For those concerned with cyber-security, Verizon’s annual Data Breach Report looks at the trends impacting the negative side of a world where – as the saying goes – data wants to be free. The report examines thousands of data breaches across the globe and provides technology leaders with insight into how these threats are evolving over time.
Doing so, however, can be problematic. The writers are quick to point out that their methodology requires the reader to understand that the inputs to the report are changing as quickly as the tactics of the hackers. As such, it’s not simple enough to say that malware is “up” or “down.” A simple example: the amount of data exposure discovered by external security firms was up dramatically, but the report acknowledges this could reflect more companies hiring those firms as much as it suggests that the researchers are finding more breaches and/or the possibility that there are more breaches. Clearly, this space is rapidly changing.
Still, CTOs remain abundantly concerned with cyber-security, so reviews of the trends should be studied, albeit with this understanding in mind.
If there is a common thread relevant to those of us in the custom software development business, it would be this: the cloud has elevated the necessity of businesses to be concerned about security.
As companies add more digital offerings, they necessarily are increasing their ‘attack surface,’ creating more opportunities for cybercriminals to capitalize on certain weaknesses – whether they’re systemic or due to human error.
Let’s deep dive into critical insights derived from the 2020 report.
Vulnerability Versus Actual Attacks
Comprehension of Verizon’s report requires a quick understanding of the two datasets found within: incidents and breaches. In the former, a discovery has been made that data has been exposed, resulting in the potential of an unauthorized third party gaining access to the information. Should it be proven that the data was in fact taken by the third party, the result is known as a data breach. As an analogy, leaving one’s front door unlocked would be an example of an incident. A burglar passing through the doorway and leaving with a stereo would be a breach.
Such an understanding of the difference is critical, as the threat of breaches has led to more corporations hiring security firms to do threat assessments, and reporting requirements likewise require companies to disclose when data is found to be at risk. Thus, while the likelihood of a data breach is more abundant than ever, the rise of incidents can be attributed, in no small part, to the efforts of companies to improve security.
The Call is Coming From Inside the House
Though there is no shortage of nefarious actors seeking to steal privileged data from company databases, it can’t be overstated: the greatest threat to cybersecurity is due to improper configuration (or human error) by professionals tasked with developing these systems. In most cases, corporations are allowing their front doors to remain unlocked and the burglars enter, absconding with property that is then posted or sold online.
Though the end result is the same, this is in stark contrast to the public perception of a brute force hacker breaking their way into a database. At the same time, it’s been said that most crimes are crimes of opportunity, so such statements shouldn’t be that surprising.
More to that point, a large percentage of true breaches do occur through the use of lost or stolen credentials, giving further credence to the fact that too many companies make it too easy for problems to occur.
It’s Not Usually About the Tool
Though Hollywood loves to paint a picture of talented hackers using cutting-edge tactics to navigate into highly protected databases, the truth is far more mundane; humans are generally the culprits.
From passwords that are easily compromised (or worse, shared) or misuse by authorized users, the data clearly shows that employees are compromised more than databases. And moreover, with more decentralized workforces, this trend is also likely to continue.
Researchers recommend continued education and awareness for employees in the areas of threat avoidance.
Social Engineering is a Preferred Method of Attack
As previously stated, though some hackers utilize brute force attacks to gain access to sensitive data, the more common approach is the simpler one; they simply ask for logins and passwords via phishing tactics designed to look like regular email requests.
Successful phishing campaigns provide cybercriminals with sensitive information and credentials that can be used to gain unauthorized access to a system and complete their objectives, whether it is to establish their foothold, extract data, or destroy the project.
Here are a few things organizations can do to protect their environment:
- Email banners must screen and notify recipients when an email comes from outside the company. Basic email banners can be created with free tools like Microsoft Office 365 in a matter of minutes.
- SPAM filters can be used to screen phishing attempts and stop messages from being delivered. Companies should consider the automatic removal of known spam and phishing campaign emails from all mailboxes of employees.
- Use multi-factor authentication on all applications and services that are available to the public – without any exceptions. MFA has been shown to block nearly all account compromise attacks because hackers are no longer able to access a system using a password.
Industry Data Should be Considered Suspect
Though Verizon’s Data Breach Investigations Report is admirable for its attempts to segment incidents and breaches according to industry vertical, this particular cut of data must also be examined with a discerning eye. While some industries are certainly preferred by attackers, compliance regulations have a very direct impact on the breaches that become known to the public.
Moreover, breaches vary greatly in severity. Colonial Pipeline fits neatly within a vertical with very few incidents in Verizon’s report, yet their recent ransomware attack had a catastrophic (if gratefully, short-term) impact on fuel delivery in 2021.
Despite industry vertical data being suspect, one of the curious trends to emerge in this year’s report was the number of small to medium-sized businesses to report incidents and breaches in 2020. Clearly, security has reached far beyond the enterprise, a trend that is certain to continue in the coming years as more companies move more data to the cloud.
The Verizon Data Breach Investigations Report contains valuable insights that technology leaders can use to benchmark their own experiences across a broad swath of organizations. Though the report changes so dramatically that year-by-year comparisons are difficult, these changes in methodology should be considered timely responses to an ever-changing landscape of threats.