To Err is Human, Unfortunately: 5 key findings from the 2023 Verizon Data Breach Investigations Report
This year, Verizon released its latest “Data Breach Investigations Report” (DBIR), which analyzed 16,312 security incidents, of which 5,199 were confirmed data breaches.* In contrast to last year’s report, this year’s focused more on the actual data breaches in order to bring concise and actionable findings to the table. Its overarching conclusion: in a time of so much uncertainty, hackers found new avenues to exploit the human element, using the same tried and true tactics.
1. Business Email Compromise (BEC) attacks (or pretexting attacks) now represent more than 50% of incidents within the Social Engineering pattern.
This year, the number of BEC/pretexting attacks almost doubled across the entire incident dataset of the DBIR. (Think: an email from your boss, or a direct message on social media from a friend or family member, stating they desperately need money.) What’s more, the median amount of money stolen by these attacks has also increased, to $50,000. Because of its effectiveness, pretexting is now more prevalent than phishing in social engineering incidents. Phishing is still on top for actual breaches, though. My assumption is that pretexting requires more effort than mass phishing campaigns, but with the growing visibility of AI and large language models, the report may be singing a different tune in 2024. This stat should send a clear message: verify, and then verify again, even if a message appears to be from someone you know.
2. 74% of all breaches include the human element.
The human element includes errors, privilege misuse, use of stolen credentials and social engineering. Let’s chat about errors, since we beat up social engineering in the previous finding. Errors account for a good chunk of the breach data, with misdelivery (sending something to the wrong recipient) claiming 43% of error breaches. Moving on, stolen credentials, which are largely used in basic web application attacks, allow attackers to access key information hiding in an organization’s emails, or even take code from repositories. This breach type’s continued appearance in the report highlights the importance of multifactor authentication and patch management.
3. 24% of all breaches involved ransomware, continuing its reign as one of the top action types in breaches.
“We have your data. Pay us.” Organized crime actors account for almost 80% of external breaches, and ransomware is present in more than 62% of their attacks. We all know what ransomware is, but since it’s a top tool used by the top actors, it’s important to understand how these attacks occur and how to protect your organization. Email, desktop sharing software and web applications are the top three vectors that bad actors use to access a system, so start there when reviewing your security setup. We actually have an awesome guide if you need help getting started with protecting your data.
4. There was a fourfold increase in the number of breaches involving cryptocurrency this year.
More money (types), more problems? Back in 2020 and earlier, the DBIR saw one or two cases involving cryptocurrency each year. The fact that cryptocurrency is a real player in this year’s report worries the DBIR writers, as this complication doesn’t make the threat landscape any easier. These types of breaches involve the coin networks and exchanges themselves being breached via their applications and application programming interfaces (APIs). They also include phishing and pretexting activity on coin community chat platforms (like Discord), where “after a simple click on a link, suddenly your wallet is not yours anymore.”
5. “SMBs and large organizations have increasingly become similar to each other. This phenomenon began several years ago, and by now there is so little difference based on organizational size that we were hard-pressed to make any distinctions whatsoever.”
A common misconception among SMBs is that they are too small to matter. Each year, the DBIR shows the enterprise and SMB data sets getting closer and closer to each other, signaling that there really is no difference in the frequency and type of attacks. The distinction that remains lies in the inability of SMBs to respond to these threats, because network owners did not know their assets, the software they had running or where their critical data was. The report goes on to cite a message to SMBs (and really, everyone) from the Center for Internet Security: “you can’t protect what you don’t know you have.”
My main takeaway from the report isn’t all that different from last year: keeping a network secure cannot and should not fall only to the security or IT department. Cybersecurity is a team effort, and everyone in your organization must keep security top of mind, from complicated passwords and two-factor authentication to avoiding public, unsecured Wi-Fi. Multilayered security and employee awareness training are crucial. Reach out to Sharp if you think you need better visibility into your security setup.
I’ll steal the DBIR’s perfect conclusion, “Be well, be prosperous, and be prepared for anything.”
*Incidents are security events that compromise assets, while breaches are the Trojan Horse: incidents that result in confirmed disclosure of data.