Verizon recently released the 2022 edition of its Data Breach Investigations Report (DBIR), which offers the latest insights into how threat actors are operating, who they’re targeting, and what tactics they are likely to use against organizations like yours.
For its 15th annual report, the DBIR team analyzed 23,896 security incidents and 5,212 confirmed data breaches that took place between November 2020 and October 2021.
Some Key Findings
- Over half of breaches involved the use of either remote access or web applications.
- A whopping 82% of breaches involved a human element. Whether through the use of stolen credentials, phishing, misuse of organizational resources/privileges, or simply human error, people continue to play a very large role in incidents and breaches alike.
- 66% of breaches involved phishing, stolen credentials and/or ransomware.
- Ransomware increased 13% over the previous year—a jump greater than the last 5 years combined.
- Error continues to be a dominant trend and is responsible for 13% of breaches. This finding is heavily influenced by misconfigured cloud storage.
How Hackers Break In
According to the report, the 4 key paths to data breaches are:
- Stolen credentials;
- Phishing attacks;
- Exploiting vulnerabilities;
- Botnets (a botnet is a blend of the words "robot" and "network"; the term refers to a group of devices that have been infected by malware and are remotely controlled by a malicious actor).
No organization is safe without a plan to handle them all.
- 4 out of 5 breaches were attributable to organized crime;
- The number-one actor motive was financial gain. Most data thieves are professional criminals deliberately trying to steal information they can turn into cash.
Hacker Economics & Learning What To Protect
Cybercrime pays… but it’s also an expensive “business” for criminals. Larger criminal organizations who can afford the cost of skilled intrusion services to gain access to company networks are likely to go for riskier, bigger-payout attacks.
As a small to medium-sized organization, it’s the small-time criminal you have to worry about. This bad actor is less of a techie and more of a manager trying to minimize costs. This means they will not spend on professional intrusion services. Instead, they buy access products outright in the form of credentials, emails for phishing, vulnerabilities, or botnet access.
So, when thinking about protecting your organization, you should focus on access. If a bad actor has to pay for expensive intrusion services to break into your systems rather than just use an access product, you’ve made yourself much less of a target.
Some steps you can take to limit access include:
- Use antivirus to remove bots;
- Implement patching, filtering and asset management so that vulnerabilities are not left exposed;
- Standardize two-factor authentication and password managers to minimize credential exposure;
- Lastly, with email being the largest vector, you can’t ignore the human element. Start with email and web filtering followed by a phishing training program.