Verizon has released its 2019 Data Breach Investigations Report. The annual report provides an in-depth analysis of global data breaches, new cyberattack trends, and an overview of the current threat landscape.
This is the 12th consecutive year that Verizon has produced the report and this year’s instalment is most extensive DBIR report released to date. Verizon now collects data from 73 sources and included 41,686 reported security incidents and 2,013 data breaches in this year’s report.
The report shows that there was a slight decline in financially motivated cyberattacks in 2018, dropping from 76% of attacks in 2017 to 71% in 2018. The decline is partly due to an increase in activity by nation-state actors seeking access to sensitive information. Cyber-espionage related data breaches accounted for 13% of all data breaches in 2017. The percentage has now risen to 25%. Attacks attributed to nation-states rose from 12% in 2017 to 23% in 2018. The public sector saw an increase of 168% in cyber-espionage related breaches in 2018.
Email-based attacks continue to cause problems for both the public and private sectors. Phishing was involved in 32% of all data breaches and 78% of all cyber-espionage-related breaches in 2018. 90% of malware was delivered by email, and 60% of web application attacks were on cloud email servers. BEC attacks continue to rise and resulted in huge losses for businesses in 2018. BEC attacks accounted for 12% of all data breaches in 2018.
There is some good news on the phishing front. Data collected from phishing simulation platform providers shows employees are getting better at recognizing simulated phishing emails, which shows security awareness training is having an impact. However, mobile users still remain vulnerable to both phishing and social media attacks. 18% of individuals who responded to phishing email simulations did so on a mobile device.
Theft of email credentials is still a major goal in many cyberattacks. Stolen credentials can be used for phishing campaigns, BEC attacks, and to spread laterally within an organization. There was a significant increase in the number of attacks involving compromised credentials in 2018.
Spear phishing attacks on businesses have increased and the C-Suite is being extensively targeted. Verizon notes that C-suite executives are 12 times more likely to be the target of social engineering incidents and nine times as likely to be the targets in social engineering-related data breaches. Security incidents and data breaches involving the C-suite increased from single to double digits in 2018.
With the exception of the healthcare industry, most cyberattacks were perpetrated by outsiders (69%). 34% involved insiders to some degree. In healthcare 59% of attacks involved insiders and 42% involved external parties.
The healthcare industry continues to be extensively targeted by cybercriminals and accounted for 15% of all data breaches. That figure was topped by public sector entities, which accounted for 16% of breaches, but small businesses are most at risk and registered 43% of data breaches.
Hacking was the leading cause of breaches (52%), followed by social attacks (33%), malware (28%), errors (21%), and misuse by authorized users (14%).
While cryptocurrency mining has attracted a lot of press coverage in the past 12 months and has been widely cited as posing the biggest threat to businesses, the 2019 DBIR indicates only 2% of data breaches involved cryptocurrency mining. That suggests either the threat isn’t as severe as has been reported, incidents involving cryptocurrency mining are not being reported, or attacks are not being discovered.
Ransomware attacks attract a lot of press coverage but were the second most common type of malware used in attacks. They accounted for 24% of malware-related breaches. The majority of those attacks were reported by healthcare organizations.
For the first time, breaches of web-based payment systems overtook physical POS devices as the main location of payment card related breaches. Verizon suggests that this may be due to the introduction of chip and PIN payment technologies.
While attacks on the C-suite have increased, attacks on HR departments have fallen. In 2018, there were six times fewer breaches involving HR personnel than the previous year. Verizon notes that while 2017 saw many W-2 form related phishing attacks reported, there were next to none in this year’s data set.
Cybersecurity incidents and breaches are increasing, and the tactics and techniques being used to gain access to business networks have changed, but in the most part these breaches can still be prevented with good cybersecurity hygiene and standard cybersecurity solutions.
Verizon notes that a majority of the reported phishing-related data breaches and BEC attacks could have been prevented simply by implementing 2-factor authentication.