Reading between the lines of the Verizon 2021 Data Breach Investigations Report
This blog goes over the key takeaways from the 2021 Data Breach Investigations Report (DBIR) published by Verizon Communications Inc.
Verizon analysed 79,635 security events that threatened the "integrity, confidentiality or availability of an information asset". Of these, 29,207 met Verizon's "quality standard" for inclusion, and 5,258 were confirmed breaches, that is, confirmed cases of unsanctioned access to or disclosure of data.
Let's not waste any time and dive right in!
The most common attack pattern in data breaches (incidents with confirmed disclosure of data) was Social Engineering, at 31% of cases. Basic Web Application Attacks came second at 22%, with System Intrusion and Miscellaneous Errors third and fourth at 19% and 18%. The remaining four patterns (Privilege Misuse, Lost and Stolen Assets, Denial of Service and Everything Else) together accounted for only about 10%.
The picture for incidents (any security event that compromises an information asset, whether or not data was disclosed) is similar in proportion, with one significant difference: Denial of Service rises to the top, accounting for roughly 50% of incidents. This is expected, since a denial of service disrupts availability but rarely exposes data, so it rarely counts as a breach.
Phishing was the go-to social engineering variety, present in 36% of breaches, up from 25% the previous year. The author's reading is that the jump is largely a side effect of the shift to remote working during COVID-19. Use of stolen credentials is also near the top, present in a little over 20% of breaches.
Ransomware saw a noticeable increase, doubling its frequency from the previous year to be present in 10% of breaches. As for the vector (the path the attacker takes in), web applications dominate, accounting for about 90% of hacking actions, while desktop sharing software (remote desktop and similar remote access tools) has been creeping up and passed the 5% mark over the past year. For a practitioner, those two numbers together are the priority list: externally exposed web applications and exposed remote access services.
Organisation size had less of an effect than one might expect. Large and small organisations saw a very similar number of attacks, and the motives were consistent between the two, with financial gain the primary driver. The types of data compromised were also similar, primarily credentials and personal data. Lastly, the top patterns for both were the same: System Intrusion, Miscellaneous Errors and Basic Web Application Attacks. Together these represent 80% of breaches in small organisations and 74% in large ones, ranging from "simple to complex attacks" but "frequently focused on web infrastructure".
Below is a spreadsheet breakdown of the incidents and breaches recorded in Verizon's 2021 Data Breach Investigations Report, showing how incidents and breaches are distributed across industries.
Interestingly, these numbers are more than likely a vast understatement, meaning companies may be more susceptible to incidents, and in turn breaches, than one might wish to hear. While there is a lot of ambiguity around the exact proportion of unreported breaches, two articles suggest that between 50% and 75% of all data breaches go unreported.
A surprisingly large portion of incidents resulted in no reported financial loss. When losses did occur, however, "Attackers continue to profit substantially from the adversity that befalls breach and incident victims", pricing their demands on "what the market can bear": for a small organisation the loss may be negligible, but for a large organisation it is more than likely substantial. "When examining breaches that included a reported loss, 95% of BECs [Business Email Compromises] fell between $250 and $985,000 dollars with $30,000 being the median". The Computer Data Breach (CDB) category saw losses ranging from $148 to $1.6 million, again with a $30,000 median. Finally, ransomware losses ranged from $70 to $1.2 million, with a median of $11,150.
Alongside monetary losses comes loss of data. Obscuration (data encryption) as the end result of a ransomware infection is the most common variety, seen in just under 80% of cases. Loss due to "either a lost or stolen asset" comes second at 20%.
It's not all doom and gloom!
The good news is that there is a real chance of reversing the loss of funds. The FBI Internet Crime Complaint Center's Recovery Asset Team (IC3 RAT) can sometimes help victims freeze, or even recover, transferred funds. When the Recovery Asset Team acted on BECs, "half of all US-based business email compromises had 99% of the money either recovered or frozen, whereas only 11% had nothing at all recovered". The practical caveat is speed: funds can only be frozen before the fraudulent transfer clears, so a BEC should be reported to IC3 as soon as it is discovered. These figures also exclude the additional costs and long-term fallout, chiefly digital forensics and incident response work and legal counsel, on top of damage to the business itself.
Ultimately no one is excluded from such events; from a large, long-established company to a newly founded small business, everyone is a potential target. With that in mind, it is worth noting that not all industries are equally exposed, with certain businesses towering above others due to factors such as the types of data handled and their internet presence. As the report puts it, "The infrastructure, and conversely the attack surface, largely drives the risk".