Verizon’s Data Breach Investigations Report 2021 – highlights

June 23rd, 2021 Posted in Data Protection

For 14 years now, Verizon has annually released the Data Breach Investigations Report (“DBIR”), which assesses what tactics and strategies cyber criminals have used to conduct data breaches in the last year. This year’s report is the biggest one yet, with the Verizon team analysing 5,258 data breaches from organisations around the world – up almost 1,500 from the previous report.

The 2021 instalment also shines a light on how the COVID-19 pandemic altered online criminal activity. For organisations of all sizes, the DBIR is a useful resource for understanding the current state of the cyber threat landscape. However, it is also 119 pages long – not exactly a lunchtime read!   

To save you hours of reading, we’ve distilled the key takeaways from the report into a much more digestible blog format. We do, of course, recommend that IT and business leaders take a look through the full report, as it has a wealth of useful insights. Meanwhile, to whet your appetite, here are the main findings:  

Ransomware rises in prominence and sophistication

In 2020, 10% of data breaches involved ransomware. This is double the frequency of 2019 and puts ransomware as the third most common cause of breaches. The Verizon team speculates that this rise was influenced by new tactics, whereby ransomware attackers “take a copy of the data for use as leverage against their victims prior to triggering the encryption”.  

This means that victims are more likely to pay a ransom because, as well as their files being deleted, they could also be leaked. This is an example of the ‘cyber arms race’ between attackers and security teams: organisations are starting to recognise that a good backup strategy can mitigate the impact of encrypted files, so attackers have added a second lever. Backups cannot, however, mitigate the risk of exfiltrated data being made available on the internet.

You can read our blog on how to protect your company from ransomware.

Cybercriminals are phishing for human negligence

The report found that 85% of breaches involved ‘a human element’, meaning employees or people with authorised access were manipulated by a cyber attacker, or their login credentials were stolen. The most common form of attack that involved employees was phishing. As background, phishing campaigns usually take the form of a fraudulent email, sent to unsuspecting employees in the hope they will download malicious software in an attached file, or click through to a fraudulent site and enter their username and password, or other sensitive information.

The report shows that phishing attacks saw a significant jump, from 25% in 2019 to 36% in 2020. Verizon notes that this rise correlates with the surge in COVID-19-related phishing lures at the onset of the pandemic, where cybercriminals took advantage of the move to remote work and international health scares by impersonating health bodies, co-workers and contractors over email.  

Business email compromise gains traction

Another type of social engineering attack to gain in prominence was Business Email Compromise (BEC), which was the second most common after phishing. BECs are attacks where a hacker gains access to a genuine business email account – usually someone who is high up the company ladder – and then deceives employees within the organisation through the email address, often asking them to transfer funds or share sensitive information.   

These attacks are especially lucrative because they come from a legitimate business email address. Often, employees will not think to question an order from an executive in their organisation, even if it does seem a little unusual.  

The growth of both BEC and phishing attacks is troublesome for organisations, but there are ways to reduce the likelihood of your employees falling for such a scam. In particular, security awareness training and employee phishing testing should be used in organisations of all sizes.  

Credentials are lucrative

As demonstrated with BEC, many social engineering attacks rely on password compromise, so it’s no surprise that 61% of breaches involved stolen credentials. For example, it’s common for an attacker to conduct a phishing campaign in a bid to gain login credentials, which could then be used to log in to a company’s systems and deploy malware.  

For organisations, this finding highlights the importance of controls that verify log-in credentials, such as multi-factor authentication. Alongside this, organisations should enforce good access control practices: mandating passwords that meet minimum complexity requirements; requiring unique passwords for different systems or, even better, using a single sign-on tool; educating users not to share passwords; enforcing least privilege access; and disabling user accounts and privileges as soon as they are no longer required.
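Two of those controls, disabling accounts that are no longer used and making sure privileged accounts have multi-factor authentication, are easy to check mechanically once you have a directory export. The script below is an added illustration written for this post, not code from Verizon or from the DBIR: the account records, the 90-day idle threshold and the “Domain Admins” group name are constructed assumptions standing in for whatever your own directory and policy use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Fixed audit date so the constructed sample below is reproducible;
# a real run would use datetime.now(timezone.utc).
AUDIT_DATE = datetime(2021, 6, 23, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Account:
    username: str
    last_login: Optional[datetime]  # None means the account has never been used
    enabled: bool
    groups: Tuple[str, ...]
    mfa_enrolled: bool


# Constructed directory export for illustration only; names and dates are invented.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", AUDIT_DATE - timedelta(days=3), True, ("Staff",), True),
    Account("bob", AUDIT_DATE - timedelta(days=200), True, ("Staff",), False),
    Account("carol", AUDIT_DATE - timedelta(days=10), True, ("Domain Admins", "Staff"), False),
    Account("dave", None, True, ("Staff",), True),
    Account("erin", AUDIT_DATE - timedelta(days=400), False, ("Staff",), False),
]


def audit_accounts(accounts, now=AUDIT_DATE, max_idle_days=90,
                   privileged_groups=("Domain Admins",)):
    """Return (username, finding) pairs for enabled accounts that breach the policy.

    Two checks are applied, matching the controls discussed above:
    - an enabled account with no login inside max_idle_days (or never) should be disabled;
    - an enabled account in a privileged group must have MFA enrolled.
    The group name and threshold are assumed policy values, not directory defaults.
    """
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing left to remove
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.username, "disable: no login within the idle threshold"))
        if any(g in privileged_groups for g in acct.groups) and not acct.mfa_enrolled:
            findings.append((acct.username, "enforce MFA: privileged account without MFA"))
    return findings


def accounts_to_disable(accounts, **kwargs):
    """Sorted usernames that the idle-account check says should be disabled."""
    return sorted(u for u, f in audit_accounts(accounts, **kwargs) if f.startswith("disable"))


def privileged_without_mfa(accounts, **kwargs):
    """Sorted usernames of privileged accounts that still lack MFA."""
    return sorted(u for u, f in audit_accounts(accounts, **kwargs) if f.startswith("enforce MFA"))


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```

Run against the constructed sample, the audit flags bob and dave for disabling (one idle for 200 days, one never used) and carol as a privileged account without MFA, while erin is skipped because she is already disabled. Raising the idle threshold changes only the first check, which is why the threshold is a parameter rather than a constant buried in the loop.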

Size doesn’t matter

Verizon’s report indicates that cybercriminals are targeting organisations of all sizes. Their main motivation is financial reward, and as the report notes: “you don’t have to be a large organization to have a good chance that one of your members has received a malicious URL or even installed a malicious Android app.” 

However, while attackers have cast their net far and wide, organisations’ ability to detect breaches is not so evenly spread. The report notes that 55% of large organisations were able to find data breaches within days or less, while just 47% of smaller organisations were able to do the same.

As we know, the time taken to find a breach can dramatically impact its severity. To that end, we recommend you read our incident response guide, for a full low-down on how to create a robust plan for finding and responding to potential data breaches.  

Need help?

If you need help or advice on how to manage your business’ cyber security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat. 

Written by Hannah Pisani

Hannah is our in house writer, working with consultants on articles, guides, advisories and blogs and writing our news updates on data protection and information security topics. She has a background in content creation and PR, specialising in technology, data and consumer topics. Her qualifications include a BA in English Language and Literature from Royal Holloway University, London.