Verizon’s Data Breach Report 2023 & Your Security Strategy

March 10th, 2023 Posted in Information Security

‘Know your enemy and know yourself’: Sun Tzu’s maxim for military strategists, long since adopted by the business world, is also sound advice for cyber security. Different industries are susceptible to different methods of attack, and knowing what data you hold and who wants it will help you design your cyber security strategy. To learn more about the threats you face, a good place to start is the Verizon Data Breach Investigations Report (DBIR) 2022.

The Verizon DBIR team analysed 5,212 confirmed data breaches and 23,896 security incidents across sectors, industries and regions to build a comprehensive picture of the current cyber security risk landscape.

Spanning over 100 pages, the report is undoubtedly a lengthy read. While we recommend reading the whole paper, we’ve distilled the critical takeaways below.

The four paths to a company’s IT estate

The DBIR identifies four crucial vectors malicious actors typically use to infiltrate an enterprise’s IT estate: stolen credentials, phishing, exploiting vulnerabilities and botnets. Verizon notes these four paths are “pervasive” throughout the DBIR and urges organisations to address each appropriately.

The report also sheds light on the attack patterns threat actors use to exploit these four paths:

Web Application Attack: A web application attack is a broad-stroke term for any attack in which a malicious actor attempts to compromise a web-based application. As covered in our overview of the OWASP Top 10 2021, these attacks range from injection flaws to business logic failures. To combat this risk, organisations should combine secure-by-design development principles with rigorous dynamic testing and regular web application penetration tests.

Denial of Service: In a denial-of-service attack, attackers render a service inaccessible to its users, typically by flooding the target’s systems with more traffic or requests than they can handle until they slow to a crawl or crash. The DBIR notes this form of attack is increasingly popular among hacktivists – attackers with an underlying social or political motive.

Lost and Stolen Assets: These are cases where information assets (devices, media or documents) go missing or are stolen. Where a malicious actor has stolen an asset, the data or credentials on it can serve as the basis for a future attack.

Privilege Misuse: Privilege misuse covers incidents where legitimate access rights are used for an unapproved purpose, whether by an insider or by an external actor who has obtained those rights through phishing or by exploiting configuration flaws.

Social Engineering: Social engineering attacks typically involve fraudulent emails sent to unwitting employees in the hope that they will open a malicious attachment or click through to a fraudulent site and enter their username, password or other sensitive information there. These attacks were most prevalent in the financial sector in 2021.

System Intrusion: These are complex, multi-stage attacks whose objective is to gain access to a target system, either to steal sensitive data or to deploy malware, ransomware included.

The rise of ransomware

Ransomware is a form of malicious software that encrypts files and effectively holds them hostage until a ransom is paid. In 2021, ransomware was present in 25% of breaches, up 13% on the previous year. We have some sage advice here if you’ve ever wondered whether you should pay a ransomware demand.

The rising popularity of ransomware can be linked to its financial appeal. As the DBIR states, ransomware is an excellent “model of monetisation.”

The report notes that email (40%) and desktop-sharing software (35%) are the most common vectors by which ransomware gets into a system. It further advises organisations to improve phishing training and to monitor and restrict remote desktop access (RDP and similar desktop-sharing tools) to combat this threat.
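Monitoring remote desktop access in practice means watching the authentication log for the pattern that precedes most ransomware deployments over RDP: a burst of failed logons from one source followed by a success. The script below is an added example, not part of the DBIR or this post. It runs over a handful of constructed Windows Security event records (event ID 4625 for failed logons, 4624 for successful ones, LogonType 10 for RDP) and flags any source that exceeds a failure threshold inside a sliding window; the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows LogonType 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample records (not real telemetry): the fields a SIEM would pull
# from Security event IDs 4625 (failed logon) and 4624 (successful logon).
# 203.0.113.7 sprays several accounts and then gets in; 198.51.100.22 is a user
# who mistypes a password twice; 10.0.0.5 is a local (non-RDP) logon.
SAMPLE_EVENTS = [
    {"time": "2023-03-10T02:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2023-03-10T02:00:09", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2023-03-10T02:00:17", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2023-03-10T02:00:25", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2023-03-10T02:00:33", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2023-03-10T02:00:41", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2023-03-10T02:01:02", "id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2023-03-10T08:59:50", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.22"},
    {"time": "2023-03-10T09:00:05", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.22"},
    {"time": "2023-03-10T09:00:20", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "198.51.100.22"},
    {"time": "2023-03-10T09:30:00", "id": 4624, "logon_type": 2, "user": "alee", "src": "10.0.0.5"},
]


def find_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside a sliding window. A finding is upgraded to
    'brute_force_success' when the same source later logs on over RDP.
    threshold and window are assumed tuning values, not DBIR figures."""
    rdp = sorted((e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
                 key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    recent = defaultdict(list)   # src -> failure timestamps still inside the window
    tried = defaultdict(set)     # src -> usernames attempted from that source
    findings = {}
    for e in rdp:
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        if e["id"] == 4625:
            # keep only failures within the window, then add this one
            recent[src] = [f for f in recent[src] if t - f <= window] + [t]
            tried[src].add(e["user"])
            if len(recent[src]) >= threshold:
                f = findings.setdefault(src, {"verdict": "brute_force"})
                f["failures"] = len(recent[src])
                f["users"] = sorted(tried[src])
        elif e["id"] == 4624 and src in findings:
            # a success after a flagged burst is the case that needs paging someone
            findings[src]["verdict"] = "brute_force_success"
            findings[src]["compromised_user"] = e["user"]
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_brute_force(SAMPLE_EVENTS).items():
        print(src, finding)
```

In a real deployment the records would come from the SIEM or Windows Event Forwarding rather than a list, but the logic is the same. The more important finding from such a rule is usually the first one: if RDP is reachable from the internet at all, the fix is to remove that exposure (VPN or a gateway with MFA) rather than to tune the detection.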

For more on this topic, please read our ransomware 101 blog.

Attacks on supply chains

Supply chain attacks have taken centre stage over the past few years, with high-profile incidents affecting software vendors like Kaseya and SolarWinds making headlines across the globe.

In line with this, the DBIR discovered the supply chain was involved in 61% of data breaches over the last year. The report notes that supply chains are an extremely tempting target for malicious actors as “compromising the right partner is a force multiplier.”

Indeed, by infiltrating a supplier, a malicious actor could potentially access a wealth of data relating to its customers, partners and suppliers.

Attackers have also been known to use software suppliers (learn more about our cyber security for SaaS providers) as a foothold for island-hopping attacks, in which they exploit a security weakness in a technology vendor and then move laterally to target its customers, suppliers or partners.

To improve the security of your supply chain, we advise you to establish a supply chain cyber risk management programme: a formal programme for assessing and controlling the security risks associated with using third-party vendors.

Our guide to supply chain security is an excellent place to start if you’re new to this topic. If you would like more in-depth support, please get in touch about our supply chain security services.

Exploiting the human element

The DBIR states one-quarter of all data breaches last year resulted from successful social engineering attacks. Moreover, when human error and privilege misuse are combined, the human element accounts for a startling 82% of data breaches in 2021.

The human element covers actions by users, whether mistakes or misuse, that put information assets at risk. Common examples called out in the report include cloud misconfigurations, the use of weak passwords and the failure to apply patches.

The human element of cyber security is a multi-faceted problem, so organisations must take a holistic approach. What is needed is a comprehensive risk management strategy that incorporates the right security tools, incident response procedures and employee training to protect against the worst-case scenario.

Which method of cyber-attack targets which industries? 

For an in-depth view of the type of threat your industry is likely to face, the report drills down into specific industries from page 35 onward. Below is a snapshot of some of the major industry verticals to start you off.

  • Accommodation and food services are mainly targeted with point-of-sale (POS) attacks to harvest customers’ payment card data. These attacks are typically carried out by organised crime groups for financial gain and, although smaller businesses are the usual targets, large organisations cannot rest easy either, as the recent attack on a major chain demonstrates.
  • Financial and insurance companies are targeted most frequently with denial-of-service attacks and with stolen credentials obtained through compromised email accounts. The main motive for targeting this sector is financial (88%), with espionage accounting for 10%.
  • The Information industry suffers mainly from miscellaneous errors, web application attacks and cyber-espionage, which together represent 83% of breaches; 36% of external attackers were state-affiliated.
  • Manufacturing has in recent years been targeted for espionage and, although that remains a strong motive, the sector has seen an increase in financially motivated breaches over the last couple of years, as a ransomware attack earlier this year showed. Most breaches involve phishing and the use of stolen credentials.

Visit our industry pages to learn more about how we have helped organisations with: cyber security in the finance industry, cyber security for healthcare organisations, data protection and information security for SaaS providers, GDPR compliance and Cyber security services for schools and universities, and cyber security and penetration testing for the construction industry. 

How to defend your organisation  

The motive and method of cyber-attack will influence where you should focus your cyber security budget, and the DBIR offers a range of sound advice; however, the Achilles’ heel that comes up time and again is the human factor. Cyber security training and awareness are therefore critical.

The human factor can be the most challenging. Our advice would be to position training and awareness campaigns at the centre of your cyber security programme, and not just with respect to phishing, social engineering or pretexting (where an individual lies to obtain privileged data), but also for general mistakes such as misdelivery and erroneous publishing.

Systems can help here too: set them up so that the damage an employee can do with their existing privileges is limited (least privilege). Monitor inbound email for links and executables, including macro-enabled Office documents. Also, provide a way for employees to report potential phishing or pretexting.
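The email check above is straightforward to implement as a triage step in front of the mailbox. The script below is an added example, not code from this post or from the DBIR: it parses a raw message with Python’s standard email library, extracts URLs from the body, flags attachments whose extension is executable or macro-enabled, and, rather than trusting the extension, opens each Office Open XML attachment as the zip it is and looks for a vbaProject.bin part, which catches a .docm renamed to .docx. The message, the minimal Office containers and the extension lists are constructed for the demo.

```python
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy lists for the demo: extensions to block outright, and macro-capable Office types.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".iso"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx"} | MACRO_EXTS
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def ooxml_has_macros(data: bytes) -> bool:
    """An Office Open XML file is a zip; a VBA project is stored as .../vbaProject.bin.
    Inspecting the container beats trusting the extension: a .docm renamed to
    .docx still carries the macro part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> dict:
    """Walk a raw RFC 822 message and report body URLs, executable attachments
    and macro-enabled Office attachments, with a quarantine/deliver verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"urls": [], "executables": [], "macro_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            payload = part.get_payload(decode=True) or b""
            if ext in EXECUTABLE_EXTS:
                findings["executables"].append(filename)
            if ext in OOXML_EXTS and ooxml_has_macros(payload):
                findings["macro_attachments"].append(filename)
            elif ext in MACRO_EXTS:  # macro-enabled type even if the container is unreadable
                findings["macro_attachments"].append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            findings["urls"].extend(URL_RE.findall(part.get_content()))
    findings["verdict"] = ("quarantine"
                           if findings["executables"] or findings["macro_attachments"]
                           else "deliver")
    return findings


def build_docx(with_macros: bool) -> bytes:
    """Minimal constructed OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed phishing-style message: a lure link, a .docm, a clean .docx
    and a macro-bearing file renamed to .docx."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please confirm at https://invoices-example.net/login")
    msg.add_attachment(build_docx(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice_4471.docm")
    msg.add_attachment(build_docx(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="terms.docx")
    msg.add_attachment(build_docx(True), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="statement.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

A commercial gateway does far more (sandboxing, reputation, DMARC checks), but this shows the two checks that matter most for the DBIR’s phishing and ransomware findings: never let the file extension alone decide, and surface the URLs so that the lure domain can be compared against the sender’s domain before delivery.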

Review your cyber security strategy

Once you know what sort of cyber-attack you are most likely to experience, and why, you can marry that information with the location of your valuable information and how it could be accessed. A good place to start, if you haven’t done so already, is to review your cyber security strategy and ensure that it aligns with your business objectives. Going through this process will enable you to identify what data you have, where it’s stored, who has access to it and where it flows throughout the business, including to third-party suppliers. It’s the ultimate step in knowing yourself!

Need help to develop your cyber security posture?

If you need help with developing your cyber security strategy or training and awareness, we can help. Contact us for advice or an informal chat on what you may need. 


Written by Evalian®