Human Element Remains Biggest Threat: Verizon’s 2023 Data Breach Investigations Report

Even as the cumulative count of the number of breaches in Verizon’s database continues to rise sharply—as reflected in Verizon’s 2023 Data Breach Investigations Report—it is the human element that takes centrestage in the latest report.

Stolen credentials, phishing, and exploitation of vulnerabilities were found to be the three main ways cybercriminals get access to an enterprise. Human error continues to be an integral element whenever organisational security fails against data breaches. The human element features in 74% of all breaches, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering, the report showed.

The report also found that social engineering attacks—which involve the psychological compromise of people that forces them to take an action or breach confidentiality—are frequently very successful and extremely profitable for cybercriminals.

The report presents data from an analysis of 16,312 cybersecurity incidents, of which 5,199 were confirmed data breaches. The incidents described took place between Nov. 1, 2021, and Oct. 31, 2022.

Top 10 Insights

Below are the key insights from Verizon’s report:

1. Social Engineering Attacks Rising: The frequency of social engineering attacks is mounting. Within the social engineering pattern, the number of business email compromise attacks—basically pretexting attacks—has nearly doubled, and they account for more than 50% of cybersecurity incidents in the pattern. Over the past couple of years, the average amount stolen using such attacks has also risen to $50,000.

2. Pretexting More Prevalent Than Phishing: Phishing—such as a dubious attachment in an email or a malicious link with a password update request—makes up 44% of social engineering incidents. However, pretexting incidents—such as a friend soliciting money on social media or messages convincing you that a loved one is in danger—are now becoming more prevalent. Not only does this reflect the attackers’ enhanced abilities to breach data but also to invent a social scenario to play on emotions and create a sense of urgency as part of the attack.

3. External Actors Behind The Breaches: Threat actors can be classified into external (originating outside the organisation), internal (within the organisation) and partner (third-parties like vendors, suppliers, IT providers, etc). External actors were involved in 83% of breaches, while internal ones accounted for 19%. Organised crime leads as an external threat actor. The primary motivation for attacks continues to be financial in over 94% breaches.

4. Stolen Credentials Leads As Attack Vector: How do attackers gain access to an organisation? In 49% breaches, the use of stolen credentials was involved. Phishing was the next most used means of ingress in 12% cases. Exploitation of vulnerabilities rounded off the top three access points in 5% breaches.

5. Use Of Stolen Credentials Tops Threat Actions: First-stage or single-stage attacks—namely, use of stolen credentials for breaches and denial of service for incidents—led threat actions, which basically means the deeds of cybercriminals. The share of stolen credential use increased from 41.6% in the last report to 44.7% in the current one.

6. Ransomware Still A Major Threat: While it did not expand, ransomware accounted for almost a quarter of action types present in breaches—24%—and it was pervasive in businesses of all sizes and across all sectors. The most common vectors through which ransomware attacks occur are email, desktop sharing software and web applications, with email being one of the most convenient delivery mechanisms for malware.

7. Assets Affected Include People: Assets are entities that can be affected in an incident or breach. Considering that system intrusion, basic web application attacks and social engineering were the primary attack patterns, servers were affected the most and the share of user devices affected rose. However, people are assets too, and “person” as a category retained its second spot, representing the target—humans—of social threat actions.

8. Virtual Money Under Attack: Virtual currency by its very nature is a dangerous endeavour, and it is increasingly coming under the ambit of cyberattacks. This year, there was a fourfold increase in the number of breaches involving cryptocurrency as compared with last year. Exploiting vulnerabilities, use of stolen credentials, and phishing were the top action varieties in breaches which involved virtual currency.

9. Poor Password Quality Behind Web Application Attacks: Basic web application attacks represented around a quarter of the dataset. These tend to be largely driven by attacks against credentials, which are then used by attackers to access different resources. Unsecured passwords, which are both poorly chosen and protected, are still a common cause of breaches in this pattern.

10. Healthcare Under Siege: Ransomware gangs frequently target the healthcare sector, which causes both data breaches and the loss of access to their systems, possibly with life-threatening implications. In the last three years, there has been an increase in confirmed breaches in healthcare in which data is confirmed to have been stolen and encryption triggered. There were 525 incidents, 436 with confirmed data disclosure. Insider threat also looms in this industry.

How Can Enterprises Safeguard Data?

Given the length and breadth of the cyber threat landscape, organisations must look to implement varied safeguards at multiple touchpoints. These include device protection by securing the configuration of enterprise assets and software, email and web browser protection, malware defences, securing the infrastructure through continuous vulnerability management and establishing a data recovery process.

As can be said for most attacks, rapid detection and response is critical when responding to social engineering attacks. Since humans are the epicentre of most breaches, organisations must not only offer security awareness and skill training to employees—in helping them learn about best practices of data handling and causes of unintentional data exposure—but also train developers in application security concepts and secure coding.