Last week saw the release of Verizon’s Data Breach Investigations Report (DBIR) 2022: 90 pages, plus appendices. I thought I’d summarise it, by way of public service, because (a) I kind of have to read it anyway, and (b) it contains a number of useful messages which SWCRC members ought to have ready access to. The report draws on data provided by around 90 different contributing organisations, incorporating almost 1 million incidents and around 250,000 breaches, and it covers a year’s worth of data up to the end of October 2021. As such, it’s probably about the best analysis of trends in cybersecurity available. You can access a full copy of the report here.
So, what drew my eye?
The first thing was the relative infrequency of insider breaches, which make up only 18% of reported cases, although when they do occur they tend to have a greater impact. Most breaches come from external sources, and the proportion may surprise some; but I particularly noticed the frequency and impact of breaches originating from partners. As the report puts it, privileged parties are able to do more damage. (Which is exactly why SWCRC is seeking to help big companies with the cyber awareness of their smaller collaborators.)
I was also struck by ‘why’ organisations are attacked. ‘For money’ sounds like an obvious answer, and is indeed the vast majority: but I would have anticipated far more than around 10% to be about espionage, to say nothing of the tiny proportion motivated by grudge or ideology. Part of me wonders whether that is about financial attackers actually having to show their hand, whilst others may lie dormant. I was struck at a recent ransomware event by delegates asserting how often, when they’re called in to correct a breach, they find other threat actors already operating inside the systems.
In terms of ‘how’ you’re liable to be attacked, “the main ways in which your business is exposed to the internet are the main ways that your business is exposed to the bad guys” (p15). Specifically, that’s web applications and email, followed by carelessness (misconfigurations and other errors) and desktop sharing software. Viewed through a different lens, ‘hacking’ is the ‘how’ responsible for around half of breaches, ‘malware’ for around 40% and ‘social’ for around 20%, recognising of course that a single breach can involve several of these, which is why the figures add up to more than 100%. All of this sounds complicated, but mitigation begins with the basics.
First up, prompt updates. The exploitation of vulnerabilities occurs in around 7% of cases, and the report suggests that this can frequently be attributed to organisations not fixing known issues quickly enough. Criminals can try an endless number of doors, and they only need to find a few unlocked. The next basics to address are limiting what can run on company assets (e.g. through whitelisting, or allowlisting, of applications), and educating your people. They’re your second-most targeted asset, at around 25% of breaches. I’m regularly frustrated by the low figures which businesses evidence for staff training, as they settle instead for a quick round of internal phishing tests. Surely this is, yet again, a strong argument for investing in your people, in a way which benefits them outside the workplace too?
Throughout the document, credential theft keeps coming up: as an initial goal, but more importantly as a step on the path to bypassing an organisation’s defences. With ransomware at its highest level in the report’s history, this reiterates the training message. It’s interesting to see a huge shift here: six years ago, over half of web application breaches were caused by vulnerabilities, and just over a quarter used stolen credentials. Now it’s under 25% and around three quarters, respectively. A stolen password walks through the front door without needing a vulnerability at all, which is why two-factor authentication sits at the top of the report’s own recommendations.
And, justifying a paragraph on its own: 82% of breaches have a human element at their core. 82%.
Inevitably, in a big organisation, the law of averages suggests that someone will always click somewhere they shouldn’t, particularly if there’s a strong social engineering approach. The report suggests a 2.9% click rate. So the 82% statistic doesn’t imply in any way that cybersecurity products aren’t an essential part of the overall approach. But for the smaller businesses that don’t have access to such products, the 82% statistic does suggest a good starting point for their security efforts. If there are only five of you in the organisation, the odds that nobody clicks are far better, and are bolstered further if you know what to look out for. Which is one reason why (forgive the plug) we put a comprehensive threat assessment together for these businesses every month.
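To put some numbers on the “law of averages” point above, here is a small Python calculation I’ve added (it is not from the DBIR or from SWCRC). It takes the report’s 2.9% click rate and asks how likely it is that at least one person in a team of a given size clicks a single phishing campaign, and how big a team needs to be before that becomes a coin flip. The model assumes every recipient is an independent 2.9% chance, which is a simplification: a well-crafted lure raises everyone’s odds at once, so treat the results as a floor rather than a forecast.

```python
import math

# Click rate from the DBIR's phishing-simulation data, as quoted above (2.9%).
DBIR_CLICK_RATE = 0.029


def p_at_least_one_click(recipients: int, click_rate: float = DBIR_CLICK_RATE, campaigns: int = 1) -> float:
    """Probability that at least one recipient clicks, across `campaigns` separate phishing campaigns.

    Assumption (a simplification): each recipient/campaign pair is an independent
    Bernoulli trial with probability `click_rate`, so P(nobody clicks) = (1 - p) ** exposures.
    """
    if recipients < 0 or campaigns < 0:
        raise ValueError("recipients and campaigns must be non-negative")
    if not 0.0 <= click_rate <= 1.0:
        raise ValueError("click_rate must be a probability")
    exposures = recipients * campaigns
    return 1.0 - (1.0 - click_rate) ** exposures


def expected_clicks(recipients: int, click_rate: float = DBIR_CLICK_RATE, campaigns: int = 1) -> float:
    """Mean number of clicks you should expect from a campaign (or a year of campaigns)."""
    return recipients * campaigns * click_rate


def recipients_for_probability(target: float, click_rate: float = DBIR_CLICK_RATE) -> int:
    """Smallest team size at which P(at least one click in one campaign) reaches `target`.

    Solve (1 - p) ** n <= 1 - target for n, i.e. n >= ln(1 - target) / ln(1 - p).
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    if click_rate <= 0.0:
        raise ValueError("a zero click rate never reaches the target")
    if click_rate >= 1.0:
        return 1
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - click_rate))
    return max(n, 1)


if __name__ == "__main__":
    # Team sizes chosen for illustration: a five-person micro-business up to a large organisation.
    for team in (5, 24, 50, 250, 1000):
        print(f"{team:>5} staff: P(someone clicks one campaign) = {p_at_least_one_click(team):6.1%}, "
              f"expected clicks over 12 campaigns = {expected_clicks(team, campaigns=12):.1f}")
    print(f"Coin-flip team size at {DBIR_CLICK_RATE:.1%}: {recipients_for_probability(0.5)} recipients")
```

With the DBIR rate, a team of five has roughly a one-in-seven chance that somebody clicks a given campaign, a team of about 24 is at 50/50, and by 250 staff the chance of a clean campaign is effectively nil. That is the whole argument for layering products on top of awareness in larger organisations, and for awareness being the highest-value first step in the smallest ones.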
I also picked up on pp45 onwards, regarding the threat posed by mobile devices. Over the last year, we’ve increasingly seen Android (in particular) being mentioned as a potential attack vector. The DBIR suggests that only 42% of devices had no URL access blocked at all, while 84% of devices avoided an unwanted app. As the authors point out, reversing the figures means that 58% of devices had at least one URL blocked (that is, a user tried to reach something the filter stopped, and so had the potential to click a malicious link), and 16% of devices had at least one malware or riskware app installed. The argument for treating mobile devices as part of an overall cybersecurity effort won’t be news to a larger organisation. But it’s probably time for smaller players to sit up and pay attention too.
And a concluding thought. We spend a lot of time in the national cyber resilience centre network pushing the same core messages out. Invariably, they’re drawn from the straightforward guidance developed by the UK’s National Cyber Security Centre. It’s reassuring to see that same guidance strongly echoed by the report, with its top ten recommendations listed below, in broadly the priority order I might have guessed at the outset. Based on this extensive analysis of a year of breaches and incidents, getting safer continues to be a question of doing the basics first.
Of course, I’d probably insert one further item at the outset. If you’re in the UK, link in with your local police-led cyber resilience centre. We’ll guide you through most of this for free, we’ll update you regularly, and if you’re a bigger business we’ll happily look after your supply chain. If you already did that, congratulations: now check through the list below and re-confirm you’ve put everything in place.
1. Use two-factor authentication.
2. Do not reuse or share passwords.
3. Use a password keeper/generator app.
4. Be sure to change the default credentials of the Point of Sale (PoS) controller or other hardware/software.
5. Ensure that you install software updates promptly so that vulnerabilities can be patched.
6. Work with your vendors to be sure that you are as secure as you can be, and that they are following these same basic guidelines.
7. Keep a consistent schedule with regard to backups and be sure to maintain offline backups—meaning that they are not on a device connected to a computer.
8. Ensure that the built-in firewall is switched on for user devices such as laptops and desktops (“on” may not be the default).
9. Use antivirus software for all your devices. Smartphones, tablets and credit card swipers are just as important as laptops and computers. It won’t catch everything, but it will help.
10. Do not click on anything in an unsolicited email or text message.
Join us at www.swcrc.co.uk for free core membership and regular updates on cyber threats.