Verizon Data Breach Investigations Report: Money Is Top Motivator

Not shockingly, malicious hackers want your money. But there are some surprising results.

Edward Gately, Senior News Editor

May 20, 2020

6 Min Read
Data Breach
Shutterstock

Cold, hard cash is what matters most to cybercriminals, according to the latest Verizon Business Data Breach Investigations Report (DBIR).

The 13th annual data breach investigations report analyzed 32,002 security incidents. Of those, the carrier confirmed 3,950 were breaches. Verizon analyzed just half that many – 2,013 – in last year’s report.

Verizon-DBIR.png

This year’s Verizon DBIR found credential theft and social attacks such as phishing and business email compromises at the heart of most breaches.

These cases came from 81 global contributors from 81 countries.

“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, Verizon Business‘ CEO. “In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”

Money motivated criminals in nearly nine of the 10 breaches. In addition, external actors continue to cause the vast majority of breaches. Organized crime accounts for 55% of these.

Credential theft and social attacks such as phishing and business email compromises (BEC) are at the heart of most breaches. Specifically, more than one third (37%) of credential theft breaches used stolen or weak credentials. One in four (25%) involved phishing, and human error accounted for more than one in five (22%).

New Surprises

Gabriel Bassett is a data scientist at Verizon and DBIR co-author. He said there are two surprises in the latest data breach investigations report.

Bassett-Gabriel_Verizon.jpg

Verizon’s Gabriel Bassett

“First, web applications doubling in breaches sets an ominous tone for the 2021 DBIR,” he said. “This is heavily tied to the use of stolen credentials. For organizations that have transitioned to supporting a remote workforce using web services, this won’t be as much of an issue. But for organizations just now making that transition, this may be a challenge. The attackers are already there waiting for them.”

The second surprise is the increase in errors overtaking malware as a cause of breaches, Bassett said.

“It was driven by an increase in discovery of cloud storage (both file storage and databases) that were shared publicly but contained private information,” he said. “On the other hand, while some malware (such as ransomware and password dumpers) increased, common types of malware we traditionally think of (for example, trojans) dropped precipitously. I think this change points to progress in security, but also suggests that organizations need to refocus some of their defensive resources on improving processes to avoid and mitigate errors rather than worrying about the latest malware threat.”

Four in five (80%) web application breaches involved stolen credentials. That’s a worrisome trend as business-critical workflows continue to move to the cloud.

Ransomware also saw a slight increase, found in 27% of malware incidents. That’s up from 24% in the 2019 DBIR. More than one in six (18%) organizations reported blocking at least one piece of ransomware last year.

“I think the first thing to take away is that many of the things we do in security work and work well, so we need to ensure that these strategies continue to be used,” Bassett said. “Firewalls, antivirus, web and email proxies, patching and vulnerability scanning are all helping us stay secure.”

Opportunities for Cybersecurity Providers

Still, there are opportunities, he said. Phishing and credentials are still the top actions, he said.

“While we know what to do about these, many organizations need help implementing them — whether it’s two-factor authentication, phishing response or transition to email solutions with robust phishing protections,” Bassett said. “There are also up-and-coming opportunities such as better asset management or process improvement (long applied to manufacturing) to prevent errors leading to breaches. I also believe thinking in terms of paths offers a huge array of opportunities to reimagine how we accomplish security tasks.”

Every organization, large or small, needs security operations, he said.

“While large organizations may be able to maintain a security operations center (SOC), small and medium organizations need to …

… take advantage of economies of scale,” Bassett said.

Managed security services are key to an SMB’s defense, Bassett added. That, and building security into other products, such as point-of-sale systems, that they use.

The growing number of SMBs using cloud-and web-based applications and tools has made them prime targets for cybercriminals. Phishing is the biggest threat for small businesses, accounting for more than 30% of breaches.

Security remains a challenge across the board for verticals. However, there are some differences. For example, in manufacturing, almost one in four (23%) malware incidents involved ransomware. That compares tp 61% in the public sector and 80% in educational services.

Errors accounted for one in three (33%) public sector breaches, but only 12% of manufacturing.

In North America, stolen credentials is the most common technique. That accounted for nearly 80% of hacking breaches. One in three (33%) breaches involved either phishing or pretexting.

Good News

“I think there is good news when it comes to security,” Bassett said. “The drop in malware certainly isn’t due to attackers not trying. That suggests to me that our malware defenses (antivirus, web and email proxies, etc.) are doing their job, even if they’re not perfect. Also, while we continue to hear of significant vulnerabilities and we know that most organizations only get 57% of their significant vulnerabilities patched in the first quarter, we only see single-digit counts of actors exploiting vulnerabilities in breaches.”

To Bassett, that means vulnerability management, patching and filtering are slowing the bad actors down. But that’s not to say you can ignore vulnerabilities.

“If you put an asset with old vulnerabilities on the internet, it’s likely to be exploited, as there are a number of well-known, easy-to-exploit vulnerabilities that attackers are continuously scanning the internet for,” Bassett said. “And it may not be intentional. While 43% of organizations’ internet-facing assets are in their first network … the rest are most commonly spread out over four additional networks. Assets in those areas may not be known and may be part of an organization’s responsibility, but not securely managed.”

Distributed denial of service (DDoS) is another good news story, he said. While it is the top incident variety, the most common DDoS attack size was 570 megabits per second. That’s well within the limits of almost any DDoS mitigation service.

“Even the top DDoS’s are mitigatable, meaning that an organization worried about DDoS can retain a mitigation service and sleep easy,” he said.

There is a new way of thinking about breaches that can expand defenders’ options, Bassett said.

“If you think about a breach as a point in time, there’s only before the breach when it’s too early to respond, and after, when it’s too late,” he said. “If you think of the breach as a series of actions that have to happen, you can pick when and where to respond to the attacker. You can lengthen the path so that it’s less appealing to attackers or not accomplishable at all. You can use what you have detected to guide looking for things you may not have detected. It’s a positive story for defenders that offers multiple opportunities to improve against attackers.”

Read more about:

Agents

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like