Gold diggers: cyber criminals driven by the filthy lucre

Forget state spying and grudge attacks, financial gain remains the key driver for cyber-crime in nearly nine in 10 (86%) incidents, with the vast majority of breaches (70%) caused by external actors, and organised crime accounting for over half (55%) of these.

That is according to the Verizon Business 2020 Data Breach Investigations Report (2020 DBIR) – now in its 13th year – which analysed 32,002 security incidents, of which 3,950 were confirmed breaches; almost double the 2,013 breaches analysed last year.

Credential theft and social attacks such as phishing and business email compromises cause the majority of breaches (over 67%), and specifically nearly two in five (37%) of credential theft breaches used stolen or weak credentials, a quarter (25%) involved phishing, while human error accounted for just over one in five (22%).

The report also exposes a year-over-year two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases – a worrying trend as business-critical workflows continue to move to the cloud, the report says.

Ransomware also saw a slight increase, up to 27% of malware incidents (compared to 24% in 2019), although 18% of organisations reported blocking at least one piece of ransomware last year.

Concerns over working from home
Verizon Business chief executive Tami Erwin said: “As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount. In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”

The report also re-emphasises the common patterns found within cyber-attacks, enabling organisations to determine the bad actors’ destination while attacks are in progress.

Linked to the order of threat actions (error, malware, physical, hacking), these breach pathways can help predict the eventual breach target, enabling attacks to be stopped in their tracks. Organisations are therefore able to gain a “Defender’s Advantage” and better understand where to focus their security defences, the study insists.

Smaller businesses are not immune
The growing number of small and medium-sized businesses using cloud- and web-based applications and tools has made them prime targets for cyber-attackers. Phishing is now the biggest threat for small organisations, accounting for nearly a third (30%) of breaches, followed by the use of stolen credentials (27%) and password dumpers (16%).

Attackers targeted credentials, personal data and other internal business-related data such as medical records, internal secrets or payment information. Over 20% of attacks were against web applications, and involved the use of stolen credentials.

Industries under the cyber-spotlight
The 2020 DBIR now includes detailed analysis of 16 industries, and shows that, while security remains a challenge across the board, there are significant differences across verticals.

For example, in manufacturing, nearly a quarter (23%) of malware incidents involved ransomware, compared to three-fifths (61%) in the public sector and four-fifths (80%) in educational services. Errors accounted for a third (33%) of public sector breaches but only 12% of manufacturing.

Manufacturing: External actors leveraging malware, such as password dumpers, app data capturers and downloaders to obtain proprietary data for financial gain, account for 29% of manufacturing breaches.

Retail: Nearly all (99%) of incidents were financially-motivated, with payment data and personal credentials continuing to be prized. Web applications, rather than point of sale (POS) devices, are now the main cause of retail breaches.

Financial and insurance: Nearly a third (30%) of breaches were caused by web application attacks, primarily driven by external actors using stolen credentials to get access to sensitive data stored in the cloud. The move to online services is a key factor.

Educational services: Ransomware attacks doubled this year, accounting for approximately four-fifths (80%) of malware attacks compared to last year’s 45%, and social engineering accounted for 27% of incidents.

Healthcare: Basic human error accounted for nearly a third (31%) of healthcare breaches, with external breaches at 51% (up from 42% in the 2019 report), slightly more common than insiders at 48% (59% last year). This vertical remains the industry with the highest number of internal bad actors, due to greater access to credentials.

Public sector: Ransomware accounted for three-fifths (61%) of malware-based incidents. A third (33%) of breaches are accidents caused by insiders. However, organisations have got much better at identifying breaches: only 6% lay undiscovered for a year compared with 47% previously, linked to legislative reporting requirements.

Regional trends
When it comes to regional variations, financially-motivated breaches in general accounted for 91% of cases in Northern America, compared to 70% in Europe, Middle East and Africa and 63% in Asia Pacific.

In Northern America, the technique most commonly leveraged was stolen credentials, accounting for nearly four-fifths (79%) of hacking breaches; a third (33%) of breaches were associated with either phishing or pretexting.

In the Europe, Middle East and Africa (EMEA) region, meanwhile, denial of service (DoS) attacks accounted for four-fifths (80%) of malware incidents; two-fifths (40%) of breaches targeted web applications, using a combination of hacking techniques that leverage either stolen credentials or known vulnerabilities. Finally, 14% of breaches were associated with cyber-espionage.

Finally, in Asia Pacific (APAC) 63% of breaches were financially-motivated, and phishing attacks are also high, at over 28%.

Verizon Business Data Breach Investigations Report lead author Alex Pinto said: “The headlines often talk about spying, or grudge attacks, as a key driver for cyber-crime – our data shows that is not the case. Financial gain continues to drive organised crime to exploit system vulnerabilities or human error.

“The good news is that there is a lot that organisations can do to protect themselves, including the ability to track common patterns within cyber-attack journeys – a security game changer – that puts control back into the hands of organisations around the globe.”
