Miscellaneous Errors
Please provide the information below to view the online Verizon Data Breach Investigations Report.
Thank You.
Gracias.
You will soon receive an email with a link to confirm your access, or follow the link below.
Gracias.
You may now close this message and continue to your article.
- 2024
- Summary of Findings
- Introducción
- Helpful Guidance
- Results and Analysis - Introduction
- Incident Classification - Introduction
- Incident Classification - System Intrusion
- Incident Classification - Social Engineering
- Incident Classification - Basic Web Application Attacks
- Incident Classification - Miscellaneous Errors
- Incident Classification - Denial of Service
- Incident Classification - Lost and Stolen Assets
- Incident Classification - Privilege Misuse
- Industries - Introduction
- Introduction to Regions
- Wrap Up
- Appendix
- Corrections
- Download the full report (PDF)
Resumen
Errors have increased substantially this year, possibly indicating a rise in Carelessness, although it may also reflect increased data visibility with new contributors. More than 50% of errors were the result of Misdelivery, continuing last year’s trend, while other errors, such as Disposal, are declining. End-users now account for 87% of errors, emphasizing the need for universal error-catching controls across industries.
What is the same?
We can always count on people making mistakes. The categories of mistakes they make are consistent year over year, and while some Error varieties have been decreasing, the ranking of frequency remains the same.
Frequency |
2,679 incidents, 2,671 with confirmed data disclosure |
|
Threat actors |
Internal (100%) (breaches) |
|
Data compromised |
Personal (94%), Internal (34%), Bank (14%), Other (12%) (breaches) |
I know exactly what I’m doing.
In our fast-paced and hectic world, it is easy to make the occasional mistake. The key is to make sure that those errors remain occasional and do not become habitual. Employees might be inching toward the latter state given the fact that we saw approximately five times as many Error-related breaches this year as we did in last year’s report. Does this substantial increase mean that incompetence and inattention to detail are booming?84 Possibly, but it is also, as stated earlier in this report, indicative of the generosity of our data-sharing partners. The greater the number of breaches that we examine, the higher these percentages become. More than 50% of errors in 2023 resulted from Misdelivery (sending something to the wrong recipient), as shown in Figure 46. This was also the No. 1 category in last year’s report.
Misconfiguration is the next most common error and was seen in approximately 10% of breaches. Misconfiguration has been on a downward trend85 for the last three years. There are a few possible explanations for this. Chief among them is that (thankfully) many systems are becoming more secure by default, making the practice of standing up new tech without reading the manual a less risky proposal. Other factors may include that security researchers are not spending as much time on finding these systems with their screen doors flapping in the wind, and, lastly, criminals may be using the same tools historically utilized by researchers to discover these errors and exploiting them to steal data, which would result in the attack showing up with a Hacking action rather than Error.
Classification errors, Publishing errors and Gaffes (verbal slips) are all relatively tightly packed in order of mention. Disposal errors continue to decline ever so slightly (as has been the general trend for the last several years) and accounted for just over 1% of the cases in this pattern. It is unclear whether more attention has been paid to this matter or employees have simply gotten better at burning records in a barrel in the parking lot.
Figure 47 shows one rather drastic change in this pattern related to actors: End-user accounted for 87% of errors as opposed to 20% in last year’s report, while System administrators dropped to only 11% (from 46% last year). This drop is in large part the result of the corresponding rise in Misdelivery—it takes a System administrator to misconfigure, but any old End-user can misdeliver. Power to the people!
Lastly, the Miscellaneous Errors pattern shows a relative diverse array of industry types (Figure 48), with Healthcare and Public Administration at the top (understandably, given reporting requirements) and a good showing from other industries such as Financial and Insurance; Education; and Professional, Scientific and Technical Services. This illustrates the important fact that carelessness is somewhat of a universal trait, so employers in any vertical should ensure that their controls will catch these kinds of errors early.
CIS Controls for consideration
Control data Data Protection [3] |
Secure infrastructure Continuous Vulnerability Management [7] |
Train employees Security Awareness and Skills Training [14] |
84 Look around at your coworkers, and use your best judgment to answer that question.
85 Not unlike most of civilization