Verizon recently issued the 2022 edition of their Data Breach Investigations Report (DBIR). This edition is number 15, so the editors took a look back at the data from their first report in 2008 to see what’s new and what’s changed. There’s a lot of interesting and useful data in the report.
Data Breaches in 2021
This year’s report was based on a comprehensive examination of 23,896 “security incidents.” Of those incidents, 5,212 were confirmed as data breaches.
Ransomware continues to be a growth business, up another 13% in 2021 and present in one out of every four data breaches. Even companies that are well prepared with backups and procedures for coping with a ransomware attack can suffer significant financial loss, since it takes time and work to recover from a ransomware attack, whether or not a ransom is paid. Loss of customer trust and brand equity may also take a significant toll following a ransomware attack.
Despite increasing cybersecurity awareness, and corporate efforts to improve training and put “foolproof” systems in place, 82% of all data breaches involved the human element, whether it was someone falling for a phishing attack, use of stolen credentials, or a mistake. Mistakes alone accounted for 13% of breaches. Among the most common contributing factors were misconfigured cloud storage and unmanaged devices.
Perhaps Douglas Adams was right when he said, “A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.” For years, the cybersecurity industry has been struggling to stay one step ahead of those very ingenious and not-so-foolish “fools.” To be fair, many cybercriminals today are exceptionally sophisticated. Even careful, knowledgeable employees can fall victim to some of today’s clever attacks – it’s not only fools who make mistakes.
One of the challenges inherent in combatting phishing is that it is a function of huge volume. The vast majority of employees never actually click on a phishing email, and an even vaster majority of phishing emails never get clicked, or even opened. Yet the volume of phishing attacks is so high that the 2.9% of users that do click through are sufficient to touch off a huge number of data breaches and ransomware attacks.
The Rise of Hacktivism
In 95% of the attacks on all organizations by external actors, financial or personal gain was the motive behind the attack.
For larger organizations in particular, however, that number drops to 71%. “Hacktivism,” hacking into an organization as a type of civil disobedience and protest, accounts for fully 25% of the data breaches.
What’s Changed in 15 Years
While some things haven’t changed, there have been drastic changes in other areas:
- The explosion of ransomware. Even though ransomware has been around since 1989, it was rare until the last few years. Ransomware was barely on the radar in 2008; it was not until 2013 that the DBIR found it worth commenting on. Today 25% of breaches are ransomware attacks. The DBIR doesn’t speculate on why ransomware has taken off, but it seems to us that there are three important factors: 1) cryptocurrency, which simplifies anonymous payments; 2) Ransomware-as-a-Service, which makes it easy for people with minimal hacking skills to get into the ransomware business; and 3) it works.
- The type of data being compromised. In 2008, payment card data was the most commonly compromised data type. Now it’s credentials and personal data. With credit card companies deploying increasingly sophisticated anti-fraud tools, payment card data is less useful to attackers than it was 15 years ago, while credentials and personal data remain useful for financial fraud.
- Espionage has grown as a motive. It wasn’t even on the radar as recently as 2015, but for the last few years it’s been in second place.
- Social engineering, such as phishing, has grown as an attack method.
- Supply chain breaches are up, now 62% of system intrusion attacks. This probably reflects more ways in which companies are working together and relying on freelancers.
15-Year Trends – What’s the Same
As the French say, plus ça change, plus c’est la même chose, “the more things change, the more they stay the same.” Some things haven’t changed much in the last 15 years:
- Internal actors were responsible for 18% of the breaches in 2008; in 2022 the number is only slightly higher, 20%.
- Web application hacking continues to be the main action vector for both breaches and incidents, with email coming in second.
- Financial gain has been the top motive since the DBIR started tracking it in 2015.
- 90% of attacks target servers, with a sprinkling targeting user and networking devices. This figure is relatively unchanged from 2008, despite the proliferation of mobile devices.
Web Applications: The Hacking Vector of Choice
Let’s take another look at the first two items we mentioned above as remaining stable over 15 years of DBIR reports:
First, that only 20% of data breaches were attributed to an insider – a figure that is termed “infrequent” in the report:
The relative infrequency of data breaches attributed to insiders may be surprising to some. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources.
Given that 82% of attacks involved a human element, it is crucial to note that “attributed to an insider” does not mean “involving an insider.” Instead, it means that an insider intentionally set about to breach the security of the organization they work for or have credentials to access, for reasons including financial gain, personal or professional grudges, or just for kicks.
This distinction is brought home by the second item we cited above as remaining constant: that web application hacking and email are the most frequent attack vectors. Users, including insiders, of course play a critical, albeit often inadvertent, role in both.
Consider the most critical web application security risks, as classified by the Open Web Application Security Project (OWASP). In its most recent version, OWASP ranks broken access control as the most critical threat – with “access control” defined as “enforcement of policies such that users cannot act outside of their intended permissions.” Broken access control can result in “unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits.”
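To make the OWASP definition concrete, here is an added example (not code from the report, from OWASP, or from Ericom) that contrasts a request handler with broken access control against one that enforces a per-user policy on both the object being accessed and the action being performed. The invoice service, the users and their permissions are all constructed sample data; the hypothetical contractor account illustrates a third-party user who may view but not download records.

```python
"""Broken access control (OWASP A01) beside an enforced authorization check.

Constructed example: an in-memory "invoice service" with two request handlers.
fetch_invoice_broken trusts the invoice id in the request and never asks who is
requesting it. fetch_invoice_checked denies by default and checks both the
object (which accounts the caller may act for) and the action (view/download).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str      # account the invoice belongs to
    amount: float


@dataclass
class Policy:
    """Least-privilege policy for one user: which owners' records they may
    reach, and which actions they may take on them. Empty by default."""
    scopes: set[str] = field(default_factory=set)
    actions: set[str] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when a request falls outside the caller's intended permissions."""


# Constructed sample data (hypothetical accounts, not from the report).
INVOICES = {
    101: Invoice(101, "alice", 250.0),
    102: Invoice(102, "bob", 980.0),
}
POLICIES = {
    "alice": Policy(scopes={"alice"}, actions={"view", "download"}),
    # Hypothetical third-party contractor handling bob's billing: view only.
    "contractor": Policy(scopes={"bob"}, actions={"view"}),
}


def fetch_invoice_broken(requester: str, invoice_id: int, action: str) -> Invoice:
    """Vulnerable handler: any caller can perform any action on any invoice.

    The only check is that the record exists, so knowing or guessing an id is
    enough to read another account's data (broken access control).
    """
    return INVOICES[invoice_id]


def fetch_invoice_checked(requester: str, invoice_id: int, action: str) -> Invoice:
    """Hardened handler: deny by default, then check object scope and action."""
    policy = POLICIES.get(requester)
    if policy is None:
        raise Forbidden("unknown user")
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not in scope", so the id space cannot be
    # enumerated by comparing responses.
    if invoice is None or invoice.owner not in policy.scopes:
        raise Forbidden("no such invoice for this user")
    if action not in policy.actions:
        raise Forbidden(f"action {action!r} not permitted for {requester}")
    return invoice


def is_permitted(requester: str, invoice_id: int, action: str) -> bool:
    """Convenience wrapper returning True if the checked handler allows the call."""
    try:
        fetch_invoice_checked(requester, invoice_id, action)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # The broken handler hands alice's invoice to the contractor for download.
    print("broken:", fetch_invoice_broken("contractor", 101, "download"))
    # The checked handler refuses the same request and allows only in-policy calls.
    print("checked contractor/101/download:", is_permitted("contractor", 101, "download"))
    print("checked contractor/102/view:", is_permitted("contractor", 102, "view"))
```

The checked handler makes the denial decision inside the application rather than on the user's device, which is the property that matters when the endpoint is unmanaged: the policy holds regardless of what the browser or device does.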
Today, with many employees working remotely from unmanaged devices, and more enterprises than ever delegating essential functions like payroll and billing to third-party contractors, enforcing access control is a significant challenge. These third-party users need access to corporate applications to accomplish their tasks, yet without the ability to install access controls on user devices, it’s challenging to restrict access to only the resources they need.
Web application firewalls (WAFs), the technology that has traditionally been used to control access, are no longer effective. A shocking 65% of respondents in a recent survey reported that attacks on their application layers bypassed their WAFs – one of the reasons that web applications top the DBIR attack vector list.
Reducing Data Breaches with Web Application Isolation
ZTEdge Web Application Isolation (WAI) is a Zero Trust, cloud-based approach that enables enforcement of least-privilege access control to corporate apps (on-premises, cloud and SaaS) from unmanaged devices. WAI routes all interactions via the Ericom Global Cloud, effectively airgapping apps to keep malware on unmanaged devices away from them.
Within the isolated cloud-based containers, granular per-user policies are applied to restrict what apps and data each user can access and how. Downloading, uploading and cut-and-paste capabilities can be restricted or blocked to protect sensitive data, and DLP applied to shield PII from exposure. WAI prevents data from being cached on user devices, so data will not be at risk if an unmanaged device is stolen or lost.
As a centrally managed solution, WAI does not require any software to be installed on user endpoints. Apps are accessed through whichever browser each user prefers to use – not a dedicated “enterprise” browser.
Cutting through all the data about different types of attacks and motives, the DBIR report emphasizes four key ways that breaches occur. The report states:
There are four key paths leading to your estate: Credentials, Phishing, Exploiting vulnerabilities and Botnets. These four pervade all areas of the DBIR, and no organization is safe without a plan to handle them all.
The best way to protect against all four is to implement a comprehensive Zero Trust-based cybersecurity solution such as ZTEdge, a cloud-delivered Secure Access Service Edge (SASE) that provides critical tools such as Remote Browser Isolation, Zero Trust Network Access, and built-in Identity and Access Management (IAM) as well as WAI.
To learn more about how ZTEdge can protect your organization from breaches, request a demo today.