The number of ransomware incidents grew more during 2021 than in the five years before, and crime networks are now responsible for 4 out of 5 cyber attacks.

The findings headline a compendium of new data analysing the 23,896 security incidents and 5,212 confirmed data breaches contained in Verizon’s 2022 Data Breach Investigations Report (DBIR).

The report – which found that nearly half of all breaches were caused by compromised credentials and that 82 per cent involved human error – labelled the past year’s cyber security climate as “extraordinary” and noted that “financially-motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”

Four key vectors – credentials, phishing, exploiting vulnerabilities, and the use of botnets – were singled out as the key mechanisms by which cybercriminals compromise their targets and, the report’s authors note, “no organisation is safe without a plan to handle them all”.

Organisations were also being regularly compromised through lateral movement from insecure business partners, whose access to key company systems may be necessary to support business relationships but opens up entirely new ways for cybercriminals to access sensitive systems.

Fully 62 per cent of 3,403 reported system intrusions were due to vulnerabilities in partners’ systems, the analysis found – and while the median number of records compromised per breach has actually dropped over time, improved targeting had actually helped cybercriminals become more effective at using ransomware to monetise the data they steal.

And while early ransomware attacks were one-off “nuisance” events, Verizon security solutions consultant Aaron Sharp told Information Age, cybercriminals’ increasing sophistication had turned them into full-blown data breaches – and a primary attack method, with ransomware found in nearly 70 per cent of malware breaches.

“Ransomware isn’t just locking and encrypting your device anymore,” he said. “They’re exfiltrating data before they encrypt it, so that they’ve potentially got a secondary way to monetise that data.”

The distinction had previously led to many companies failing to report ransomware attacks as data breaches under Australia’s notifiable data breach (NDB) legislation – a challenge that last year had Australian Information Commissioner (OAIC) Angelene Falk “concerned that some entities may not be reporting all eligible data breaches involving ransomware.”

Indeed, recent surveys suggest that even the DBIR’s findings may be underreporting ransomware’s true extent.

Fully 22 per cent of IT decision makers said they had or would pay a ransom in the last year, according to a recent Thales report, while a recent ExtraHop survey found that 85 per cent of Australian organisations had suffered a ransomware incident in the last five years – and that 72 per cent tried to keep it quiet.

Stop kicking own-goals

For all the cybercriminals’ success in weaponising ransomware and breaching target systems with stolen credentials available in dark-web markets, the DBIR identified a broad range of other issues that are, as in previous years, leaving companies exposed to compromise.

Poorly controlled remote-access systems were creating problems, with desktop sharing software – use of which has surged during the COVID-19 pandemic – exploited to access victim networks in nearly 20 per cent of breaches.

“Unfortunately, if you can access the asset directly over the internet simply by entering the credentials,” the report notes, “so can the criminals.”

The continued prevalence of human error highlighted the importance of both employee training and built-in security controls to ensure that human oversight doesn’t compromise new systems, such as the cloud services amassing swathes of sensitive corporate data.

Such errors contributed to 13 per cent of all breaches observed in the DBIR, Verizon’s security team noted, with this number “heavily influenced by misconfigured cloud storage… the fallibility of employees should not be discounted.”

Particularly concerning is the fact that 81 per cent of data compromised in this way is personal data – suggesting that companies’ voracious appetite for customer data is creating unintended consequences as cybercriminals raid the honeypots they have created.

Cloud providers are getting better at tightening the screws by imposing “security by default” obligations, Verizon APJ senior manager and head of investigative response Anshuman Sharma said, so that “if you don’t allow something, it will be denied by default.”

Yet in the long term, he added, companies wanting to improve their overall posture need to ensure they’re investing enough in employee education and training.

The human element “is always referred to as the weakest link,” Sharma said, “but I always feel that with proper awareness and skills-based training on the awareness side – followed by a culture of security where everyone feels accountable and are more than happy to report issues – we can make the human element the strongest link.”