Cybersecurity responders are falling far behind the speed of the hackers they defend against, according to Verizon’s 2016 Data Breach Investigations Report.

“Attackers are getting even quicker at compromising their victims,” the report said. It found that 84 percent of security compromises took days or less. By contrast, only about 23 percent of the discoveries of those breaches took days or less, and the disparity between these two numbers has only increased over the past few years.

The report compared the defense against these breaches to the situation of a hapless and ill-prepared soldier, saying, “The soldier is told to guard a certain hill and to keep it at all costs. However, he is not told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike. To ride this analogous horse a bit further, the soldier is given a hand-me-down rifle with only a few rounds of ammunition to fulfill his task.”

The report also found that the number of vulnerabilities closed versus the number of new vulnerabilities found was at a standstill at best. Essentially, the best that is being done right now is keeping the number of available exposures the same.

“We confirmed across multiple data sets that we’re treading water–we’re not sinking in new vulnerabilities, but we’re not swimming toward the land of instantaneous remediation and vuln-free assets,” the report said. It recommended that companies establish a process that addresses the most targeted vulnerabilities, plan mitigation strategies when those vulnerabilities cannot be removed, and employ venerability scanning to identify new services and devices.

Companies are also finding it hard to keep up with increasingly popular techniques like phishing, which trick people with server access to click on malicious links or approve sketchy transactions. In large part, this is due to the fact that employees aren’t reporting it when it happens.

“In approximately 636,000 sanctioned phishing emails, we captured whether the email was reported. Approximately three percent of targeted individuals alerted management of a possible phishing email,” the report said. This is particularly problematic when compared with the 12 percent of people who clicked on the links in the phishing email, meaning that successful attacks outnumber reports 4 to 1.

The report recommended that companies filter their incoming emails to keep employee mistakes out of the picture, establish awareness training and secondary protection methods, and remain constantly aware of potentially suspicious traffic.

These trends are especially important for the public sector, as it accounted for 47,237 of the total 64,199 reported breaches in 2015, or over 73 percent. However, the public sector accounted for only about 8 percent of incidents with confirmed data loss.

Within this sector, Verizon found four major reasons for data breaches: miscellaneous errors, insider and privilege misuse, physical theft and loss, and crimeware. Of those, errors and the misuse of privilege were the most common.

“Human error and intentional abuse of privilege account for almost two-thirds of public sector security incidents in this year’s Data Breach Investigations Report (DBIR). In many cases, the risk from these incidents could be significantly reduced with the right controls and processes,” the report said.

Regardless of the source of the data exposure, organizations were rarely prepared to respond in an adequate amount of time.

“Data held by public sector organizations was compromised in just seconds in 76% of cases—due to the prevalence of misuse, loss and error, which basically take place immediately. Once a public sector organization was compromised, attackers were able to exfiltrate data in hours or less 76% of the time,” the report said. “While the majority of incidents were discovered in hours or less, it took public sector organizations longer to discover breaches where data was stolen. Only 24% of breaches were discovered in hours or less.”

Read More About
More Topics
Jessie Bur
Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.