3 Key Takeaways from the 2019 Verizon Data Breach Investigations Report (DBIR)

The annual Verizon Data Breach Investigations Report (DBIR) provides an in-depth analysis of data breach trends and aims to enable organizations to prevent and defend against attacks. Here are 3 key takeaways from this year's DBIR.

Every year security professionals eagerly await Verizon’s Data Breach Investigations Report (DBIR). With the ever-increasing number of data security incidents worldwide, Verizon’s annual analysis of data breach activity has become an essential tool for understanding cyber-attacks, data breaches, data leaks, and espionage.

What is the Verizon DBIR?

The Verizon Data Breach Investigations Report, commonly referred to as the Verizon DBIR, is an annual research report produced by the Verizon RISK (Research, Investigations, Solutions, Knowledge) team within Verizon Enterprise Services. The Verizon DBIR analyzes the past year’s security incident activity with a focus on data breaches. Cybersecurity professionals rely on this report as a metric that shows them where security methods and technologies are failing to prevent cyber threats. Information from the Verizon DBIR helps guide the focus of future security efforts. Over the years, the Verizon DBIR has come to be seen as a gauge of the state of security and a trend monitor providing insight on where attackers are directing their efforts.

What’s in the Verizon DBIR?

First published in 2008, the Verizon DBIR combines data from a global collective of public and private organizations as well as Verizon’s RISK team. Contributing entities include law enforcement agencies, national incident-reporting entities, research institutions, private security firms, and Verizon itself. The 2019 Verizon DBIR details more than 41,000 security incidents from 86 countries, including over 2,000 confirmed breaches. Notably, it also contains FBI contributions to the data analytics for the first time in its decade-long history.

Why does the Verizon DBIR matter?

The Verizon DBIR for 2019 takes data from 41,686 security incidents across 66 global data sources, analyzes the findings, and then distills them into an easy-to-read 77-page report that uses simple charts and ‘plain English’ explanations to describe common attack patterns and how often each attack vector results in a data breach. Attack attempts, including point-of-sale intrusions, Web application attacks, insider threats, physical theft, crimeware, payment card skimmers, denial of service, cyber-espionage, and miscellaneous errors, are analyzed and broken down into digestible facts. This report also maps out threat actors, examines the types of organizations targeted, and scrutinizes security controls. The goal of the DBIR is to enable organizations to prevent and defend against attacks to reduce the number of data breaches worldwide.

Key Takeaways from the 2019 Verizon DBIR

It’s no secret the business sector takes cybersecurity threats seriously, but building an effective and robust cybersecurity program is both time-consuming and expensive. The Verizon DBIR offers insights that allow organizations to evolve their defense. Governments are finally taking cybersecurity seriously. The increased spending on both defensive and offensive countermeasures to combat cybersecurity threats in both the public and private sector stands as an interesting counterpoint to what the Verizon DBIR tells us threat actors are doing. Cybercriminals who are successfully hacking into businesses and government entities around the globe are using the most common techniques and the cheapest methods to exploit our vulnerabilities, while leveraging the human risk factor heavily in their attempts.

Social Engineering Works

Figure 3 by Verizon via 2019 Data Breach Investigations Report

Figure 3 of the 2019 DBIR indicates that 33% of the tactics utilized are social, and Figure 5 shows us that 32% of breaches involved phishing and that 29% involved stolen credentials. These numbers indicate that social engineering is still a significant component in the world of cybercrime. This makes sense, as it is a low-cost, low-technology attack that focuses on the weakest asset in any organization, public or private - the people.

Figure 5 by Verizon via 2019 Data Breach Investigations Report

Social engineering attacks and phishing target people because tricking or manipulating someone into unknowingly giving up sensitive information is less expensive and less time-consuming than breaking in. It's an easy way to access valuable data, and the access may not be discovered right away. Figure 5 also establishes that 56% of breaches took months or longer to discover. Because social engineering often leads to stolen credentials, it's significantly harder to detect early. As we discussed previously, people are the weakest link in the cybersecurity chain. Educated, vigilant employees are often an organization's best defense.

The C-suite is Under Fire

Figure 13 by Verizon via 2019 Data Breach Investigations Report

Figure 13, which breaks down the top hacking action varieties in breaches, shows that the use of stolen credentials tops the chart at around 70%. The DBIR warns that members of the C-suite were twelve times more likely to be targets of social incidents and nine times more likely to be victims of social breaches. C-suite executive credentials offer a tempting target both for exploiting the elevated privileges and for the opportunity to manipulate other employees into misusing their privileges. Consider how easily an email from the CEO can get employees to share sensitive financial information or make significant funds transfers, similar to the transaction in the recent Toyota breach.

Half the Victims were Small Businesses

The executive summary of the DBIR points out, “No organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack. Regardless of the type or amount of your organization’s data, there is someone out there who is trying to steal it.” Too often, small and medium businesses think that they won’t be targeted because of their size, but that’s simply not true. Small businesses accounted for just under half of the breaches in the 2019 DBIR.

This is evidence that cybercriminals see value in small businesses. It makes sense as many small businesses don’t have the resources to spend on security programs or applications. It’s not uncommon for small businesses to be hacked as a part of the supply chain. This means that small businesses need to start thinking strategically about their security options.

Not If, When

The Verizon DBIR 2019 gives us a lot of useful information, but one thing it makes very clear is that cybercriminals are using tried and true methods to exploit the weakest links and are aiming effectively with phishing and social engineering attacks. Your business need not be a multimillion-dollar business to face a data breach. It's easy to become a victim of ransomware or other malware through something as simple as an email. One click is all it takes to give a cybercriminal a foot in the door.

Comprehensive security awareness training can reduce the risk of a cyber-attack. One positive trend in the Verizon DBIR is the indication that educated employees are less likely to click on a malicious email than in the past. Continuous education and awareness can evolve your employees from the weakest link to your first line of defense in your cybersecurity strategy.

Zeguro Cyber Safety includes employee training, pre-built security policies to help you reduce your risk, and web app scanning to help prevent breaches. Zeguro also offers an easy-to-use, online quoting engine for cyber insurance, which makes sense when you consider that the 2019 DBIR shows a worldwide increase in attacks. Everyone is a target. It isn’t as much if you will be attacked, it’s a matter of when. You might be the direct target or a secondary victim; you may be a target of opportunity. The bottom line is that your business is a target. Your job is to make your organization a hard target to hit. Fortunately, Zeguro has also just announced a 30-day free trial of its Cyber Safety solution.


Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Written by Dan Smith, Co-Founder & President

15 years’ experience in cyber security & technology leadership, with extensive career in defense, banking & government sectors; Proven entrepreneur.