For an overview of the current cybersecurity landscape, the annual Verizon Data Breach Investigations Report (DBIR) is always worth reading. The 2020 version has just been released and is available here.
2020 DBIR is based on information from across the globe, and draws on analysis of 157,525 incidents. Of those, 32,002 met Verizon’s quality standards for verification. 3,950 were confirmed data breaches, i.e. incidents resulting in confirmed disclosure of data to an unauthorized party. The report is based on incidents occurring in the year up to 1 November 2019.
Here’s a closer look at the most important findings, along with tips on staying secure in the face of the most prevalent current threats…
Who are the threat
- 70% of data breaches were caused by external actors, i.e. parties from outside the organizations they are targeting.
- Of these, 55% were categorized as “organized crime”. Note: as the report authors were careful to point out, “organized crime” crime in this context means “criminals with a process”, rather than the mafia.
What are their motives?
- 86% of data breaches are for financial gain.
- Stories of industrial and state sponsored espionage get a lot of publicity. But according to Verizon, only around 5% of breaches are motivated by espionage.
- Other motives (e.g. fun, ideology and grudge) feature in around 2% of breaches.
- Personal data is still the prime target. 58% of breaches involved exploiting personal data.
How are breaches carried out?
- The majority of breaches (over 67%) are caused by credential theft. Of these breaches, 37% used stolen or weak credentials and 25% involved phishing. Human error accounted for 22% of these breaches.
- 43% of breaches involved attacks on web applications.
- Fewer than 1 in 20 breaches exploit vulnerabilities. But that’s not to say you can afford to ignore those software security updates when you get them. As the DBIR team points out, attackers will try easy-to-exploit vulnerabilities if they’re available, underlining the importance of having a patch management system in place.
- Ransomware was used in 27% of incidents involving use of malware.
2020 DBIR also includes analysis of data breaches across 16 different industry sectors. This reveals a lot of variation in terms of identity and motivations of threat actors, as well as preferred methods of attack.
Here are some illustrations of those differences:
- Healthcare is the sector with the highest number of internal bad actors. 48% of healthcare breaches were perpetrated by insiders. In contrast, just 5% of incidents in the construction industry came from within.
- If you work for a school or college, be especially wary of ransomware attacks. Ransomware was responsible for 80% of all malware-related incidents in this sector, compared to a global average of 27%.
- In retail, 99% of incidents were financially motivated. In manufacturing, the risk of company secrets being exposed becomes a much more pressing concern. In almost a quarter of breaches in this sector, espionage was the primary motivator.
- Public sector organizations seem to have improved significantly in identifying breaches. 2020 DBIR shows that only 6% of breaches lay undiscovered for at least a year, compared to 47% in the previous report. This improvement is thought to be linked to the strengthening of the legislative rules on breach reporting.
Trends and Takeaway Points
Credential theft & phishing
For verified data breaches, phishing - i.e. duping victims into disclosing their credentials - is the single most common method of attack. The DBIR group found that in the vast majority of cases (96%), phishing attempts arrived via email. 3% arrive via the target organization’s website, while just 1% were linked to phone/SMS.
- Filters. Tools to filter or block incoming phishing emails.
- Training & policies. Train staff on how to spot and avoid phishing attempts and fraudulent requests for information. This includes strict rules on non-disclosure of credentials and on the importance of password strength/uniqueness.
- Multi-factor authentication. For instance, let’s say a threat actor has managed to obtain a username and password. In the absence of a numerical code sent to the user’s mobile, they’ll still be denied access to the relevant platform.
Web application breaches
2020 DBIR showed that 43% of breaches involved web app attacks, twice as much as last year. This is closely linked to the fact that many businesses have shifted to the use of cloud-based software-as-a-service (SAAS) and cloud storage of data.
- Do your research. Be careful which cloud service providers you do business with! Reputable providers will be happy to provide verifiable information on the breach detection, monitoring, encryption and other data protection measures they have in place.
- Network monitoring. This enables you to spot unusual behaviour, (e.g. unfamiliar login locations/times) that might indicate an unauthorized login attempt.
- Enable automatic updates. These update settings can be especially valuable where you have a scattered workforce. It means that you can be sure vulnerabilities are closed off swiftly, hopefully before threat actors have the opportunity to exploit them.
Ransomware was involved in 27% of incidents involving malware, up slightly from 24% a year earlier. At least one piece of ransomware was blocked by 18% of organizations throughout the year. The DBIR group refers to this type of attack as “a big problem that’s getting bigger”.
- Regular backups of important files to ensure restoration and business continuity in the event of an attack. Ensure that backups are kept separate from your network.
- Active filtering and blocking mechanisms can reduce the likelihood of malicious content reaching your network.
- Lateral movement prevention measures can prevent ransomware and other forms of malware spreading across your organization. For instance, network segmentation involves identifying, grouping and isolating critical systems. It can help effectively quarantine key parts of your network in the event of an attack.
What specific cybersecurity threats do you think our business and our industry faces? What measures would you put in place to reduce our risks?
If you’re facing an interview for a cybersecurity job, these are the type of questions you can expect to encounter. To get the know how and credentials you need to be able to answer with confidence, explore our full range of courses here.