Even though organizations may have all of the bells and whistles needed in their data security arsenal, it's the human element that continues to fuel cyber incidents occurring, according to one recent study.
The “IBM Security Services 2014 Cyber Security Intelligence Index,” a report that includes cyber security data on close to 1,000 of IBM Security Services' clients located in 133 countries, indicates that “human error” is involved in more than 95 percent of the security incidents investigated in 2013.
The most prevalent form involves clicking on a malicious link found in a phishing message, while other forms include system misconfiguration, poor patch management, the use of default usernames and passwords – or using poor passwords – as well as lost laptops or mobile devices, according to the report.
“Protecting yourself or a company from a phishing attack is obviously not an easy task,” Nick Bradley, practice lead for the Threat Research Group at IBM, told SCMagazine.com in a Monday email correspondence. “If it were, phishing would not be as successful as it is. User education is a powerful tool…teach your employees that they should not provide personal information to unfamiliar requesters.”
The data examined by researchers belongs to organizations that have between 1,000 and 5,000 employees, and an average of 500 security devices deployed within their network.
Of the information collected on these enterprises, experts determined that the average organization experienced more than 91 million “security events” in 2013 – meaning a security device or application detected the event on the network – an increase of 12 percent from 2012.
Although there was a jump in the number of security events, those classified as “attacks,” which researchers define as malicious activity that attempts to “collect, disrupt…or destroy” resources within the network, dropped to an average of 16,900 attacks this year, compared to the 73,000 per organization in 2012.
According to the report, this is a result of evolved threat intelligence when analyzing the security events.