The twelfth edition of the Verizon Data Breach Investigations Report 2019 (DBIR) has been released and, to no one’s surprise, it suggests cyber criminals are still widely succeeding in hacking organizations. That’s a point no IT or security professional would dispute. However, the good news is that, according to the report, security defenses are getting better at stopping attacks. The Verizon study analyzed more than 40,000 security incidents, including 2,013 confirmed data breaches, which is lower than the 53,000 incidents analyzed last year. But while the quantity of incidents has decreased, the primary takeaway from this report is that there are still too many breaches. Here are a few key takeaways:
People and Tech Need to Work Together Better
The Verizon DBIR indicates that cybersecurity is about finding the balance between humans and technology. Several of the incidents (and breaches) show that cyber criminals use hacking methods that exploit vulnerabilities in both humans and applications — technology alone can’t protect human identities or sensitive data. Criminals target people, seeking ways to manipulate them into unknowingly revealing sensitive information — also known as social engineering. This is the easiest way to access valuable data. Unfortunately, humans are the weakest point in cybersecurity, but their actions are also key factors in keeping data secure.
There is too much complexity in the cybersecurity industry, and it is crucial that we make technology simpler and easier to use for people if we want them to actually adopt the solutions we offer. The future of cybersecurity lies in making it simple. There are positives found in the report: Cyber awareness training and other programs do work. Granted, we have to credit the fallout of the disastrous breaches in recent memory, but it’s still good to note that cybersecurity awareness is growing. The Verizon DBIR shows that employees are being more cautious about email threats, which the report states are the delivery point of 94 percent of malware attacks. We need to keep up the momentum and make employees a defensive asset in our cybersecurity strategy, not one of our greatest weaknesses.
Common, Simple Techniques Still Dominate the “How?” of Cybercrime
It is critically important that organizations know how criminals target their victims. Knowing how these culprits subvert security protections and gain access to systems containing sensitive information helps organizations understand how they could be targeted and what they can do to reduce their risk.
The 2019 report confirms that cyber criminals are successfully hacking business and government organizations across the globe with simple tactics that, according to the report, involve fewer than five steps. One of the most common attack actions in breaches is still the use of stolen credentials (29 percent). Yet again, theft of credentials (such as passwords) takes a top spot among the most commonly used attack vectors.
These attacks are extremely cost-effective and relatively easy to initiate. Cheap and simple: it should come as no surprise that this is the go-to strategy for cyber criminals. One of the easiest methods is to leverage social engineering. Many attackers use phishing schemes through browser-based sources, rogue applications, fake social media ads or email to get inside privileged accounts and access sensitive data. The Verizon DBIR reports that phishing is involved in 32 percent of breaches.
Any Organization Can Be a Victim
No private company or public institution is too big or too small to be a target for cyber criminals. Anyone can be hit with an attack — 43 percent of the breaches victimized small businesses.
According to the Verizon DBIR, the top three industries hit by breaches were: public sector entities (16 percent), healthcare organizations (15 percent) and financial firms (10 percent). It doesn’t take much math to figure out that those top three industries make up 31 percent of the breaches. This means there are several sectors that make up the other 69 percent. Given the likelihood of a cyberattack, organizations of all sizes and in every industry should take notice and be sure to have a cybersecurity incident response plan.
Who are the Culprits and What are Their Motives?
Attributing the attacks to specific criminals or sources is one of the most daunting tasks in cybersecurity. Attackers are often able to use various misdirection techniques and lack traceable digital footprints. This makes it extremely difficult for investigators to find the culprits, many of whom reside in other countries and under different legislation.
However, I found several noteworthy data points:
- 69 percent of breaches are perpetrated by outsiders
- 34 percent of breaches involved internal actors
- 23 percent of attackers involved nation-states or state-affiliated groups
Whether or not the numbers above surprise you, the motives of these attackers are well known: nearly all cyber attacks are conducted for either financial (71 percent) or strategic gain (25 percent).
Cyber penetration has proven to be a lucrative business as a successful attack can allow the perpetrator to pillage an organization for millions. According to a study from IBM last year, the global average cost of a data breach is $3.86 million, which was up 6.4 percent from 2017. Additionally, on the strategic — usually corporate or international espionage — side, breaches can exploit companies’ and public organizations’ sensitive data, product secrets, and more (in addition to the financial cost).
Another data point to look at is the cyber attack activity by organized crime groups, as the report found their involvement in 39 percent of the breaches. This actually means that organized crime involvement has dropped over the past few years. Meanwhile, crimes driven by system administrators and nation-state actors have increased. This unfortunately suggests that former employees are leaving their employers with sensitive corporate data (which can be leveraged to benefit their career opportunities and give their new allegiances a competitive advantage). This can also mean that systems are poorly configured or lack sufficient internal data management tools.
What to Watch Out For
Slow reaction time is a critical issue in cybersecurity — organizations react too slowly to data breaches. Most data breaches (56 percent) last for months before they are discovered. This leads to further system penetration, greater theft of sensitive data and larger financial cost.
Another finding from the report is that ransomware continues to increase in global usage and financial impact. It is now considered a commodity that no longer requires extensive technical expertise. Organizations need to be wary because anyone with a computer and an internet connection is able to obtain ransomware and target a victim. Ransomware is so easily within the reach of common criminals that we can unfortunately expect a continued increase in use.
DDoS (Distributed Denial of Service) attacks are also on the rise. They cause massive disruption to an organization and are often conducted in conjunction with other cyber techniques that can be used to distract organizations. While the victim organizations combat the other attacks and attempt to keep their services running, the cyber criminals carry out their crime elsewhere in the network.
Additionally, identity theft is still a major problem, often thanks to credential theft. This is because it’s much easier to steal a trusted insider’s credentials and bypass traditional cybersecurity controls than it is to break through the firewall, which is why credential management has become so crucial to organizations’ cybersecurity.
A Good Reality Check
The Verizon DBIR always makes for an interesting read and it’s an excellent annual reality check for organizations all over the world. The report is a resource to keep us all up to date on the previous year’s cybersecurity events, as well as the attack technique trends and changes. It cannot be overstated that cybersecurity has become part of everyone’s daily lives, professional and personal. Once a concern only in the workplace, cyberattacks are now more common than ever and can affect anyone connected to the internet.
This year’s World Economic Forum Report lists cyber threats as the fourth greatest risk to world economies, behind climate change and natural disasters. Governments are taking cybersecurity seriously, increasing spending on both defensive and offensive countermeasures to combat the problem. Unfortunately, I believe that cyberattacks will be the biggest threat to every human being and business on earth and will trigger (or continue to trigger) future wars and political instability. The attacks on the Democratic National Convention (DNC) leading up to recent US elections are only the beginning.