Analysis of a newly published key report looks at the conclusions drawn from 32,000 security incidents and 3,950 confirmed breaches from 81 countries.
Financial gain remains the top motive for cyber-crime, accounting for 86% of breaches investigated in the Verizon Business 2020 Data Breach Investigations Report (DBIR), despite extensive media coverage of espionage.
The vast majority of breaches – 70% – are caused by external actors, with organised crime representing 55% of these.
Credential theft & social attacks such as phishing and business email compromise cause the majority of breaches (more than 67%).
30% of credential theft breaches used stolen or weak credentials, & 25% involved phishing. Human error accounted for 22%.
- DBIR data continues to show that external actors are, as ever, more common. Some 70% of breaches this past year were caused by outsiders.
- While espionage grabs the headlines, it accounts for just 10% of breaches in the data for this year. Some 86% of breaches continue to be financially motivated. Advanced threats account for just 4% of breaches.
- Credential theft, social attacks such as phishing and business email compromise, and errors are the cause of most breaches (67% plus).
- Some 27% of malware incidents are ransomware, with 18% of organisations blocking at least one piece of ransomware.
- Attacks on web apps made up 43% of breaches, doubling the previous year’s figures. With the move of businesses to cloud services, it makes sense for attackers to follow. The most common methods use stolen or brute-forced credentials (more than 80%) while less than 20% exploit vulnerabilities.
- Personal data was involved in 58% of breaches, almost double last year’s figure. It included email addresses, names, phone numbers, physical addresses & other types of data found in an email or stored in a misconfigured database.
- The data showed a high number of internal-error-related breaches (881, versus last year’s 424). The report observed that the increase is likely due to improved reporting requirements because of new legislation rather than more frequent mistakes from insiders.
- Security tools are doing a better job of blocking common malware. Data from the report shows that Trojan-type malware peaked at just under 50% of all breaches in 2016 & has since dropped to just 6.5%. Malware sampling shows 45% of malware is from “droppers, backdoors or keyloggers”.
- Fewer than 5% of breaches involved the exploitation of a vulnerability. The data did not show attackers attempting these kinds of attacks that often. Just 2.5% of security information and event management (SIEM) events involved exploiting a vulnerability.
The 2020 DBIR showed that common patterns can be found within cyber-attack journeys, enabling businesses to “determine the bad actors’ destination” while attacks are in progress.
When they are linked to the order of threat actions, whether through error, malware, physical, or hacking, breach pathways can be used to predict the target.
This means that the attacks can be stopped & so offer a “defender’s advantage”.
The report said a growing number of small & medium-sized businesses are using cloud & web-based applications & tools.
This uptake has made them targets for cyber-attackers.
2020 DBIR findings show that phishing is the biggest threat for small firms, accounting for more than 30% of breaches.
Next comes the use of stolen credentials (27%) and password dumpers (16%). Most often, attackers targeted credentials, personal data & business-related data such as medical records, internal secrets, or payment information.
More than 20% of attacks targeted web applications using stolen credentials.
- 86% of data breaches for financial gain – up from 71% in 2019
- Cloud-based data under attack – web application attacks double to 43%
- 67% of breaches caused by credential theft, errors & social attacks
- Clearly identified cyber-breach pathways enable a “defender advantage” in the fight against cyber-crime
- On-going patching has been successful – fewer than 1 in 20 breaches exploit weaknesses
The 2020 DBIR also provided a detailed analysis of industries, showing significant differences across sectors.
Sector – Manufacturing
29% of breaches come in the manufacturing sector, where external actors use malware such as password dumpers, app data capturers and downloaders to obtain proprietary data for financial gain.
Sector – Retail
Almost all of the incidents in retail were financially motivated – some 99%, where payment data & personal credentials were the goals. The main cause of retail breaches is via web applications, rather than Point of Sale (POS) devices.
Sector – Financial & insurance
Almost a third (30%) of breaches were caused by web application attacks. This was primarily driven by external actors using stolen credentials to get access to sensitive data stored in the cloud. The transition to online services has been highlighted as a key factor.
Sector – Education
Ransomware attacks doubled in 2020, making up around 80% of malware attacks compared to 45% last year. Social engineering accounted for 27% of incidents.
Sector – Healthcare
Some 31% of healthcare breaches came from basic human error. External breaches were at 51%, up from 42% last year, slightly more common than insiders at 48% (59% in 2019). The industry has the highest number of internal bad actors, because of greater access to credentials.
61% of malware-based incidents were related to ransomware, while 33% of breaches were accidents caused by insiders. These types of organisations have improved on identifying breaches, with just 6% lying undiscovered for a year compared with 47% previously. This was linked to legislative reporting requirements.
It was found that financially motivated breaches, in general, accounted for 91% of cases in Northern America, compared to 70% in Europe, Middle East & Africa, and 63% in Asia Pacific.
Northern America – the technique most commonly used was stolen credentials, accounting for more than 79% of hacking breaches. Some 33% of breaches were associated with either phishing or pretexting.
Europe, Middle East & Africa (EMEA) – Denial of Service (DoS) attacks accounted for more than 80% of malware incidents; 40% of breaches targeted web applications, using a combination of hacking techniques that leverage either stolen credentials or known vulnerabilities. 14% of breaches were associated with cyber-espionage.
Asia Pacific (APAC) – 63% of breaches were financially motivated, & phishing attacks are also high, at over 28%.