Risky clicks continue to keep too many hackable

cyber attack button

Meet the new hacks, same as the old hacks.

In the forthcoming 2016 Data Breach Investigations Report, Verizon's team breaks down more than 100,000 cybersecurity incidents, including 2,260 confirmed and closely examined data breaches.

There's a lot of continuity with last year's report: Same sparkling prose, same depressing content.

"A lot of trends and patterns that we've seen are continuations of what we saw last year," Dave Ostertag, global investigations manager with the Verizon Investigative Response team, told FCW.

Focusing on actual breaches -- meaning thieves got away with something, so an incident such as the IRS' Get Transcript attack, wherein scammers took sensitive taxpayer information out the system's front door, counts -- the Verizon team studied 193 confirmed incidents impacting the public sector. Targeted espionage, misuse of privileges and miscellaneous errors were the top causes of public sector breaches.

Targeted espionage often relies on phishing emails to establish a beachhead. Privilege misuse covers insider threats, coerced or otherwise. The miscellaneous errors include face-palm moments like databases being accidentally published on the open web.

In all cases, the best defense involves both educating and monitoring people.

"At the end of the day, keep up a healthy level of suspicion toward all employees," Verizon's report advises. "While we would like to think they will never give you up, let you down, run around or desert you, we simply can't (tell a lie, and hurt you)."

The continued importance of phishing emails in public sector attacks is especially telling.

"Phishing has continued to trend upward (like spawning salmon?) and is found in the most opportunistic attacks as well as the sophisticated nation state tomfoolery," the report notes.

Ostertag told FCW that last year, as in years prior, a stubborn percentage of government employees will click on suspicious email links, despite organizational exhortations against risky clicking.

He advised running tests and, if an employee fails by clicking a meant-to-look-suspicious link, immediately launching them into a training module, rather than waiting days or weeks to address the failure.

Other important security steps that government agencies especially need to take: keeping endpoints protected and updated, shoring up email protections, guarding networks with multi-factor authentication and segmentation and logging everything religiously.

And in all things, vigilance is crucial.

"Rome wasn't built in a day," Verizon's report notes, "but data breaches frequently were."

With ever-faster breaches and exfiltrations of sensitive data, government security folks need to throw down every obstacle they can to slow the adversary who breaches the walls, and watch carefully to detect when the breaches come.

Verizon's 2016 Data Breach Investigations Report is due to be publicly released April 27 here.

About the Author

Zach Noble is a former FCW staff writer.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.