C-level executives who have access to a company’s most sensitive information are now the major focus for social engineering attacks, warns the Verizon 2019 Data Breach Investigations Report. Senior executives are 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in previous years – and financial motivation remains the key driver. Financially-motivated social engineering attacks (12% of all data breaches analysed) are a key topic in this year’s report, highlighting the critical need to ensure all levels of employees are made aware of the potential impact of cybercrime.
“Enterprises are increasingly using edge-based applications to deliver credible insights and experience. Supply chain data, video and other critical – often personal – data will be assembled and analysed at eye-blink speed, changing how applications utilise secure network capabilities,” said George Fischer, President of Verizon Global Enterprise. “Security must remain front and centre when implementing these new applications and architectures.
“Technical IT hygiene and network security are table stakes when it comes to reducing risk. It all begins with understanding your risk posture and the threat landscape so you can develop and action a solid plan to protect your business against the reality of cybercrime. Knowledge is power and Verizon’s DBIR offers organisations large and small a comprehensive overview of the cyberthreat landscape today so they can quickly develop effective defence strategies.”
A successful pretexting attack on senior executives can reap large dividends as a result of their – often unchallenged – approval authority and privileged access into critical systems. Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through. The increasing success of social attacks such as business email compromises (BECs – which represent 370 incidents or 248 confirmed breaches of those analysed) can be linked to the unhealthy combination of a stressful business environment and a lack of focused education on the risks of cybercrime.
This year’s findings also highlight how the growing trend to share and store information within cost-effective cloud-based solutions is exposing companies to additional security risks. Analysis found that there was a substantial shift towards compromise of cloud-based email accounts via the use of stolen credentials. In addition, publishing errors in the cloud are increasing year-over-year. Misconfiguration (‘Miscellaneous Errors’) led to a number of massive, cloud-based file storage breaches, exposing at least 60 million records analysed in the DBIR dataset. This accounts for 21% of breaches caused by errors.
Bryan Sartin, Executive Director of Security Professional Services at Verizon, commented: “As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed. They really need access to cyberdetection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyberthreats. Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses and impacts the bottom line.”
Major findings in summary
The DBIR continues to deliver comprehensive data-driven analysis of the cyberthreat landscape. Major findings of the 2019 report include:
- New analysis from FBI Internet Crime Complaint Center (IC3): Provides insightful analysis of the impact of Business Email Compromises (BECs) and Computer Data Breaches (CDBs). The findings highlight how BECs can be remedied. When the IC3 Recovery Asset Team acts upon BECs and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered
- Attacks on Human Resource personnel have decreased from last year: Findings saw six times fewer Human Resource personnel being impacted this year compared to last, correlating with W-2 tax form scams almost disappearing from the DBIR dataset
- Chip and PIN payment technology has started delivering security dividends: The number of physical terminal compromises in payment card-related breaches is decreasing compared to web application compromises
- Ransomware attacks are still going strong: They account for nearly 24% of incidents where malware was used. Ransomware has become so commonplace that it is less frequently mentioned in the specialised media unless there is a high profile target
- Media-hyped cryptomining attacks were hardly existent: These types of attacks were not listed in the top 10 malware varieties and only accounted for roughly 2% of incidents
- Outsider threats remain dominant: External threat actors are still the primary force behind attacks (69% of breaches) with insiders accounting for 34%
Putting business sectors under the microscope
Once again, this year’s report highlights the biggest threats faced by individual industries and also offers guidance on what companies can do to mitigate these risks.
“Every year we analyse data and alert companies as to the latest cybercriminal trends in order for them to refocus their security strategies and proactively protect their businesses from cyberthreats. However, even though we see specific targets and attack locations change, ultimately the tactics used by the criminals remain the same. There is an urgent need for businesses – large and small – to put the security of their business and protection of customer data first. Often even basic security practices and common sense deter cybercrime,” said Sartin.
Industry findings of note include:
- Educational Services: There was a noticeable shift towards financially-motivated crime (80%). A total of 35% of all breaches were due to human error and approximately a quarter of breaches arose from web application attacks, most of which were attributable to the use of stolen credentials used to access cloud-based email
- Healthcare: This business sector continues to be the only industry to show a greater number of insider than external attacks (60% versus 42% respectively). Unsurprisingly, medical data is 18 times more likely to be compromised in this industry and when an internal actor is involved, it is 14 times more likely to be a medical professional such as a doctor or nurse
- Manufacturing: For the second year in a row, financially-motivated attacks outnumber cyberespionage as the main reason for breaches in manufacturing and this year by a more significant percentage (68%)
- Public Sector: Cyberespionage rose this year – however, nearly 47% of breaches were only discovered years after the initial attack
- Retail: Since 2015, Point of Sale (PoS) breaches have decreased by a factor of 10, while Web Application breaches are now 13 times more likely
(More findings on all individual industries may be located in the full report.)
More data from highest number of contributors ever means deeper insights
“We are privileged to include data from more contributors this year than ever before and had the pleasure of welcoming the FBI into our fold for the very first time,” said Sartin. “We are able to provide the valuable insights from our DBIR research as a result of the participation of our renowned contributors. We would like to thank them all for their continued support and welcome other organisations from around the world to join us in our forthcoming editions.”
Heavily involved in the creation of the DBIR was the research team at computer and network security company, Rapid7. Bob Rudis, Chief Data Scientist at Rapid7, commented on this telling graph in particular: “There are (at least) two disturbing trends in the 2019 DBIR. First, the rise of breaches involving state-affiliated actors, which is set to eclipse organised crime actors as the apex adversary and secondly, the data-backed confirmation that we are definitely facing adaptable adversaries who will do almost anything to get what they want.
“I suspect many incompetent audit departments are going to zoom in on that ‘System Admin’ line with utter glee and use it to double down on draconian findings that do little more than impair the ability of security teams to focus on real threats. If you read the nearby text in the DBIR you’ll see that most of these ‘System Admin’-caused breaches are — in fact — due to errors rather than rogue admins planting logic bombs. These errors are generally server misconfigurations, something we see a great deal of in Rapid7’s Project Heisenberg and Project Sonar research, or data left out in the open on cloud services such as Amazon’s S3.”
This is the 12th edition of the DBIR and boasts the highest number of global contributors so far – 73 contributors since its launch in 2008. It contains analysis of 41,686 security incidents, which includes 2,013 confirmed breaches. With this increase of contributors, Verizon saw a substantial increase of data to be analysed, totalling approximately 1.5 billion data points of non-incident data.
This year’s report also debuts new metrics and reasoning which help identify which services are seen as the most lucrative for attackers to both scan for and attack at scale. This analysis is based on honeypot and Internet scan data.
The complete Verizon 2019 Data Breach Investigations Report, as well as the Executive Summary, is available on the DBIR resource page.