phone (vishing), continues to be a key initial access point for ransomware operators.


Social engineering principles also continue to be utilised to make these attempts more believable. As such, organisations are encouraged to continue implementing education on risks posed by these attacks and how they can be prevented.


How we can help


We offer educational awareness sessions, or security awareness training, which cover the human error element mentioned above. For example, we talk about how to spot phishing, smishing and vishing attempts, and offer either an ‘off the shelf’ session or a tailored session to meet your business needs.


Find out more about our security awareness training, and read our blogs below on why it's so important that your staff are educated enough to decrease the risk of human error harming a business.



 

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).

 



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.

 

EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
