The recently published 2019 Verizon Data Breach Investigations Report finds that 69% of the 2,013 data breaches analyzed were perpetrated by outsiders, with organized crime rings accounting for 39% of breaches and state-sponsored entities accounting for 23%.
More than half of the breaches studied (52%) involved some form of hacking, while social attacks were employed in 33%. Malware, however, was only involved 28% of the time, while errors on the part of IT teams accounted for 21%.
For the first time, the annual Verizon report also includes data from the FBI Internet Crime Complaint Center (IC3), which estimates the median loss of a business email compromise to be about $8,000, while the median loss for a computer data breach is $25,000. Interestingly, the IC3 notes that only 9% of victims of these breaches could not recover money from the bank to which funds were transferred. Half of all business email compromise victims in the U.S. had 99% of the money recovered or frozen.
Gabriel Bassett, senior information security data scientist for the Verizon Security Research team at Verizon Enterprise Solutions, said the FBI data makes it clear that monetary damages from a breach are minimal compared to the total cost of a breach that, among other things, includes the process of notifying customers and the appropriate authorities.
In general, Bassett said most of the attacks being launched against companies would be classified as nuisance attacks. Fewer cybercriminals are employing advanced persistent threat (APT) malware because it’s complicated to build and deploy complex software. It’s much easier to look for a simple misconfiguration to exploit. Increasingly, cybercriminals are not even bothering to launch an actual attack—Bassett said they simply send an email to a senior executive who has the authority to spend up to $25,000, for example, informing that person that their systems have been hacked. As it turns out, more than a few business executives decide to pay off the cybercriminals simply because they have no way to verify whether their IT environments have been compromised. Whether a report of that incident gets filed every time it occurs is anyone’s guess.
Bassett said the best course of action for most organizations is to concentrate their own limited resources on combating nuisance attacks that have short paths that are easily tracked, while relying on either external experts or, for example, a modern point-of-sale (PoS) system with built-in security services to combat complex malware attacks.
Organizations should also assume there is no such thing as a perfect business process, Bassett added. Each process needs to be designed with a graceful degradation of service that is implemented automatically once a breach is discovered.
Finally, Bassett noted that even a junkyard has a dog to guard it. Organizations should not assume that their data has no value, especially when that data can be used within the context of a spear-phishing campaign designed to trick users into giving up their credentials simply because the attackers knew something about them.
The challenge organizations face now, of course, is figuring out just how big a proverbial cybersecurity dog to get.