Social engineering attacks were the most common cause of data breaches, and human error was rife during a tumultuous 2020, Verizon has reported in its latest Data Breach Investigations Report (DBIR).
With data on 29,207 incidents and 5,258 confirmed breaches – up a third compared with last year’s report – the 2021 edition of the DBIR fulfilled expectations set last year, when growing uncertainty around the escalating COVID-19 crisis led Verizon to predict that cyber criminals would take advantage of the confusion to increase their attack volume and ferocity.
“We were partially correct,” the report’s authors note, flagging an 11 per cent increase in phishing attacks compared to 2019 and a 6 per cent increase in ransomware during what they summed up as “quite a year”.
This surging climate of attack had kept security “on the minds of a lot more people than it used to be,” Prescott Pym, head of managed security services within Verizon’s Canberra-based security operations centre (SOC), told Information Age.
“We see a lot of organisations are a lot more mature, and putting security throughout processes – particularly in large projects that weren’t necessarily there before.”
That maturity suggests many organisations, pushed by the pressures of the past year to accelerate their digital transformation, had heeded calls to build security into their projects from the ground up – an encouraging sign for those promoting DevOps and DevSecOps strategies for better security.
“I did have the fear that as we were going through this, with budgets being stripped back to make organisations more lean, that would impact some of the work they were doing around their programs,” Pym said. “But that wasn’t necessarily the case: organisations realise that security is still pretty critical.”
Yet people were still proving to be vulnerable, with cybercriminals targeting employees outside of their normal network protections using phishing ‘lures’ that tapped fear and uncertainty around the coronavirus and global governments’ response.
Fully 85 per cent of data breaches involved a human element, Verizon noted, with phishing present in 36 per cent of breaches – up from 25 per cent last year – and business email compromise (BEC) attacks weighing in as the second most common form of social engineering attack.
Successful breaches were imposing a real cost on their victims, with Verizon reporting the median cost of cybersecurity incidents that had an impact as $27,820 ($US21,659) – and the top 5 per cent of incidents costing the victim company more than $839,000 ($US653,587).
“I can’t believe we haven’t solved phishing yet from a technology perspective,” Pym said, “because we can’t solve it from a people perspective. You can put processes in place, but at the end of the day people are still going to click on links.”
Cloud security, and its silver lining
Widespread changes in work patterns during 2020 – which saw millions of employees working from home using remote-desktop software – drove a surge in cybercriminal strategies that made desktop sharing tools the second most exploited method of breaching a victim company’s network, behind web applications.
With pandemic-era pressures pushing many companies to cloud-based software-as-a-service (SaaS) tools – and other companies pushing developers to build digital services – growing reliance on web applications was reflected in Verizon’s numbers.
Compromised cloud assets “were more common than on-premises assets in both incidents and breaches”, the company observed, noting a simultaneous decline in the compromise of user devices such as laptops and desktops.
“This makes sense when we consider that breaches are moving toward social and web application vectors,” the report notes, “such as gathering credentials and using them against cloud-based email systems.”
Yet there were some measures of positivity, with the report identifying a decline during 2020 in cloud misconfiguration errors (down 2 per cent) and in accidental misdelivery of information (down 6 per cent).
Cloud misconfiguration errors – which have repeatedly seen sensitive data published online when cloud-hosted ‘buckets’ are erroneously configured for public access – surged several years ago when the services were set up for public access by default.
The new figures, however, suggest that cloud software developers have finally gotten the security message, said Verizon Business Group security solutions consultant Aaron Sharp.
Indeed, errors overall decreased as a percentage of all breaches – from 22 per cent to 17 per cent – reversing a three-year trend in which errors had either grown or remained the same.
“You have to work pretty hard these days to make an Amazon S3 bucket public,” he explained, “and I think a lot of organisations are lifting their game, and looking at things like the Essential Eight, and doing basic hygiene around good security – and that is starting to pay dividends.”