Email fails are common, but for companies, they can be expensive and dangerous mistakes.
The single biggest cause of data breaches in 2014 was "miscellaneous errors," like a staffer emailing sensitive information to the wrong email address, according to Verizon's annual Data Breach Investigations Report released Tuesday.
Those "errors" accounted for 29.4 percent of data breaches in 2014, up from 25 percent in 2013, Verizon said. Some of those errors are caused by problems like a computer malfunction or a misconfigured system -- but 60 percent of the time, it's a relatively simple user mistake.
The Verizon researchers (who frequently take an irreverent tone in writing the report, with this year's entry including phrases like "FTW" and an "All About That Bass" joke) divided these common mistakes into three categories.
- "D'oh!": sensitive information sent to incorrect recipients made up 30 percent of the errors that led to a data breach
- "My bad!": publishing non-public data to public web servers totaled 17 percent of error incidents
- "Oops!": insecure disposal of personal and medical data comprised 12 percent of errors
"At this point, take your index finger, place it on your chest, and repeat 'I am the problem,' as long as it takes to believe it. Good — the first step to recovery is admitting the problem," the Verizon researchers wrote.
Beyond mistakes that come from the users themselves, internal staffers can also unwittingly assist in a cyberattack by clicking on malicious links and downloading malware contained in emails from senders that look legitimate.
Unfortunately, last year about 23 percent of recipients opened these "phishing" emails -- which usually try to deliver malware onto a computer or convince a user to give up passwords -- and 11 percent clicked on attachments, Verizon said.
It doesn't take attackers long to "get that foot in the door," Verizon said. Two of the company's partners sent 150,000 phishing-style emails as part of a test, and the median time-to-first-click clocked in at just 82 seconds.
"With users taking the bait this quickly, the hard reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events," Verizon wrote. Companies need to educate their employees, as it seems even wider awareness of data breaches hasn't curtailed poor email practices.
Verizon noted that 2014 marked the entrance of the term "data breach" into "the broader public vernacular," with attacks on Home Depot, Sony, eBay and other major brands dominating headlines. Security flaws like Heartbleed even received their own catchy names and logos, Verizon noted, and high-profile companies finally began to realize they may be vulnerable to cyberattacks.
Earlier on Tuesday, security firm Symantec released its own annual report that showed nearly one million new pieces of malicious software were created every day in 2014.
"The real sign of the times, however," the Verizon researchers wrote, "was that our moms started asking, 'Is that what you do, dear?' and seemed to finally get what we do for a living."