Small businesses accounted for 58% of the more than 53,000 information security incidents and 2,216 data breaches examined in the 2018 Verizon Data Breach Investigations Report. In the report, an incident is defined as, “a security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is “an incident that results in the confirmed disclosure— not just potential exposure—of data to an unauthorized party.” Additional highlights from the report include:

  • The motivations of breaches were mostly financial (76%) followed by espionage (13%).
  • Most incidents involved Disruption of Service (DoS) hacking and the most common kind of breach was the use of stolen credentials.
  • The most compromised data included personal, payment, medical, and credentials.
  • Top assets involved in breaches included databases, POS terminals, POS controllers, web apps, desktops, and documents.

Of the more than 2,000 breaches recorded, 73% were perpetrated by outsiders to the organization. Half of all breaches were carried out by organized criminal groups. Although most breaches come from outside a firm, still 28% of breaches in the survey involved internal actors. A concerning discovery is that 68% of breaches took months or longer to discover. While the first action to initiate compromise of an asset can take only seconds or minutes, the discovery of a breach is most likely to take weeks or even months.

First mentioned in the 2013 Data Breach Investigations Report, ransomware has become the most prevalent style of malware this year (56%). Verizon analyzed more than 400 million malware detections across approximately 130,000 organizations and the median organization received 22 or fewer pieces of malware per year. Of those that saw a piece of malware, 37% never saw another. The most common malware vector is email (92.4%), followed by web browsers 96.3%).

Phishing Vector: Email

Most data breaches involve phishing and pretexting, which represent 98% of incidents and 93% of breaches. Based on the findings of this report, companies are most likely to experience phishing or pretexting through malicious emails, which continues to be the most common vector at 96%. Phishing involves sending a message, usually an email, with the goal of influencing the recipient to click on a malicious link or download a corrupt file. Pretexting is the creation of a false narrative to obtain information or influence behavior. More than 95% of the time, the goal of pretexting is financial. The motives for phishing, however, are split between financial (59%) and espionage (41%). Although phishing is prevalent, about 78% of people do not click a single phish all year.

Pretexting, in contrast to the majority of phishing incidents, does not rely on malware installation. Instead, pretexting is more about acquiring information directly from the actions taken by the target. The most prevalent targets of pretexting were employees who either worked in finance or human resources. Finance employees typically face emails that impersonate the CEO or other executives with phony invoices asking for wire transfers. The incidents targeting human resources staff most often go after the W-2 information of employees to file fraudulent tax returns and directly depositing any refunds to the attacker’s account. Financial pretexting rose from 61 incidents in the 2017 Data Breach Investigations Report to 170 this year. There was also an increase of 83 incidents targeting HR staff.

Though mobile devices are less likely to experience a breach, it is still possible. A common vector is the use of phishing or “SMiShing” that entice the mobile user to download applications outside of official platform marketplaces.

Breach Prevention

The Data Breach Investigations Report offers a few recommendations for preventing data breaches. They include:

  • Two-factor authentication. Passwords alone are not sufficient for security against a data breach. Companies are advised to implement two-factor authentication for web administers and, if possible, for all users in the organization.
  • Hygiene checklist. Verizon suggests implementing a routine checklist for general security hygiene, and regularly patch and update software.
  • Reporting mechanisms. Provide easy and accessible reporting mechanisms for employees and encourage them to report any incidents.
  • Exit programs. Restrict access privileges to only those who need it and have an exit program when employees leave to ensure access is closed.

Download the full report here.

For more information about the Cyber Readiness Institute, please contact Henry Vido, Program Director, at