Cybersecurity Surprises In The Verizon Data Breach Investigations Report
Every year, Verizon publishes its Data Breach Investigations Report, one of the most prominent and respected reports in cybersecurity. This year, the 2019 report was the most extensive piece of research to date, offering findings based on analysis of 41,686 security incidents, including 2,013 breaches. The report is required reading for all in security, including those of us focused on identity and access management. Historically, the report has confirmed what we at Idaptive preach – that lost or stolen credentials are the number one cause of breaches. Now that the dust has settled following publication, I’ve compiled my lists of what surprised me in the 2019 report, and what did not.
What Surprised Me:
Hacking vs Social Attacks
The report notes that 52% of breaches featured hacking, while only 33% involved social attacks. This reverses the trend seen in recent years, when a significant percentage of breaches tended to be driven by social attacks. The lower figure today may be attributable to end-user organizations having broader knowledge of how to prevent these types of attacks. People are now better at looking at websites and certificates to see if the URL actually matches. People are also – finally – starting to think twice about entering passwords in a website that has been sent in email. Anti-spam and anti-phishing technology has gotten better, and email service and server security tend to filter more efficiently than a decade ago.
While this change in the trend did surprise me, it makes sense given the evolution of the industry.
Executive Weak Spots
Executives were 12 times more likely to experience a social engineering incident. While the fact that executives are targeted isn’t surprising, the fact that they actually fall victim to social attacks is surprising. Social engineering and social attacks tend to be conceptually simpler, and one would hypothesize that it would be harder to successfully reach an executive. It is surprising that these social attacks do, in fact, succeed.
This leads me to believe that education of C-level executives around healthy practices and good cyber hygiene, and in terms of how to control access to critical information using the right security controls, is still extremely important. Information and insights from a user’s real-world identity, achieved through integration of IAM systems with identity proofing and corroboration systems, should be used when making the judgment to step up authentication or not.
Small Businesses Big Breach
The common perception is that there isn’t necessarily a lot of high value data and information centered in small businesses, so it was surprising to see that 43% of businesses affected by breaches came from this category. Targets of breaches typically tend to be larger enterprises, big banks and financial institutions that tend to have significant customer PII and other types of data. There is simply more to gain from these targets.
Identity theft and information theft are no longer just about getting high value information from a small number of people or organizations. Hacking and stealing PII data is now a volume game, and hackers seem to also go for a medium value of information from a large number of organizations.
Why would a hacker want to go after a “Mom and Pop” shop? One wonders what can be achieved by going after this data. But as more and more of these small businesses build up their online presence and transition to digital business models, it’s only natural that hackers see an avenue to go after them. To me, this seems like a wake-up call to smaller businesses, especially those that under-invest in technology based on a false sense of security. Being small will no longer be enough to keep you safe.
What Did NOT Surprise Me:
Privilege Abuse Continues
No surprise here: privilege abuse continues to be the biggest reason why breaches and incidents happen. Traditionally, insider threats and privilege abuse have been among the most common reasons for a breach, and they remain so.
Types of Assets Being Compromised
The most frequently breached assets tend to be things like email servers or database servers. Email servers contain a lot of information, including confidential communications between people. They can contain financial data and security data. They can hold executive-level communications. It continues to make sense why people target email servers as a primary asset. Databases also contain loads of information, including, potentially, credit card numbers.
Hackers know what assets will result in the biggest financial gain, and so it’s not surprising that these are the types of assets most compromised.
In the last few years, phishing, and spear phishing specifically, have become the most common way of getting information. As the authors of the report conclude, the design of mobile devices and how users interact with them likely contribute to this. The good news was that users tend to report clicking on phishing emails more quickly than in previous years.
The Verizon 2019 report demonstrates progress being made in the world of cybersecurity, but much can still be done to prevent breaches. Seemingly simple recommendations like reiterating good cyber hygiene tactics to employees and implementing multi-factor authentication solutions are good places to start. This calendar year has already been rife with security incidents and breaches, and I eagerly await Verizon’s analysis for the 2020 report. What will surprise me from the 2020 Verizon report?