Verizon Data Breach Investigations Report: Money Is Top Motivator

Cold, hard cash is what matters most to cybercriminals, according to the latest Verizon Business Data Breach Investigations Report (DBIR).

The 13th annual data breach investigations report analyzed 32,002 security incidents. Of those, the carrier confirmed 3,950 were breaches. Verizon analyzed just half that many – 2,013 – in last year’s report.

This year’s Verizon DBIR found credential theft and social attacks such as phishing and business email compromises at the heart of most breaches.

These cases came from 81 global contributors from 81 countries.

“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, Verizon Business‘ CEO. “In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”

Money motivated criminals in nearly nine of the 10 breaches. In addition, external actors continue to cause the vast majority of breaches. Organized crime accounts for 55% of these.

Credential theft and social attacks such as phishing and business email compromises (BEC) are at the heart of most breaches. Specifically, more than one third (37%) of credential theft breaches used stolen or weak credentials. One in four (25%) involved phishing, and human error accounted for more than one in five (22%).

New Surprises

Gabriel Bassett is a data scientist at Verizon and DBIR co-author. He said there are two surprises in the latest data breach investigations report.

Verizon’s Gabriel Bassett

“First, web applications doubling in breaches sets an ominous tone for the 2021 DBIR,” he said. “This is heavily tied to the use of stolen credentials. For organizations that have transitioned to supporting a remote workforce using web services, this won’t be as much of an issue. But for organizations just now making that transition, this may be a challenge. The attackers are already there waiting for them.”

The second surprise is the increase in errors overtaking malware as a cause of breaches, Bassett said.

“It was driven by an increase in discovery of cloud storage (both file storage and databases) that were shared publicly but contained private information,” he said. “On the other hand, while some malware (such as ransomware and password dumpers) increased, common types of malware we traditionally think of (for example, trojans) dropped precipitously. I think this change points to progress in security, but also suggests that organizations need to refocus some of their defensive resources on improving processes to avoid and mitigate errors rather than worrying about the latest malware threat.”

Four in five (80%) web application breaches involved stolen credentials. That’s a worrisome trend as business-critical workflows continue to move to the cloud.

Ransomware also saw a slight increase, found in 27% of malware incidents. That’s up from 24% in the 2019 DBIR. More than one in six (18%) organizations reported blocking at least one piece of ransomware last year.

“I think the first thing to take away is that many of the things we do in security work and work well, so we need to ensure that these strategies continue to be used,” Bassett said. “Firewalls, antivirus, web and email proxies, patching and vulnerability scanning are all helping us stay secure.”

Opportunities for Cybersecurity Providers

Still, there are opportunities, he said. Phishing and credentials are still the top actions, he said.

“While we know what to do about these, many organizations need help implementing them — whether it’s two-factor authentication, phishing response or transition to email solutions with robust phishing protections,” Bassett said. “There are also up-and-coming opportunities such as better asset management or process improvement (long applied to manufacturing) to prevent errors leading to breaches. I also believe thinking in terms of paths offers a huge array of opportunities to reimagine how we accomplish security tasks.”

Every organization, large or small, needs security operations, he said.

“While large organizations may be able to maintain a security operations center (SOC), small and medium organizations need to …