5 Top Takeaways from the Verizon Data Breach Investigations Report 2020

The latest Verizon Data Breach Investigations Report 2020 is now publicly available to download or read online.

As one of the industry’s top cyber security reports, the 13^th Edition of the Verizon Data Breach Investigations Report (VDBIR) is one of our leading indicators of what causes security incidents and why data breaches occur.  With researchers analyzing 157,525 incidents and 3,950 confirmed data breaches, the 2020 VDBIR report is the most concise and mature to date with a wider global view and more valuable detail.

While noting a sharp decline in security incidents (32,000), the report confirmed nearly 4,000 data breaches.  While the statistics presented in the VDBIR are always of interest to cyber security professionals, the report’s greatest value is that it helps us determine where we are failing to prevent cyber threats, and where we must focus our future efforts to improve security.

Here are my top five takeaways from the report this year, plus additional highlights.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Takeaway 1: Cyber criminals still use the most common techniques at the lowest cost

Cyber criminals are still successfully hacking into companies and governments around the world in fewer than four steps. They are very cost sensitive and use the most common and cheapest techniques to exploit our security.  Cyber criminals also prefer to use the stealthiest method: hiding within the network and living off the land by using the victim’s own solutions to conduct malicious activities.

• 45% of breaches featured hacking
• 8% of breaches were misuse by authorized users

Takeaway 2: Nearly half the breaches involved hacking

Learning how cyber criminals bypass security controls and gain access to systems containing sensitive information helps organizations understand how they might become a target.  At Thycotic, we continually remind organizations to educate their teams on the latest hacking practices so they may better understand what their risks are and how to mitigate them.

Most Common Breach Causes

• 45% of breaches involved hacking
• 22% caused by errors
• 22% included social attacks
• 17% involved malware

Email continues to be the top delivery method and office attachments, again the top payload with Web Applications, Desktops/Laptops and Email being the top target assets.

Cyber criminals target your personal data and credentials. Your email is essentially your digital identity, and once a criminal has access to your email they can steal your identity and become you. This allows them to abuse your corporate access and move laterally across your corporate networks looking for sensitive information that could make them money or provide some value that they can sell.

• Personal Data
• Credentials
• Alter Behavior

Takeaway 3: Human error and misconfigurations are on the rise

All too often it’s not a cyber criminal or advanced nation state actor but our own mistakes that lead to security incidents and data breaches. Human Error was the second most common cause, with misconfigurations topping the list of errors.

Balancing security with productivity is always a challenge.  However, the report indicates that too many cloud storage buckets are open and public. They contain sensitive data about customers and employees and are easy to download. Additionally, firewall misconfigurations make it easy for bad actors to remotely access the network at will.

“Complexity is one of the major causes of Human Error, we must Reject Complexity and focus on Usable Security” – Joseph Carson

The Verizon DBIR clearly indicates that cyber security is about finding the right balance between humans and technology.  Many incidents and breaches confirm that cyber criminals use hacking techniques that exploit vulnerabilities in both applications and humans.  Technology alone can’t protect your identity or sensitive data.

Cyber criminals and other threat actors target people, seeking ways to manipulate them into giving up sensitive information unknowingly. They do this because it’s the easiest way to get at valuable data using a technique known as social engineering.  Therefore, it’s not surprising that people are the weakest link in the cyber security chain, and yet also the best hope for preventing a cyber security disaster.

We must get the balance between people and technology right. There is much complexity in the cyber security industry and it’s crucial that we make it simpler and easier to use if we want people to adopt the technologies we offer.  The future of cyber security lies in making it as simple and usable as possible.

Keep in mind:

• Errors win the award for best supporting action
  A least privilege strategy everywhere should be a priority, with continuous testing and automation to minimize mistakes. 

• Security Researchers are your friends—they let you know when you’re a victim
  Most hackers are good people working to make the internet a safer place. However, the reputation of hackers is often maligned by malicious criminal hackers who abuse their skills. 

• You are most likely going to hear about your error from an external third party
  You should make it as easy as possible for third parties to notify you of security incidents and data breaches. 

• It’s better to admit mistakes—for everyone’s benefit
  Hiding or covering up a security incident or data breach only makes things worse.

Takeaway 4: Cloud applications highly vulnerable to credential theft

The DBIR report showed that the Cloud was involved in 24% of all reported breaches, with 70% on-premise.  However, 77% of those cloud breaches involved stolen and compromised credentials.

Cloud infrastructure and applications have significant benefits and may offer stronger security controls.  But far too much cloud access by remote users relies on a simple password as the only gate keeping cyber criminals out of our networks and away from sensitive data.

Stolen credentials resulting from brute force attacks against web applications is still a successful technique with attacks doubling according to this year’s report.  Organizations must consider implementing the principle of least privilege, not just for endpoints but for Cloud and SaaS applications as well.  A strong privileged access cloud security strategy and multifactor authentication should be a requirement for every company’s cloud security strategy.

Takeaway 5: Ransomware remains a chronic pain

The report shows a decline in malware. This is not surprising given that the latest ransomware techniques were not counted as malware. This is because ransomware is now stealing data prior to encrypting it and becoming more of a data disclosure issue.  Ransomware will be the biggest threat in the future, not only for companies and celebrities but also for governments.

Listen to the DRIB Podcast

Join Joseph Carson from Thycotic and Mike Gruen from Cybrary as they deep dive into Verizon’s 2020 Data Breach Investigations Report:

Here’s a review of additional report highlights

Everyone is a target; be prepared

Size doesn’t matter when it comes to cyber security incidents and data breaches—credentials are a top target no matter the size of the organization.  Everyone is a target, and anyone can become a victim with the simple click of an email link or the opening an attachment.

Chances are it’s only a matter of time before your organizations becomes a victim. Thus, it’s important to invest and prepare a solid cyber incident response plan and business continuity plan so that you can recover well and quickly.  Companies that have a solid incident response plan can reduce the costs of an incident by almost HALF.

More good news is that the dwell time with a breach is getting shorter by days. This is due in part to more companies using Managed Security Services Providers (MSSP).  The report shows that getting more experts involved in your infrastructure can lead to quicker detection of malicious attackers.

Data Breach Summary:

• 81% were contained in days or less
• 72% were large businesses
• 58% had personal data compromised
• 37% used stolen credentials
• 28% involved small businesses

Industries with Most Security Incidents: 

• Professional
• Public
• Information
• Finance
• Manufacturing
• Education
• Healthcare

Industries with Most Data Breaches:

• Healthcare
• Finance
• Manufacturing
• Information
• Public

Cyber-attacks dominated by external actors

Not all cyber-attacks are from advanced nation states or sophisticated hackers, even though media coverage seems to emphasize these types of threats.  Most cyber-attacks are surprisingly simple, and usually financially motivated. Cyber criminals’ nearly always choose the least noisy hacking technique with the lowest cost. Today this typically means targeting humans and taking advantage of their trusting nature.

Attributing attacks to specific actors is one the most difficult jobs in cyber security. Using misdirection and a lack of digital fingerprints can readily obscure the identification of attackers who are often located in another country and under different laws.  This is how the report categorizes bad actors responsible for breaches.

• 70% Breaches by External Actors
• 55% by Organized Crime
• 30% Involved Internal Actors

Follow the money to understand attacker motivation

Motivation is obviously key to understanding why cybertattacks happen. Most attackers are  financially motivated so following the money trail is part of any incident or breach investigation. If you cannot find a financial motive, then you follow the techniques used to determine who has the capabilities and if any similar techniques have been used previously.

Motivation for attacks:

1. 86% Financial
2. Secondary > 20%
3. Espionage

When we all work together the global community gains

It’s amazing to see the VDBIR report getting aligned with other top industry standards such as the Center for Internet Security (CIS) Critical Security Controls and the MITRE ATT&CK® framework. This not only improves the types of data collected for this report, it makes mapping them to appropriate controls much easier.

This report represents the hard work that CISOs and security professionals have been doing to safeguard our data assets from ever-growing and evolving cyber-attacks.  Even in the midst of a global pandemic, cyber criminals around the world have not lessened their attacks, so we must be ever vigilant.

Cyber awareness is working. And that means we must keep LEARNING

Success in cyber awareness and security culture indicates that users are clicking less on bad stuff. This indicates users are becoming more aware and suspicious.  The best way to create a security culture is to align security goals with the business goals and empower employees to not be afraid to ask for advice.

Rolling out a cyber mentor/ambassador program is a good way to connect security strategy and awareness within different organization departments.  Staff should be held accountable only when they are clearly informed of their responsibility and the risks of abusing them by not following process.  If it’s an accidental click on a link that infects a machine, then that’s difficult to view as inappropriate if clicking on stuff is part of the employees’ job.

A comprehensive cyber awareness training program helps an organization reduce the risk of easily becoming a victim of a cyber-attack.  The trend in the Verizon DBIR shows that employees are now less likely to click on a malicious email than in previous years and indicates that they are being more cautious about email threats.  We need to keep up the momentum and make employees one of our strongest defenses in our cyber security strategy, not one of our greatest weaknesses.

<< Download Thycotic’s award winning Cybersecurity for Dummies ebook to help in your continuous employee cyber awareness training.

Our cyber security community keeps getting stronger

This report demonstrates that when we align cyber security and business risk focusing on usable security, we can reduce the number of security incidents and data breaches.  It shows how we can all work together as a community and society to make security work.

I was happy to see the report align to the Center for Internet Security (CIS) Critical Security Controls Top 20 Security Controls as these will help companies provide a solid best practice for reducing security incidents.

CIS Top 20 Controls Summary:

Basic:

1. Inventory and control of hardware assets
2. Inventory and control of software assets
3. Continuous vulnerability management
4. Controlled use of administrator privileges
5. Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
6. Maintenance, monitoring and analysis of audit logs

Foundational:

7. Email and web browser protections
8. Malware defenses
9. Limitation and control of network ports, protocols and services
10. Data recovery capabilities
11. Secure configuration for network devices, such as firewalls, routers and switches
12. Boundary defense
13. Data protection
14. Controlled access based on the need to know
15. Wireless access control
16. Account monitoring and control

Organizational:

17. Implement a security awareness and training program
18. Application software security
19. Incident response and management
20. Penetration tests and red team exercises