Each year, Verizon researchers release the annual Data Breach Investigations Report (DBIR). Verizon began releasing the report in 2008, and for the past 15 years, the DBIR has been one of the most influential and highly-regarded reports in the cybersecurity industry. The report examines the most dominant trends in data breaches and cyberattacks throughout the world.
Let’s take a look at some of the key takeaways from this year’s 108-page report.
- The DBIR lists four of the most common paths used by attackers in data breaches: compromised credentials, phishing, exploiting vulnerabilities, and botnets.
- The report also found that ransomware has continued an upward trend with a 13 percent increase from the previous year.
- 2021 taught us that supply chain breaches can lead to a wide range of consequences. Remember the Colonial Pipeline hack?
- Error continues to be a dominant trend and is responsible for 13 percent of breaches—a finding heavily influenced by misconfigured cloud storage.
- This year, 82 percent of breaches involved some sort of human element. From stolen credentials, misuse, phishing, or simply an error, people play a large role in security breaches.
It’s notable that some of these issues have been at the forefront of the DBIR for a number of years. What do these findings mean for your company, and how can your organization use the DBIR to make smarter security decisions? BARR experts are here to help you out.
If we’ve known about the four most common paths used by attackers (compromised credentials, phishing, exploiting vulnerabilities, and botnets) for years, why do they continue to be a problem?
“Security is a hard-to-hit moving target,” said Swathi West, healthcare and privacy manager at BARR Advisory. “As fast as we’re trying to fix problems, we’re simply not always catching up to the bad guys.”
West also mentioned that some of the most common pathways attackers use, like misused credentials and phishing scams, cannot be fixed with a simple tool or new security protocol because they’re a result of human behavior. Changing human behavior can be much more difficult than installing a new security tool.
Another common theme of the DBIR is that data breaches pervade all industries. It’s not just companies with the most valuable data, like credit card information or protected patient information, that are at risk of a data breach.
“Some industries, maybe just by bad luck, are randomly chosen as targets,” said Julie Mungai, manager in BARR’s Cyber Risk Advisory practice. “Even email addresses can be valuable to some attackers. Being a startup and thinking you don’t store or process valuable data doesn’t mean you aren’t vulnerable.”
How can companies use this report to improve their security program?
“From a risk assessment perspective, consider this report free threat intelligence. For companies not sure where to start on their security journey, the DBIR shows you where to focus,” said Brad Thies, president and founder of BARR Advisory.
“Ask yourself, where is your risk with credentials? Phishing? How are you managing vulnerabilities and your triage response? Would you even know if a botnet had taken over your network? If you can just bake in security to prevent those top four causes, you’re off to a great start,” Thies explained.
The report also has a number of helpful one-page guides for businesses to use. For example, page 75 of the report provides cybersecurity guidance for small businesses, and page 98 of the report has a how-to guide on measuring the effectiveness of security training. These one-pagers provide organizations with step-by-step instructions on what to prioritize with their security program—an invaluable resource for organizations that just don’t know where to start.
“If you do anything, leverage this information for deeper conversations internally,” said Dan Mathewson, Cyber Risk Advisory manager. Internal conversations about how to become a security resilient company are a great step in building a security culture.
Become a security-first company
Some organizations leave security on the backburner because they think the chance of a breach occurring is low. If we’ve learned anything from the data breaches of the past few years, it’s that security needs to be a priority for all organizations. Armed with the insight from the DBIR, organizations can use this information to become a security-first company.
“Security needs to be a part of company identity,” according to Thies. He discussed Equifax as an example of this. Prior to the notorious Equifax data breach in 2017, the company had a lax attitude in security and flawed security operations. After the breach, the company overhauled their security program and transformed their company identity to be security first. This included enhancing customer experience, building trust, becoming an industry leader in data security, and investing in security infrastructure.
“If you put stake in who you are, the outcomes are easier to attain,” Thies explained.
Ultimately, hackers aren’t interested in whether or not your company is compliant. They care about whether they can get into and navigate your system. Given the top four pathways in the DBIR remaining mostly the same since the report began, security professionals have been giving the same advice about MFA and security training for years. It’s difficult to create real, lasting change to your security program without establishing who you are as a security organization.
Interested in learning more about how to leverage the DBIR to improve your company’s security posture? Contact us today.