Verizon has today published its yearly report on business data breach investigations. Key stats included:
- 86 percent of data breaches for financial gain – up from 71 percent in 2019
- Cloud-based data under attack – web application attacks double to 43 percent
- 67 percent of breaches caused by credential theft, errors and social attacks
- Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime
- On-going patching successful – fewer than 1 in 20 breaches exploit vulnerabilities
- Report analyzes 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries
Verizon @VerizonBusiness releases 2020 Data Breach Investigations Report #DBIR, just posted at midnight ET: https://t.co/WbPL4VouXh
— Christian Beckner (@cjbeckner) May 19, 2020
While it’s a positive shift to see this year’s Verizon Data Breach Investigations Report (DBIR) reflect the security challenges of small businesses, there is much more work to be done to extrapolate major trends from more comprehensive SMB data. From our work with managed service providers (MSPs) who provide outsourced IT to hundreds of thousands of SMBs, we know that only 407 incidents in one year is startlingly low. In fact, in just the last week, we were informed of a single network attack on an MSP that compromised 15 different SMBs alone.
What’s also interesting is that the last year the DBIR report focused on small business trends was 2013 — the same year the Edward Snowden revelations came out. Since then, hacking has become more mainstream and enterprises have begun to take security more seriously. However, SMBs have not made similar strides in their security posture, which is alarming considering the growing threat of criminal marketplaces targeting these businesses.
Similarly, with espionage accounting for 8% of small business motives versus 14% for large enterprises, our experience suggests that these attacks are likely against defense contractors, of which many fall under the 1,000 employee threshold. In fact, the latest Cybersecurity Maturity Model Certification (CMMC) requirements released earlier this year further underscore this persistent issue. We have reviewed evidence of nation state actors leveraging MSPs to swim upstream in order to gain access into well-established defense contractors to obtain federal data.
According to the DBIR report, brute force attacks account for approximately 8 percent of top breach types within large enterprises, while making up 34 percent for small businesses. We have also seen brute force attacks plague hundreds of businesses by reusing usernames and passwords disclosed in unrelated breaches in an attempt to hack into a system. Although this attack method has been around for quite some time, its effectiveness is higher with smaller businesses because of the prevalence of misconfigured security policies and low adoption of multi-factor authentication, a symptom of an even bigger problem — a shortage of cybersecurity talent.
However, we know firsthand these types of attacks are even more prevalent within SMBs than the DBIR indicates. For example, adopting and enforcing a least privilege policy among SMBs is one of the largest challenges as they try to balance productivity with security while growing their business. This creates ripe environments for privilege escalation and lateral movement within the network that leads to capturing stored data or credential theft.
There is also a common misconception that enterprises need to be most wary of phishing attacks. This often holds true for larger enterprises that have stronger security configurations, prompting hackers to resort to phishing knowing that humans tend to be the weakest link. However, the same cannot be said for SMBs. We generally see a wider distribution of attacks within SMBs because there are more low-hanging attack surfaces and weaker links to target, such as misconfigured or unpatched systems. With the growing target on SMBs’ backs, it is more important than ever to employ an MSP to protect company data and assets.
Web applications are a growing focus point for cyber criminals. Motivated by financial outcomes, they understand the value of the information exchanged and stored in web applications. The 2020 Verizon Data Breach Investigations Report (DBIR) confirms that this is the case: 43% of data breaches are tied to web application vulnerabilities—which more than doubled year over year. Legacy, outside-in DevOps security is failing, and a new approach is needed that takes an inside-out approach.
The findings from the Verizon report demonstrate that, as an industry, we are spending more time reacting to threats rather than proactively taking steps to ensure assets are secure before they go to market. This is why it’s crucial to think about security as early as when developers are actually coding applications. The technology to provide Code Security feedback throughout software development workflows exists, and not only will it help organizations prevent future incidents, it will also grow their development team in caring about the security of their product. Developers get to learn and leverage secure coding practices, resulting in more secure applications delivered to end-users. This type of technology can already identify and eliminate the most commonly exploited web app vulnerabilities, according to Verizon’s report–SQL injection and PHP injection vulnerabilities.
No matter what the industry does, attackers seem to be able to stay one step ahead. Attackers appear to be utilizing the same methods with a varying mix depending on what defenses are on in place. One thing that is clear is that the industry has not solved the phishing problem, as it remains the top attack vector. It seems that no amount of AI or detection algorithms are able to combat a well-written email that is delivered to a user on a topic that is of interest.
With the current remote worker situation and ever expanding use of SaaS and mobile devices, the attack surface continues to expand, and this makes it increasingly difficult to stem the tide of breaches. We predict that the scale of breaches will only increase in 2020 as attackers take advantage of this situation. It’s likely to be one of the worst years we have seen in a long time.
37% of breaches stole or used credentials highlights the need for businesses and organizations to provide their end-users with a secure mechanism for accessing systems and data that doesn\’t rely on passwords alone. With more and more of our lives becoming digital, securing and protecting are digital identity and lives will come more into focus. Businesses and organizations who demonstrate good security practices to it end-users will remain distinct advantage. Secure access control to data and systems is a fundamental to building this end-user trust.