Human error continues to be a leading factor in data breaches, according to Verizon’s annual analysis of cyberattacks around the world.
That was one of the conclusions of the 2022 Verizon Data Breach Investigations Report, which looked at 23,896 incidents last year, 5,212 of which were confirmed breaches. The data came from 87 cybersecurity vendors, researchers and consultants.
Eighty-two per cent of breaches in 2021 involved the human element, the authors found. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” the report says.
Mistakes alone were responsible for 14 per cent of breaches. “This finding is heavily influenced by misconfigured cloud storage,” the report adds. The report doesn’t say so explicitly, but this category would include misconfigured Amazon storage buckets.
Among the highlights (or lowlights, depending on your point of view):
- ransomware has continued its upward trend, making up 25 per cent of breaches, an almost 13 per cent rise over 2022. That’s a rise as big as the past five years combined, the report says. “It’s important to remember that, while ubiquitous and devastating, ransomware by itself is, at its core, a model of monetizing an organization’s access,” the report adds. Blocking the abuse of credentials (stolen or brute-forced), keeping employees from falling for phishing, keeping attackers from exploiting vulnerabilities and blocking botnets are the best ways to thwart ransomware;
- roughly 4 in 5 breaches can be attributed to organized crime, with external actors approximately four times more likely to cause breaches in an organization than insiders;
- supply chain attacks were involved in 61 per cent of incidents last year. “Compromising the right partner is a force multiplier for threat actors,” the report noted. One of the best-known supply chain attacks in 2021 was the compromise of Kaseya’s VSA platform;
- system intrusion was the leading cause of 1,638 breaches with confirmed data disclosure in Canada and the U.S. That was followed by social engineering and basic web application attacks. Globally, 62 per cent of system intrusion incidents came through an organization’s partners.
What should CISOs be doing? Of the Center for Internet Security’s 18 Critical Security Controls, emphasize these five, says the report:
- Data Protection. This control pertains to the processes and technical controls to identify, classify and securely handle organizational data in all its forms. This control helps prevent organizations from accidentally exposing their data through email or misconfigurations;
- Secure Configuration of Enterprise Assets and Software. This control contains safeguards focused on engineering solutions that are secure from the outset, as opposed to tacking them on later. It offers substantial benefits when it comes to reducing error-based breaches such as misconfiguration and loss of assets by enforcing remote wiping abilities on portable devices;
- Account Management. This control is very much targeted toward helping organizations manage the access to accounts and is useful against brute force and credential stuffing attacks;
- Access Control Management. This control manages the rights and privileges of users and enforces multifactor authentication on key components of the environment, an important defense against the use of stolen credentials;
- Security Awareness and Skills Training. Considering the prevalence of errors and social engineering in the data, the report’s authors say it is clear that security awareness and technical training are a great place to put some dollars in order to help support your team against a world full of cognitive hazards.