The Verizon Data Breach Investigation Report returns for an 11th straight year. In this edition, the study includes over 53,000 incidents and 2,216 confirmed data breaches sourced from multiple data contributors. We encourage you to download it for yourself and read it cover to cover. Please note that all statistics and visuals below come directly from the report.
Reports of this kind commonly manipulate numbers and statistics to push a specific narrative, and this one does admit that its process carries an inherent amount of bias (discussed in Appendix E). Regardless, the data presents a broad view of the state of cybersecurity. How you use the data depends on what you want to learn. We recommend following the report’s advice on how to view its findings:
“At first glance, it is possible that one could view this report as describing an information security dystopia since it is made up of incidents where the bad guys won, but we don’t think that is the correct way to look at it. Rather than simply seeing the DBIR as a litany of nefarious events that have been successfully perpetrated against others and, therefore, may happen to you, think of it more as a recipe for success. If you want your security program to prosper and mature, defend against the threats exposed in these pages.”
Only 17% of Phishing Campaigns Were Reported
Developing and implementing an incident response plan belongs at the top of every organization’s to-do list. But that plan does no good if employees don’t report security events. Even though the report shared some good news regarding click rates (78% of people didn’t click on phishing links all year!), the number of people who failed to report a phishing incident is cause for concern.
Obviously, training employees not to click takes precedence in most security awareness programs. But if you want to mitigate damage caused by clicks, employees need to know how and when to report the incident and be encouraged to do so immediately. Time is of the essence. The sooner you can identify a phishing attack, the sooner you can disable it.
Ransomware and Botnets Ruled Supreme
Within the 1,379 incidents involving a specific type of malware, ransomware accounted for more than half (56%). The healthcare industry was hit especially hard: there, ransomware accounted for 85% of all malware. And even though these numbers are alarming, they’re hardly surprising. As the report notes, ransomware is opportunistic, inexpensive, low-risk, and ultimately profitable for cybercriminals.
Even more alarming numbers show themselves in the botnet section. According to the report, “over 43,000 breaches involved the use of customer credentials stolen from botnet infected clients.” This attack showed up on every populated continent and targeted banking organizations 91% of the time.
12% of Data Breaches Involved Privilege Misuse
The report defines privilege misuse as “any unapproved or malicious use of organizational resources.” And the numbers speak for themselves. Even though most breaches featured hacking perpetrated by outsiders, insider threats accounted for a discouraging share. That 12% stat may not intimidate you at first, but considering it reflects a lapse in one of the simplest security practices (following policy and respecting privileged access), you can see how the number creates frustration among organizations.
Perhaps even more frustrating, 17% of breaches were the result of human error. According to the report, misdelivery (sending info to an incorrect recipient) accounted for over half of these errors. It’s possible that some of the incidents counted here overlap with those counted under privilege misuse, but the net result illuminates the seriousness of the insider threat and the need to mitigate it.
Financial Pretexting Rose From 61 Incidents to 170
Pretexting, defined as the creation of a false narrative to obtain information or influence behavior, was responsible for 170 incidents and 114 confirmed data breaches in social attacks. Phishing, of course, ranked as the top social attack once again, contributing to 1,192 incidents and 236 confirmed breaches.
But the trend of pretexting in the financial industry stands out. Unlike phishing, pretexting doesn’t rely on malware or clicks to successfully scam the criminal’s targets. Instead, it utilizes good old-fashioned social engineering. By creating a false scenario and generating a back-and-forth with the victim, attackers gain trust, abuse that trust, and successfully steal information or money. This process demonstrates how business email compromise became a $5 billion scam in just a few years’ time.
Insiders Caused the Majority of Breaches in Healthcare
Of the nine industries specifically reviewed by the report, healthcare was the only one to have more incidents created by internal actors than external actors. Error and misuse accounted for 56% of breaches.
Regarding misuse, the study reports that privilege abuse (unauthorized access, for example) appeared in 74% of cases. Why so high? Apparently, “fun or curiosity” accounted for 47% of privilege-abuse motives (when known). The report notes:
“Examples of this are when an employee sees that their date from last weekend just came in for a checkup, or a celebrity visits the hospital and curiosity gets the better of common sense.”
Curiosity aside, financial gain was the motivation in 40% of misuse breaches, reiterating the need for organizations to focus on threats posed by insiders.
58% of Victims Were Small Businesses
Let’s take this opportunity to highlight an important concept of cybersecurity: criminals have no bias. In fact, small businesses might have a bigger bullseye on them than large corporations, which have greater access to resources for combating cybercrime and external attacks. Not only can large organizations afford to coordinate large-scale training efforts, but they can also afford robust security technology and third-party solutions.
Do those resources make an organization more resilient to cyber-attacks? Results may vary. But they might make them less attractive to cybercriminals than, say, a small medical office or mom-and-pop restaurant that can’t commit as many resources to security awareness and defense.
Resources aside, if you’re the owner or manager of a small business, assuming cybercriminals won’t target you because you’re a small business creates a dangerous culture. If anything, the exact opposite is true.