Key Security Trends in the Verizon Data Breach Investigations Report

Posted by Mark Greisiger

A Q&A with David Hylender

2017 marked the tenth year for the Verizon Data Breach Investigation Report, an invaluable resource for understanding the current landscape in cyber security. This year 65 organizations from around the world reported 1,935 confirmed breaches and 42,068 data loss incidents. I asked David Hylender, senior risk analyst at Verizon Business, about the findings and key takeaways from this most recent edition.

We are still seeing that basic security measures are not being put into place. In 81 percent of breaches, attackers leveraged stolen, weak or guessable passwords.

Ransomware continues to gain in frequency.
We saw the number of incidents involving ransomware shoot up this year, with a 50 percent increase from last year. In certain industries, such as healthcare, it was more prominent. In earlier days, ransomware seemed more sporadic and aimed at individual users and their personal computers or laptops. Now it’s become ubiquitous, affecting both larger and smaller organizations. The reason for this is it’s relatively easy for the criminal who stands to make a great deal of money with a slim chance of being caught, and it can be done from a great distance. One other important thing we’re seeing with ransomware is that it has become more sophisticated and not as easily detectible right away.

Cyber espionage is also growing.
We only added cyber espionage—which can include anything from corporate spying to nation states’ military spying—to our report a few years ago, and it has been growing steadily over the  past two or three years. This year, it was present in 21 percent of cases that were analyzed, roughly a fifth of all data breaches. We saw it more frequently in the manufacturing and public sector, which makes sense but we also saw it taking a role in the education vertical which is interesting. We don’t have enough definite data to explain it but I would surmise that attackers can more easily gain access to universities than military industrial complexes or well known corporations yet they can access some of the same data as it’s being researched and developed in the university setting.

Small organizations are being attacked increasingly.
We saw that 61 percent of victims of attacks were organizations with fewer than 1,000 employees. We know that smaller organizations may struggle to protect their assets and while the bigger payoffs are at the larger companies, attackers can hit smaller companies and profit easily. Unfortunately this means smaller organizations are vulnerable.

Security still comes down to the basics.
The reality is most companies are attacked at some point and often (but not always), if they handle the security basics well, they can protect their data. If the attacker has to work too hard, it will not be worth their time and they can move on to an easier mark. We are still seeing that basic security measures are not being put into place. In 81 percent of breaches, attackers leveraged stolen, weak or guessable passwords. Many organizations still lack multifactor authentication, encryption of data or still have a lack of password hygiene that makes them susceptible to a dictionary or brute force attack. These are very cheap security solutions and it can be reasonably expected that almost  anyone,  even a mom and pop business, should have them. What’s interesting is we see it across the spectrum from large, multinational to midsize to small companies.

Phishing is still paying off for attackers.
This type of social attack, when an attacker sends an email to someone which then tricks the recipient into providing information they shouldn’t or (more often) dupes them into clicking on a link or attachment that is malicious, is extremely effective. Attackers are using this method to get malware on the end users system. Then the attacker uses this laptop or desktop to infect other assets inside the victims network. 95 percent of phishing attacks we saw began with someone clicking something that installed malware on their system.

Pretexting is on the rise.
Pretexting is similar to phishing but more involved. With pretexting, the user receives an email purporting to be from someone it is not. For instance, an employee in payroll or finance might receive an email that appears to come from the CFO stating that he or she is on vacation, and requesting information or asking the recipient to authorize an ACH transaction for them. It takes phishing a step (or sometimes many steps) further, even on occasion to the point that it accurately mimics the victim’s style of writing and so on. Additionally, it some cases it is actually coming from a legitimate email address because the email account was previously hacked. Pretexting is very hard to detect and companies need to create policies and procedures, such as insisting that employees not share sensitive data over email or initiate wire transfers based solely on email or without a secondary approver. These and other steps can be taken to protect against this type of action.

In summary…
We want to thank Mr. Hylender for his insights into the Verizon DBIR computer crime study. We are a proud contributor to the Verizon study and every year the NetDiligence team eagerly delves into the interesting findings in the report. Many of our cyber risk insurance partners also look to this analytical research to learn more about the risk realities facing their business policyholders and we appreciate that experts such as Dave Hylender and his colleague Chris Novak take the time to share their knowledge. Finally, for our eRiskHub owners/users, please check out a risk manager tool inside your Hub portal that leverages some of this research data to show “cause of loss” threats impacting various business sectors.