User mistakes aid most cyber attacks, Verizon and Symantec studies show

When a cyber security breach hits the news, those most closely involved often have incentive to play up the sophistication of the attack.

If hackers are portrayed as well-funded geniuses, victims look less vulnerable, security firms can flog their products and services, and government officials can push for tougher regulation or seek more money for cyber defenses.

But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.

These conclusions will be in the minds of executives attending the world's largest technology security conference next week in San Francisco, a conference named after lead sponsor RSA, the security division of EMC Corp.

In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry's term for trick emails.

Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90% of the time, Verizon found.