Cybercriminals Come Out Swinging: 5 key findings from the 2022 Verizon Data Breach Investigations Report
Verizon recently released its latest “Data Breach Investigations Report” (DBIR), which analyzed 23,896 security incidents, of which 5,212 were confirmed breaches*, in the timeframe from November 2020 to October 2021. The hefty report, which for a data-filled technical piece demands your attention with cheeky jargon, offers the latest insights into how threat actors are operating, who they’re targeting and the attack methods that are delivering results. Its overarching conclusion: this was one insane year in cybersecurity. Strap on your swimmies and let’s dive into the key findings of the report, along with some plain-English explanations:
No organization is safe without a plan to handle each of the four key paths that bad actors take to your information: credentials, phishing, exploiting vulnerabilities and botnets.
The ways in which you’re exposed to the internet are the ways in which you’re exposed to the bad guys. Web applications and email are the top two vectors for breaches, which makes sense given that the top action variety (the type of action taken to breach) was use of stolen credentials, followed by phishing. Stolen credentials are the weapon of choice for criminals because they allow the bad actor to masquerade as a legitimate user, moving through the victim’s network with ease. If you can access your documents and files directly over the internet simply by entering your credentials, so can the criminals. Applying proper multilayered security practices is the most important way to make sure criminals don’t get your password in the first place.
This year, ransomware rose nearly 13% - an increase as big as the last five years combined.
Ransomware was present in almost 70% of breaches last year. It is particularly dangerous because it compromises the confidentiality and integrity of the affected party’s data, which affects who must be notified about the breach and what actions must be taken. It also causes the affected party to lose availability of their data. It’s worth mentioning that ransomware can be delivered via a variety of methods, so every organization must have a plan to address the ransomware threat.
2021 illustrated how one key supply chain incident can lead to wide-ranging consequences.
The supply chain incident that shall not be named (rhymes with MolarShins) took Verizon’s report and turned it on its axis. Normally, the action that caused this breach, software updates, shows up in less than 1% of their data. This year, it shot that percentage up to 60%! This supply chain breach, like other big-news and meme-worthy events, may seem like a one-off, but the report warns that it could be indicative of larger industry trends in terms of how interconnected organizations have become. In recent years, the National Institute of Standards and Technology (NIST) and the US Department of Defense (DoD) have prioritized cybersecurity supply chain risk management (C-SCRM) to protect critical infrastructure. Though those regulations only apply to government entities and their supply chain, this is good advice for every organization.
Misconfigured cloud storage is still heavily responsible for breaches.
Verizon has seen many breach patterns change significantly since it began producing the DBIR, but one constant has been people making mistakes. Starting in 2018, many companies moved to cloud storage, and misconfiguration began to rise. Since then, there has been a slight decline thanks to widely adopted cybersecurity measures, but misconfiguring cloud accounts is still an issue. Gartner estimates that through 2025, 99% of cloud security failures will be caused by misconfigurations. They’re easy errors to make, especially in the wake of work from home and hybrid work. Proper controls and access permissions are often overlooked when an employee just needs to get online and get their job done. In many cases, cloud-to-cloud backup solutions are required to truly protect data, as the organizations hosting the data may not guarantee, or even offer, options to recover from cybersecurity incidents.
Social engineering continues to drive breaches – 82% of all breaches analyzed over the past year involved human error.
And now for the bee in our proverbial bonnets – phishing. Did you think you’d get through a cybersecurity blog post without hearing that word? In the DBIR, and as mentioned in #1 of this list, phishing was once again the main social engineering tactic used. Email continues to be where targets are most reachable and is therefore a favorite of cybercriminals. The report states that 2.9% of employees click on phishing emails (a small but mighty percentage given the number of incidents). More promising: over the last 5 years, employees reported 10% more phishing emails to their IT departments. That leads us to the ultimate question: can your organization both act on the percentage that were reported and find the 2.9% that clicked? Think of the largest invoices your organization sends or receives. A single incident could lead to $10,000, $100,000, or much more being routed to an attacker’s bank account. In many cases, they close the account and move the money before anyone notices. Everyone must work together to be on the defense – and it takes practice. A robust Security Awareness Training (SAT) program is the best defense to make your team expert social engineering spotters.
The report goes on to give industry-specific information, as well as a month-by-month wrap-up at the end. My main takeaway from the report is that keeping a network secure cannot and should not fall solely to the security or IT department. Cybersecurity is a team effort, and everyone in your organization must keep security top of mind – from complex passwords and two-factor authentication to avoiding public, unsecured Wi-Fi. Multilayered security and employee awareness training are crucial.
I’ll steal the DBIR’s perfect conclusion, “Be well, be prosperous, and be prepared for anything.”
*Incidents are security events that compromise assets, while breaches are the Trojan Horse and result in confirmed disclosure of data.