Experiencing a data breach purely from being internet-connected is quite rare. Hackers rely on users to open or install a malicious payload, according to Proofpoint
For all of the attention paid to software vulnerabilities—there are dozens, if not hundreds, published daily, only a handful of which are publicized in the news—the factor in question for security is « the human factor, » as Proofpoint states in their 2019 Human Factor Report, published Monday. The results make sense—while computers can automate tasks, they are not themselves autonomous.
« Instead of attacking computer systems and infrastructure, threat actors focused on people, their roles within an organization, the data to which they had access, and their likelihood to ‘click here’, » the report stated. « Whether attacking at a massive scale in large, indiscriminate campaigns, going after specific industries or geographies with more targeted campaigns, or seeking out a single person within an organization, attackers and their sponsors consistently found human beings to be the most effective vectors to infiltrate organizations and facilitate fraud and theft. »
Phishing is quite often the form these attacks take—generic email credential harvesting represented nearly a quarter of all phishing attacks, with Office 365 and financial institution phishing attacks rounding out the top three.
Likewise, impostor attacks—which Proofpoint uses as a catch-all term
for domain spoofing, look-alike domains, and other methods for « identity deception, » were at an all-time high in 2018 for engineering, automotive, and education fields, » likely reflecting easily exploited supply chain complexities in the first two and high-value targets and user vulnerabilities, especially among student populations, in the latter, » according to the report.
Despite conventional expectations, the highest-profile people within an organization are not necessarily the highest-profile targets for hackers. Proofpoint proposes the concept of « Very Attacked People » (VAPs) that are « either easily discovered identities or targets of opportunity like shared public accounts. » The report notes that 36% of identified VAPs could be found « via corporate websites, social media, publications, and more, » while only 7% of C-level executives who are also VAPs could be found online.
Corporate websites are the most frequent source of VAPs, at just over 40%, with « publicly available files » a close second. Social media services accounted for less than 5% of sources.
Likewise, the size of an organization is not a strong indicator of how likely it will be attacked. « While larger organizations may be attractive for their deep pockets, smaller companies may be more vulnerable due to the relative lack of controls and awareness, both of which create lucrative potential outcomes for threat actors, » the report stated.