When a cyber security breach hits the news, those most closely involved often have incentive to play up the sophistication of the attack.
If hackers are portrayed as well-funded geniuses, victims look less vulnerable, security firms can flog their products and services, and government officials can push for tougher regulation or seek more money for cyber defenses.
But two deeply researched reports released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.
In the best-known annual study of data breaches, a report from Verizon Communications found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing.
Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.
"There's an overarching pattern," Verizon scientist Bob Rudis said.
Attackers use phishing to install malware and steal credentials from employees, then use those credentials to roam through networks and access programs and files, he said.
Verizon's report includes its own business investigations and data from 70 other contributors, including law enforcement. It found that while major new vulnerabilities such as Heartbleed are being used by hackers within hours of their announcement, more attacks last year exploited patchable vulnerabilities dating from 2007, 2010, 2011, 2012 and 2013.
Another annual infosec report, released today by Symantec, found that state-sponsored spies also used phishing techniques because they work and because the less-sophisticated approach drew less scrutiny from defenders.
Once inside a system, however, the spies wrote customised software to evade detection by whatever security programs the target has installed, Symantec said.
"Once I'm in, I can do what I need to," Robert Shaker, an incident response manager at Symantec, said. The report drew on data from 57 million sensors in 157 countries and territories.
Another section of the Verizon report could help security executives make the case for bigger budgets. The researchers produced the first analysis of the actual costs of breaches derived from insurance claims, instead of survey data.
Verizon said the best indicator of the cost of an incident is the number of records compromised, and that the cost rises logarithmically, flattening as the size of the breach rises.
According to the new Verizon model, the loss of 100,000 records should cost roughly US$475,000 on average, while 100 million lost records should cost about US$8.85 million.
Though the harder data will be welcome to number-crunchers, spending more money cannot guarantee complete protection against attacks.
Old exploits still successful
The Verizon report also revealed very few of the vulnerabilities exploited in 2014 were new that year.
It found the largest number of successful exploits last year used vulnerabilities that had been both identified and patched in 2007.
Additionally, attackers managed to identify 30 vulnerabilities from 1999 that were still open.
"Apparently hackers really do still party like it's 1999," Verizon stated in its report.
"Just because a CVE [common vulnerability and exposure] gets old doesn't mean it goes out of style with the exploit crowd."
Similarly, the Symantec report found that the growing gap between the discovery of a flaw and the release of a patch for it is being increasingly exploited by attackers.
Attackers are leaping on zero-day vulnerabilities - flaws that the vendor is unaware of - which have been disclosed publicly before being reported to the vendor, Symantec said.
"In 2014, it took 204 days, 22 days and 53 days for vendors to provide a patch for the top three most exploited zero-day vulnerabilities," Symantec wrote.
"By comparison, the average time for a patch to be issued in 2013 was only four days."