Data protection has become a big issue internationally. The European Union’s General Data Protection Regulation (GDPR) was the first of several data privacy regulations to be passed in recent years. The GDPR made headlines since it significantly widened the set of data that can be considered Personally Identifiable Information (PII) (which is protected by the regulation) and dramatically increased the potential fines for failing to protect it.
With fines capped at 4% of a company’s global turnover or 20 million euros (whichever is more), any company handling data of EU citizens has a strong incentive to protect it properly. Despite this, the number of breaches of sensitive data continues to climb. In 2018 alone, data breaches exposed 5 billion records containing people’s sensitive data. Many organizations are simply not ready to protect their sensitive data at the necessary levels, and hackers are more than willing to put in a little time and effort to take that data off their hands and make a tidy profit.
Verizon may be best known globally for their cell phone service; however, they are also well known in the cybersecurity field for their Data Breach Investigations Report (DBIR). In this yearly report, Verizon uses their broad visibility into the cybersecurity threat landscape (both from internally collected data and from data provided by a variety of partnerships) to pull out overall cybersecurity trends for the year and make predictions about the future of cybersecurity. The 2019 edition of the report was recently published and provides a good snapshot of the state of the industry.
Major DBIR Takeaways
The Verizon DBIR contains a large number of statistics about the state of cybersecurity incidents and data breaches. However, every report has a few takeaways that stand out from the rest, and this year’s DBIR has several.
Going After the Little Guy
Many small businesses’ cybersecurity strategies seem to be based on staying quiet and pretending that threats don’t exist. The average small business doesn’t have the budget for a full-fledged cybersecurity department, so they do what they can and hope that hackers won’t notice or try to breach them.
Unfortunately, this tactic doesn’t seem to be working out. A full 43% of attacks were against small businesses, meaning that attackers don’t seem to care so much about the size of the target as they do about ease of access.
It’s All About the Money
Threat actors attack businesses for a variety of reasons; however, for some it’s literally their day job. Over a third of data breaches (39%) were perpetrated by organized crime. It’s not surprising, then, that money was the cause of 71% of all breaches. All businesses are out to make a profit; hackers have just found that their talents and inclinations lie more in stealing and selling data than in traditional career paths.
Trying to Get In
Most organizations have perimeter-focused defenses. The entire point of these defenses is to draw a line between the trusted “inside” and the untrusted “outside” and to make sure that all of the bad guys stay on the right side of the line.
This sort of strategy is not ideal since it completely ignores the potential of an insider threat like a disgruntled employee or a hacker posing as a janitor. However, the data suggests that the vast majority of (successful) data breaches, 69%, are in fact performed by outsiders. That doesn’t mean that you can ignore the threat represented by people on the inside: they’re involved in over a third (34%) of data breaches. Defense-in-depth and user behavioral modeling are always a good idea when you’re dealing with potentially sensitive data.
You Are the Weakest Link
Hacking has become a business, and efficiency is important in business. If you can achieve the same goal two different ways, it’s almost always better to take the easier and more cost-effective one. Hackers have really taken this fact to heart. Advances in cybersecurity technology have made it harder and harder to identify and exploit software vulnerabilities. However, humans make more than enough mistakes to make up for it. As a result, human-related causes of breaches like social engineering and human error have grown over the DBIR study period (which compares 2018 to 2013).
Takedown and Phishing
With social engineering taking an increasing role in causing incidents, it’s not surprising that its most popular form, phishing, leads the pack as the most common threat action performed as part of a data breach. However, the same is not true for cybersecurity incidents (where the attacker gets in but might not be stealing anything). Over half of incidents involve a Denial of Service attack, making it even more apparent that organizations need to deploy a strong anti-DoS solution to protect their public web presence.
The Future of Cyber
Data breaches happen, and they’re likely to continue to happen. Humans make mistakes, whether they’re programming errors, failing to deploy appropriate cybersecurity defenses, or falling for a social engineering attack, and hackers are always willing to take advantage of these mistakes.
However, just because attacks happen doesn’t mean that nothing can be done. Reports like Verizon’s DBIR provide useful intelligence about trends in the industry and how organizations can take steps to better protect themselves. Even a cursory read of this year’s report demonstrates the importance of deploying a good data security and anti-DoS solution in order to protect against some of the most common attacks seen in the industry.