Verizon 2024 DBIR: Employees Remain Weakest Link in Cybersecurity Chain

Verizon's 2024 Data Breach Investigations Report reveals the role of employees in creating opportunities for threat actors to infiltrate organizations.
May 9, 2024

Employees are undoubtedly the cornerstone of your enterprise’s success. They also represent the Achilles' heel of its security. The harsh truth of cybercrime is that it's just a numbers game. If the right solutions aren’t in place, protecting the organization from email attacks requires employees to correctly identify threats 100% of the time—which simply isn’t feasible.

Last week, Verizon released its 17th annual Data Breach Investigations Report, which explores the perpetrators, tactics, and targets of cybercrime. Building on the trends we’ve seen in recent years, the data revealed how large a role the workforce plays in creating opportunities for attackers to compromise an organization—and the ways threat actors are capitalizing on those opportunities.

The Human Element Is a Component in 68% of Breaches

Note: Verizon adjusted its human element metric this year to exclude malicious insiders, which lowered the number slightly from last year.

The vast majority of cybercrime today is successful because it exploits the people behind the keyboard.

Rather than focusing on technical vulnerabilities, modern, socially engineered attacks rely on manipulation and deceit to convince employees to share sensitive data, provide login credentials, and update bank account information. Verizon found that nearly 70% of all breaches include the human element, with people being involved either via unintentional error, use of stolen credentials, or social engineering.

Further, phishing tests revealed that the median time for an employee to click on a malicious link after opening a phishing email is 21 seconds, and then just another 28 seconds for the recipient to provide the requested information. In other words, employees can be tricked into divulging sensitive information via a phishing attack in under a minute.

Social Engineering Attacks Account for 30% of All Breaches

While the incidence of business email compromise (BEC) did not dramatically increase the way it did between 2021 and 2022 (when it nearly doubled year-over-year), it remains the top type of social engineering incident included in the DBIR.

BEC was also the tactic used in 25% of all financially motivated attacks and, together with phishing, accounted for almost 30% of all breaches analyzed by Verizon.

By relying on text-based communication and opting to compromise people instead of networks, attackers can more easily circumvent conventional security measures. This is because traditional security solutions lack the functionality to understand the subtleties and nuance of language and human behavior, making it difficult for them to distinguish between genuine and malicious intent.

Breaches Due to Compromised Vendors Jump Nearly 70%

Although compromising employees remains the most direct way for threat actors to infiltrate your organization, every vendor your enterprise works with also represents a potential entry point.

If a vendor hasn’t implemented sufficient security controls and a threat actor successfully compromises an account in their ecosystem, the bad actor can then use that account to launch an attack on your organization. And because any messages would be sent from a legitimate account with no history of malicious behavior, the emails would bypass any signature-based security solution. Further, the targeted employee would have no reason to believe any requests were fraudulent since they would appear to be from the actual vendor.

According to Verizon’s research, 15% of breaches were influenced by supply chain interconnection—a 68% year-over-year increase. The fact is that attackers will always choose the path of least resistance. Unfortunately, this means that an organization’s security is only as strong as its weakest vendor.

Stopping Attacks That Exploit Human Behavior

Security awareness training is undeniably important, and every enterprise should commit to educating its employees about the threats targeting its organization. However, the most effective way to prevent a data breach is to ensure employees can’t engage with malicious emails in the first place.

An AI-native, API-based email security solution uses behavioral data to understand the communications and processes of every employee and vendor across the entire organization. Then, it uses computer vision and natural language processing (NLP) to examine email content and identify anomalous activity, enabling it to detect and block threats before they reach employee inboxes.

See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.
