5 top takeaways from the Verizon Data Breach Investigations Report 2020
As one of the industry’s top cybersecurity reports, the 13th Edition of the Verizon Data Breach Investigations Report (DBIR) is one of our leading indicators of what causes security incidents and why data breaches occur. With researchers analyzing 157,525 incidents and 3,950 confirmed data breaches, the 2020 DBIR report is the most concise and mature to date with a wider global view and more valuable detail.
While noting a sharp decline in security incidents (32,000), the report confirmed nearly 4,000 data breaches. While the statistics presented in the DBIR are always of interest to cybersecurity professionals, the report’s greatest value is that it helps us determine where we are failing to prevent cyber threats, and where we must focus our future efforts to improve security.
Here are my top five takeaways from the report this year, plus additional highlights.
Takeaway 1: Cyber criminals still use the most common techniques at the lowest cost
Cybercriminals are still successfully hacking into companies and governments around the world in fewer than four steps. They are very cost-sensitive and use the most common and cheapest techniques to exploit our security. Cyber criminals also prefer to use the stealthiest method: hiding within the network and living off the land by using the victim’s own solutions to conduct malicious activities.
- 45% of breaches featured hacking
- 8% of breaches were misused by authorized users
Takeaway 2: Nearly half the breaches involved hacking
Learning how cyber criminals bypass security controls and gain access to systems containing sensitive information helps organizations understand how they might become a target. At Delinea, we continually remind organizations to educate their teams on the latest hacking practices so they may better understand what their risks are and how to mitigate them.
Most Common Breach Causes
- 45% of breaches involved hacking
- 22% caused by errors
- 22% included social attacks
- 17% involved malware
Email continues to be the top delivery method and office attachments, again the top payload with Web Applications, Desktops/Laptops, and Email being the top target assets.
Cyber criminals target your personal data and credentials. Your email is essentially your digital identity, and once a criminal has access to your email they can steal your identity and become you. This allows them to abuse your corporate access and move laterally across your corporate networks looking for sensitive information that could make them money or provide some value that they can sell.
- Personal Data
- Alter Behavior
Takeaway 3: Human error and misconfigurations are on the rise
All too often it’s not a cyber criminal or advanced nation-state actor but our own mistakes that lead to security incidents and data breaches. Human Error was the second most common cause, with misconfigurations topping the list of errors.
Balancing security with productivity is always a challenge. However, the report indicates that too many cloud storage buckets are open and public. They contain sensitive data about customers and employees and are easy to download. Additionally, firewall misconfigurations make it easy for bad actors to remotely access the network at will.
“Complexity is one of the major causes of Human Error; we must Reject Complexity and focus on Usable Security” – Joseph Carson
The Verizon DBIR clearly indicates that cybersecurity is about finding the right balance between humans and technology. Many incidents and breaches confirm that cyber criminals use hacking techniques that exploit vulnerabilities in both applications and humans. Technology alone can’t protect your identity or sensitive data.
Cyber criminals and other threat actors target people, seeking ways to manipulate them into giving up sensitive information unknowingly. They do this because it’s the easiest way to get at valuable data using a technique known as social engineering. Therefore, it’s not surprising that people are the weakest link in the cybersecurity chain, and yet also the best hope for preventing a cybersecurity disaster.
We must get the balance between people and technology right. There is much complexity in the cybersecurity industry and it’s crucial that we make it simpler and easier to use if we want people to adopt the technologies we offer. The future of cybersecurity lies in making it as simple and usable as possible.
Keep in mind:
- Errors win the award for best-supporting action
A least privilege strategy everywhere should be a priority, with continuous testing and automation to minimize mistakes.
- Security Researchers are your friends—they let you know when you’re a victim
Most cyber criminals are good people working to make the internet a safer place. However, the reputation of cyber criminals is often maligned by malicious criminal cyber criminals who abuse their skills.
- You are most likely going to hear about your error from an external third party
You should make it as easy as possible for third parties to notify you of security incidents and data breaches.
- It’s better to admit mistakes—for everyone’s benefit
Hiding or covering up a security incident or data breach only makes things worse.
Takeaway 4: Cloud applications highly vulnerable to credential theft
The DBIR report showed that the cloud was involved in 24% of all reported breaches, with 70% on-premise. However, 77% of those cloud breaches involved stolen and compromised credentials.
Cloud infrastructure and applications have significant benefits and may offer stronger security controls. But far too much cloud access by remote users relies on a simple password as the only gatekeeping cyber criminals out of our networks and away from sensitive data.
Stolen credentials resulting from brute-force attacks against web applications are still a successful technique with attacks doubling according to this year’s report. Organizations must consider implementing the principle of least privilege, not just for endpoints but for cloud and SaaS applications as well. A strong privileged access cloud security strategy and multifactor authentication should be a requirement for every company’s cloud security strategy.
Takeaway 5: Ransomware remains a chronic pain
The report shows a decline in malware. This is not surprising given that the latest ransomware techniques were not counted as malware. This is because ransomware is now stealing data prior to encrypting it and becoming more of a data disclosure issue. Ransomware will be the biggest threat in the future, not only for companies and celebrities but also for governments.
Listen to the DBIR Podcast
Join Joseph Carson from Delinea and Mike Gruen from Cybrary as they deep dive into Verizon’s 2020 Data Breach Investigations Report:
Here’s a review of additional report highlights
Everyone is a target; be prepared
Size doesn’t matter when it comes to cybersecurity incidents and data breaches—credentials are a top target no matter the size of the organization. Everyone is a target, and anyone can become a victim with the simple click of an email link or the opening of an attachment.
Chances are it’s only a matter of time before your organization becomes a victim. Thus, it’s important to invest and prepare a solid cyber incident response plan and business continuity plan so that you can recover well and quickly. Companies that have a solid incident response plan can reduce the costs of an incident by almost HALF.
More good news is that the dwell time with a breach is getting shorter by days. This is due in part to more companies using Managed Security Services Providers (MSSP). The report shows that getting more experts involved in your infrastructure can lead to quicker detection of malicious attackers.
Data Breach Summary:
- 81% were contained in days or less
- 72% were large businesses
- 58% had personal data compromised
- 37% used stolen credentials
- 28% involved small businesses
Industries with Most Security Incidents:
Industries with Most Data Breaches:
Cyberattacks dominated by external actors
Not all cyberattacks are from advanced nation-states or sophisticated cyber criminals, even though media coverage seems to emphasize these types of threats. Most cyberattacks are surprisingly simple, and usually financially motivated. Cyber criminals nearly always choose the least noisy hacking technique with the lowest cost. Today this typically means targeting humans and taking advantage of their trusting nature.
Attributing attacks to specific actors is one of the most difficult jobs in cybersecurity. Using misdirection and a lack of digital fingerprints can readily obscure the identification of attackers who are often located in another country and under different laws. This is how the report categorizes bad actors responsible for breaches.
- 70% Breaches by External Actors
- 55% by Organized Crime
- 30% Involved Internal Actors
Follow the money to understand attacker motivation
Motivation is obviously key to understanding why cyberattacks happen. Most attackers are financially motivated so following the money trail is part of any incident or breach investigation. If you cannot find a financial motive, then you follow the techniques used to determine who has the capabilities and if any similar techniques have been used previously.
Motivation for attacks:
- 86% Financial
- Secondary > 20%
When we all work together the global community gains
It’s amazing to see the DBIR report getting aligned with other top industry standards such as the Center for Internet Security (CIS) Critical Security Controls and the MITRE ATT&CK® framework. This not only improves the types of data collected for this report but also makes mapping them to appropriate controls much easier.
This report represents the hard work that CISOs and security professionals have been doing to safeguard our data assets from ever-growing and evolving cyberattacks. Even in the midst of a global pandemic, cyber criminals around the world have not lessened their attacks, so we must be ever vigilant.
Cyber awareness is working. And that means we must keep LEARNING
Success in cyber awareness and security culture indicates that users are clicking less on the bad stuff. This indicates users are becoming more aware and suspicious. The best way to create a security culture is to align security goals with the business goals and empower employees to not be afraid to ask for advice.
Rolling out a cyber mentor/ambassador program is a good way to connect security strategy and awareness within different organization departments. Staff should be held accountable only when they are clearly informed of their responsibility and the risks of abusing them by not following the process. If it’s an accidental click on a link that infects a machine, then that’s difficult to view as inappropriate if clicking on stuff is part of the employees’ job.
A comprehensive cyber awareness training program helps an organization reduce the risk of easily becoming a victim of a cyberattack. The trend in the Verizon DBIR shows that employees are now less likely to click on a malicious email than in previous years and indicates that they are being more cautious about email threats. We need to keep up the momentum and make employees one of the strongest defenses in our cybersecurity strategy, not one of our greatest weaknesses.
Our cybersecurity community keeps getting stronger
This report demonstrates that when we align cybersecurity and business risk focusing on usable security, we can reduce the number of security incidents and data breaches. It shows how we can all work together as a community and society to make security work.
I was happy to see the report align with the Center for Internet Security (CIS) Critical Security Controls Top 20 Security Controls as these will help companies provide a solid best practice for reducing security incidents.
CIS Top 20 Controls Summary:
- Inventory and control of hardware assets
- Inventory and control of software assets
- Continuous vulnerability management
- Controlled use of administrator privileges
- Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
- Maintenance, monitoring, and analysis of audit logs
- Email and web browser protection
- Malware defenses
- Limitation and control of network ports, protocols, and services
- Data recovery capabilities
- Secure configuration for network devices, such as firewalls, routers, and switches
- Boundary defense
- Data protection
- Controlled access based on the need to know
- Wireless access control
- Account monitoring and control
- Implement a security awareness and training program
- Application software security
- Incident response and management
- Penetration tests and red team exercises
Thanks to the Verizon DBIR team and supporting companies
The 2020 DBIR report should be recognized as an InfoSec success and a confirmation that cybersecurity is increasing in priority for many organizations around the world. I do wish the report included more success or positive news in contrast to the usual doom and gloom.
However, I found the results of this report very positive and tried to find a way to pat myself on the shoulder, as should other security professionals around the world.