82% Cyber Breaches In Verizon’s Report Preventable, Says MyCena

By ISBuzz Team | June 29, 2022 | Updated: July 4, 2024 | 5 Mins Read

Verizon recently released its 2022 Data Breach Investigations Report, giving businesses vital insights into the state of cybersecurity around the world. It contains an analysis of over 23,000 incidents and 5,200 confirmed breaches, analysed over the past. Overall, Verizon attributes the number-one motive of cyberattacks to financial gain, saying almost four out of five breaches were attributable to organised crime seeking to extort businesses of hefty ransomware sums, backed by insurance pay-out.

In the report, Verizon estimates that there has been a 13% increase in ransomware breaches – this is more than in the last 5 years combined. Additionally, 82% of cyber breaches involved a human element, namely through stolen credentials, phishing, misuse or simply an error.

Verizon states that people continue to play a very large role in incidents and breaches alike. This year 18% of clicked phishing emails are also said to come directly from a mobile phone, highlighting it as a weakness for business security. Verizon argues that their statistics highlight the importance of having a strong security awareness program.

Julia O’Toole, Founder and CEO of MyCena Security Solutions, believes that this report outlines the desperate need for private businesses and public organisations to change their cybersecurity approach. Improving security awareness is good, but directly addressing a problem which has persisted uncontested for nearly two decades is better.

“For 15 years, the vast majority of cyber-attacks and network breaches have happened through credential-based logins. Credentials, specifically their theft and misuse, have long been the elephant in the room, causing over 80% of breaches year after year. Yet for all this time, the cybersecurity industry has not fixed the root cause of the problem. Instead, efforts and investments in cybersecurity only focused on the remaining 1/5 of breaches – from infrastructure and software vulnerabilities – most of which remain undetected. 

In the meantime, organizations have continued to blame their employees for poor password hygiene or failing phishing attacks. Placing the main cybersecurity problem on employees’ shoulders also had the pernicious effect of companies making hazardous decisions. For example, organizations that converted to single access to make user login easier had mechanically knocked down obstacles for criminals and reduced their cyber resilience. They in effect created a golden path for criminals to access, scan and find privileged access or “main switch” to lock the entire network, which in turn accelerated their workflow and reduced by 94.34% the time between initial access to ransomware from more than 2 months to 3.85 days between 2019 and 2021.

“Investing billions of dollars in cybersecurity may have had the reverse effect on organisations’ cyber-resilience, as they took down layers of security for users’ convenience. This could explain why Verizon’s report shows organisations are now less safe than 15 years ago. In the same vein, US National Cyber Director Chris Inglis recently asked the administration and federal agencies to ‘transform the way they approach and invest in cybersecurity’, as previous efforts have clearly ‘not worked’.”

O’Toole believes that businesses are not to blame when it comes to these issues, although it is their responsibility to educate themselves and start addressing this root issue as soon as possible. “Most companies let their employees control the access credentials to their infrastructure and assets. That is essentially giving up control of access from day one. When someone else controls your company’s digital keys, you are no longer in charge of what happens to them – whether they are weak, reused, shared, sold, phished – and blinded from both external and internal threats across the entire surface of your organisation. From a legal standpoint, companies may have also put themselves in breach of data privacy laws such as GDPR, HIPAA, CCPA or LGPD, since not having control, possession and custody of the access keys to your data means not having control, possession and custody of the data itself. Reclaiming credentials ownership, therefore, is essential and should be a priority.”

“In the absence of physical obstacles to credentials theft, the most effective measure to address and secure that 82% is to use end-to-end encrypted credentials, from creation, distribution, storage, use, to expiry. Companies simply encrypt and distribute access credentials to all systems to their users inside a secure place only each user can access. Because you cannot give information you don’t have, as long as people use credentials without seeing or knowing them, organisations stay in control of their access.”

“Encrypting access also gives back to organisations the control and responsibility for their cybersecurity, which no longer rests on the employees’ shoulders. By re-enabling network access segmentation, companies are also able to improve their overall cyber-resilience and limit the impact of any breach.”

“Since the first Verizon report, organisations have been doing the same thing and hoping for a different result. Fifteen years on, it is time for them to fix those credentials-based breaches once and for all.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
