Verizon Business have released their 17th Data Breach Investigations Report (DBIR).
Some 15 per cent of breaches last year involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. Most breaches (68pc), whether they include a third party or not, involve a non-malicious human element, whether a person making an error or falling prey to a social engineering attack; about the same percentage as last year. About one in three, 32pc of all breaches involved some type of extortion technique, including ransomware.
Chris Novak, Senior Director of Cybersecurity Consulting at Verizon Business, said that while the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach. He said: โThe persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce.”
Globally, the exploitation of vulnerabilities as an initial point of entry increased since last year, accounting for 14pc of all breaches; in no small part due to the inter-connectedness of supply chains, according to Alistair Neil, EMEA Senior Director of Security, Verizon Business. This spike was driven primarily by the scope and growing frequency of zero-day exploits by ransomware actors, most notably the MOVEit breach.
Among the findings
Over the past ten years, the Use of stolen credentials has appeared in about three in ten (31pc) of all breaches. While half of the reaches in EMEA are internal, espionage attacks continue to dominate in APAC region.
Comments
Kevin Robertson, COO at Acumen, said:
“The headline stat from this report is that AI is not the huge threat it has been painted as. Attackers clearly don’t need to rely on Generative AI to launch attacks, not when companies are still failing at basic cyber security hygiene practices, which provides criminals with guaranteed access into their networks, with minimal effort. Today skilled malware developers are much better than AI, so they don’t need it. Plus, it also doesn’t lower the barrier to entry into cybercrime, because RaaS gangs box-pack ransomware, opening the threat up to less skilled adversaries.
“Verizon also highlights how vulnerabilities in ubiquitous software continues to put organisations at serious risk. Microsoft is responsible for a huge volume of these vulnerabilities and it has a duty to better serve its customers and deliver more secure software. Criminals are clearly banking on Zero Days to launch attacks on businesses, often relying on delays in organisations’ patching windows. Microsoft must take responsibility for this, otherwise, it’s their valued customers that are suffering the real consequences.
“Organisations must also learn from these findings and use them as a catalyst to improve their own cyber security processes. If this isnโt possible due to a shortage of internal cyber security personnel, itโs time to look at outsourcing to organisations who are experts in the field. These dedicated businesses can fill any gaps that are leaving organisations vulnerable to attack. This reduces the need for internal cyber security resources, cuts costs and significantly improves enterprise cyber security resilience. Providing a win, win, win to their customers.โ
And William Wright, CEO of Closed Door Security, said: โDespite the endless cycle of breaches that are disclosed in the media every day, organisations are clearly still very far away from cyber security maturity. The Verizon DBIR shows itโs the still the basics security errors putting organisations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams.
“This needs to change as a priority because no business can afford to gamble or take chances with cyber hygiene. Just look at Change Healthcare, the breach was executed via an unsecured employee credential and the organisation is now facing over a billion in losses. No other organisation wants to find itself in this position.
“Organisations instead must adopt processes where patches are applied frequently and critical vulnerabilities receive immediate updates, even if they are outside of regular patch windows. Employees must be trained regularly and MFA must be adopted to increase defences against phishing. This also must be thoroughly tested to ensure there are no gaps that could put a business at risk.โ
