Verizon 2021 Data Breach Investigations Report Highlights Top Data Breaches for 2020
As one of the most widely read annual cybersecurity reports, the Verizon Data Breach Investigation Report (DBIR) offers interesting insights into cybercrime. The 2021 report analyzed nearly 30,000 incidents across nearly 90 countries that resulted in more than 5,000 confirmed data breaches during 2020.
In this year’s report, we see a slight increase in breaches tied to external actors and a corresponding decrease in breaches tied to internal actors. Following patterns consistent with past years, the main motivation of actors, internal and external, continues to be financial gain with espionage and other motives making up less than 10% of the breaches.
One of the interesting insights is the analysis of the top attack actions, both for incidents and confirmed breaches. With denial of service (DoS) via hacking at the top, these four attack actions account for about 80% of all incidents:
- 60% – DoS (Hacking)
- 10% – Phishing (Social)
- 5% – Ransomware (Malware)
- 5% – DoS (Malware)
For actions leading to confirmed breaches, however, phishing tops the list, with the top four attack actions leading to confirmed breaches accounting for around 70% of all breaches:
- 35% – Phishing (Social)
- 25% – Use of stolen credentials (Hacking)
- 7% – Ransomware (Malware)
- 3% – Pretexting (Social)
Knowing the top four attack actions for incidents and breaches is interesting, but looking at the success rates of specific attack actions turning into breaches sheds light on two attack vectors that result in a significant number of breaches:
- Phishing accounted for 10% of the incidents reported, but over 35% of the breaches; and
- Use of stolen credentials accounted for less than 5% of incidents but close to 25% of the reported breaches.
Based on these reported trends, organizations should focus more effort on preventing phishing attempts through increased employee awareness and take additional steps, such as the use of multi-factor authentication, to lower the likelihood of stolen credentials leading to a data breach.
Headline-grabbing ransomware attacks accounted for about 5% of the incidents and less than 10% of the breaches in 2020. On the surface, these lower percentages do not make ransomware the lead story about data breaches, but the actual and potential impact of these breaches has proven worthy of the high level of attention it has received from the media and security professionals in recent months. While 90% of the reported ransomware incidents resulted in no financial loss, organizations should still take steps, such as having well-tested backup and recovery procedures, to respond to ransomware attacks.
Turning to what is being attacked, servers (web applications, mail servers, databases and file servers) continue to be the main target, with more than 80% of incidents involving servers. In 2020, people overtook user devices as the second most frequent target in incidents. This indicates a decline in attackers focusing on compromising laptops. The new focus is on compromising the user and, more specifically, the user’s credentials.
As internet-facing servers continue to be the favorite target for attacks, the vulnerabilities being exploited continue to be older. In an analysis of 85 organizations:
- 20% had vulnerabilities in their environments dating back to 2010; and
- 15% of the organizations’ oldest vulnerabilities surfaced in 2017.
Some of these aged and unaddressed vulnerabilities may be a result of organizations adopting a more risk-based approach to remediating vulnerabilities, where older, low risk-rated patches are not applied. However, this may also be a sign of the ongoing struggle with managing legacy IT environments and the risks that come with older technology solutions. Organizations should continually evaluate unpatched systems and address those vulnerabilities that pose the most significant risk to the environment.
Industries that experienced the most incidents and breaches were mining & utilities, entertainment, public administration/government and health care, with these four industries accounting for approximately 40% of incidents and 35% of total confirmed data breaches. Taking a closer look at these four industries brings to light some interesting trends.
The mining & utilities and health care industries had much higher than average conversion rates, with the majority of reported incidents resulting in actual security breaches.
- Mining & Utilities: 355 breaches out of 506 incidents for a 70% conversion rate
- Health Care: 472 breaches out of 655 incidents for a 72% conversion rate
Conversely, the entertainment industry had a much higher number of reported incidents, with only 109 breaches reported out of over 7,000 incidents for a conversion rate of only 1.5%. This low conversion rate is primarily driven by the fact that the main motive of entertainment industry incidents was to disrupt service via denial-of-service attacks.
Social engineering attacks look to be a favorite attack vector when targeting the mining & utilities and public administration/government industries. Social engineering attacks against mining & utilities targets have doubled year over year since 2018 as attackers continue to focus more efforts on breaching operational technology (OT) environments to steal data and hijack control systems. As many OT environments are established behind numerous layers of technical fencing, attackers are focused on obtaining credentials, one of the main outcomes from successful social engineering attacks that will ultimately provide access into these well-protected environments. This highlights the need for organizations in these industries to increase efforts to educate users on how to identify and thwart social engineering attacks, take additional steps to mitigate the loss of credentials and place a greater effort on protecting privileged access accounts in OT environments.
In both the entertainment and health care industries, small to mid-size companies (fewer than 1,000 employees) were targeted more frequently than their larger counterparts. When smaller companies experienced a breach, it typically took longer to discover the breach than it did for larger companies. Smaller organizations were attacked at the same frequency as larger organizations, but they were challenged in defending against and responding to the attacks due to resource constraints and outdated security tools. While having documented and tested plans for how to respond to security incidents has typically been seen as something only large organizations need to do, the increase in smaller organizations being targets of attacks points to the need for organizations of all sizes to have plans in place for how to respond to security incidents and breaches.
Although each industry is different, the type of attacks they face, breaches that occur, and attack targets are similar from one industry to the next. Social engineering (phishing), stealing credentials and denial-of-service attacks continue to remain the most popular type of attacks. Ransomware is the most talked about topic in the news today, but it isn’t one of the most common attack methods. Still, ransomware should remain on the security radar of all organizations.
For the most common attacks, companies can take practical steps to reduce the likelihood of these attacks being successful and limit the impact when a breach does occur:
- Implementing and consistently delivering end-user security training;
- Focusing on access management controls, especially around managing privileged access and monitoring account activity on a regular basis;
- Configuring assets and software securely;
- Understanding the security practices of key service providers; and
- Developing a plan for how to respond when a breach does occur.
For information about the report or about preventing data breaches in your organization, contact us. We are here to help.
©2021