Poor visibility into the activities of home workers has security experts expecting a “huge surge” in demand as the COVID-19 pandemic resolves, a regional Verizon security executive has predicted as the company launches the latest update of its regular deep dive into global security incidents.

Verizon’s Data Breach Investigations Report (DBIR) 2020 – which analysed 32,002 security incidents including 3,950 confirmed security breaches – showed an encouraging reduction in the percentage of breaches attributable to poor patching, with which business and government organisations have long struggled.

With less than 5 per cent of breaches involving exploitation of a vulnerability, the report’s authors concluded, companies seem to be doing “a good job” when it comes to patching application vulnerabilities – one of several core recommendations in the widely-referenced ASD Essential Eight – “so keep it up”, they advised.

“It seems that a lot of the security programs that have been funded over the last few years are having an effect on getting some of that basic hygiene right,” Ashish Thapar, managing principal for Asia Pacific with Verizon’s Threat Research Advisory Centre (VTRAC), told Information Age.

“There are certain things that are definitely working, and should continue to flourish and improve.”

Getting it right – and wrong

The findings – which also included a suggestion that security tools are getting better at blocking common malware – were a bright spot in a report peppered with statistics suggesting cybercriminals are exploiting companies using attack methods that require far less technical skill than in the past.

Attacks on web applications doubled to account for 43 per cent of all confirmed breaches in 2019, while ransomware had surged to 27 per cent of malware incidents.

Ransomware’s growth has seen a growing list of victims like Toll Group, whose business was thrown into chaos for the second time this year after a recent ransomware attack.

Also surging was the cybercriminals’ focus on personal data – which was compromised in 58 per cent of breaches – and the volume of attacks attributed to organised cybercriminal groups, which soared from 39 per cent of breaches in 2018 to 55 per cent in 2019.

This jump heralded a massive spike in targeted crime for financial gain, but many companies were also kicking own-goals – with the proportion of breaches due to an error doubling over the previous year, to 17 per cent.

This put errors into the top-three breach causes for the first time ever, along with credential theft and social-media attacks – making it a particular concern for Thapar.

High rates of error-caused breaches, he said, suggest that many companies are moving quickly to cloud-based platforms without properly securing the data they hold.

“It’s easy to spin up services in the cloud and spin them down,” he explained, “but it’s also easy to misconfigure these platforms.”

“Just because it’s in the cloud doesn’t mean that you don’t have to apply the same amount of security rigour you apply to data sets that are sitting in your own data centres.”

A worrying baseline

Despite “steady declines” in exploits of software vulnerabilities, growth in other attack methods during 2019 painted a worrying picture for 2020 – with the global shift to remote working opening up new vectors for attack that won’t be fully clear until next year’s report.

“Because of the forced disruption that has happened in many organisations, they were caught completely unawares about how to start remote working,” Thapar explained.

“They were opening up firewall policies for VPN and secure remote access, and this has given an ample amount of opportunity for the bad guys to take advantage of gullible users.”

It had also created new opportunities for malicious insiders who may be tempted to seize upon their newfound freedoms to instigate theft, fraud, or compromise of newly exposed systems.

This threat has been considered serious enough by the NSW Independent Commission for Corruption that it recently released guidance about the new security risks posed in the COVID-19 environment.

“Both literally and figuratively, COVID-19 means that staff are being left to their own devices, which is often associated with an increase in corrupt conduct in the limited number of employees who lack integrity,” the agency said in recommending protective policies.

Yet with businesses scrambling just to keep the wheels on, Thapar said many security staff were flying blind for the moment – and expects security consultants will be flat-out helping them catch up as easing restrictions let staff refocus their watch.

“There are less eyes on the screen right now,” he said, “and many people will come back to realise that something has happened, and they missed it in all the disruption.”

“We are already planning for a huge surge in our case work when organisations start opening up and bringing back eyes on the screen – but right now, that lack of availability, and lack of visibility to core systems, is taking its toll.”