It would take hours to read through the 100+ pages of the Verizon’s Data Breach Investigations Report (DIBR) which takes the pulse of the security landscape for companies and organisations every year.
The 2020 report is extensive and exhaustive. It analyses more than 32,000 security incidents and confirms 3,950 of them as breaches, examining the profiles of the breaches, what caused them and how they can be prevented. The Verizon analysis covers 16 industries in four regions of the world, covering a wide range of businesses from finance and insurance to hospitality and manufacturing to healthcare.
By scouring malware types and new emerging delivery methods for attack, the Verizon Data Breach Investigations Report provides a thorough snapshot of the state of play for industries and what threats and challenges need to be addressed.
It’s a landscape that’s constantly evolving. In just one example, as businesses have moved to the cloud, attackers have followed with 43% of breaches involving web apps, more than double the figure from last year.
Companies with misconfiguring errors in their cloud systems have left themselves open to these attacks too with the DBIR noting that since 2017, misconfiguring errors have been increasing. Such errors make for an easy target in the cloud.
The report is comprehensive and worth a thorough read when you have time, but here are Integrity360s five key takeaways from this year’s DBIR.
External actors are responsible for 70% of security breaches analysed in the DBIR, through hacking, using malware or social attacks. More than 80% of attack methods use brute force or stolen credentials, rather than exploiting vulnerabilities which accounted 20%. While the threat of outside attacks has grown, the profile of these attacks has mainly remained the same, such as credential theft and phishing emails.
Cyber-attacks often grab the headlines when there are malicious outside hackers at play, but the threat can be inside the walls of an organisation too.
In this year’s report, the number of internal-error-related data breaches more than doubled, from 424 to 881. The authors attribute the higher number this year to new regulations, like GDPR, that put more of an onus on companies to report a breach, even if it’s an accident in-house.
Action Point: This finding reiterates the need for an unrelenting focus on threat management from outside and inside the organisation supported by robust internal security processes and policies.
Ransomware has become a profoundly common threat to organisations big and small over the last five years with the legacy of the 2017 WannaCry attacks still lingering. The trend of ransomware attacks has continued and is no longer an anomaly that managers and IT pros can hope won’t affect them.
According to the DBIR, ransomware is “a big problem that is getting bigger”. Ransomware made up 27% of all malware incidents, while 18% of organisations reported blocking ransomware at least once.
Verizon says the increase in ransomware incidents and breaches is down to the ease of access to this malware by attackers. “Service” models that allow malicious actors to access and deploy ransomware code with relative ease have become more common.
This type of malware is more often than not financially motivated. It locks down a victim’s systems and demands a ransom, usually in bitcoin or other cryptocurrencies, to unfreeze the data. Malicious actors do not discriminate with their ransomware targets with financial services, government bodies and educational organisations all feeling the wrath. In education alone, 80% of malware infections were ransomware-related.
Action Point: The cost of a ransomware attack can seriously damage your business and its reputation. While employee education can help staff spot potential attacks, more needs to be done to prepare for the increasing frequency of attacks.
A common thread throughout many breaches – and in all the 16 industries examined – was the prevalence of personal data being compromised.
Personal data includes names, phone numbers, email addresses and mailing addresses, among other potentially sensitive information.
Personal data was affected in 58% of the breaches analysed – nearly double the percentage from the previous year. This data is typically compromised as a result of breached emails or from being stored in a misconfigured database.
Again, the increase in reports of these breaches can be likely attributed to new legal requirements on reporting incidents.
Action Point: With the unrelenting level of personal data breaches an independent, regular Cyber Risk Review is more relevant than ever.
Verizon found that a vast majority of data breaches (72%) were at large organisations, but small and medium-sized businesses (SMBs) are still caught in the crosshairs.
DBIR highlights that the differences between small businesses and large companies are narrowing as more industries turn to cloud computing. At the same time employees are only human and still vulnerable to letting an attack through the doors.
SMBs, which are defined as having 1,000 employees or less, continue to suffer attacks and breaches at a regular pace. In the case of attacks on small businesses, some 83% of attacks are motivated by financial gain, showing that malware like ransomware is very much a risk to a small business as it is to an enterprise.
Action Point: The size of your company does not protect it from the attention of cyber criminals. One crucial point is to train your staff as improved user awareness will help to minimise risk.
Despite the increase in breaches, security tools for organisations are catching up and capable of blocking more and more common types of malware.
One prime example is Trojan malware, which disguises itself as a familiar or harmless piece of software. Its impact has dwindled dramatically since 2016 when it accounted for nearly 50% of breaches. Now it is only 6.5%. This drop indicates that blocking measures are getting more effective, but that does not mean that the threat has vanished.
The Verizon report found that most organisations are regularly patching their systems to protect against vulnerabilities. Patching is an example of best practice that has become more important in recent years. Still, the report goes on to warn about companies only patching their critical systems and not patching “forgotten assets” that can leave unnoticed vulnerabilities exposed. The best practices of patching need to be carried out across the board.
Action Point: Stay on top of the latest developments in cyber security defences by signing up to Integrity360s newsletter.