IT and security leaders increasingly see data-driven decision making as the key to strategic success. But that puts pressure on them to ensure the data itself is current, accurate, high quality and free of vendor bias. Few resources are as useful as Verizon's Data Breach Investigations Report (DBIR), which each year combines information from the firm's own forensic investigations with data from many third-party contributors. The result is a highly detailed view of the threat landscape, this year distilled from 16,312 incidents and 5,199 confirmed data breaches.
The big picture is this: enterprise data has never been more exposed to external attacks. It should provide yet another reason to double down on data-centric security as a core priority.
New for 2023
Over the years, the DBIR has shone a light on threat activity via analysis of over 950,000 incidents—of which more than a quarter of a million were confirmed breaches. The 2023 report highlights the following:
Most attacks come from outside: External threat actors were responsible for 83% of breaches over the past year, and 95% of breaches could be traced back to financial motives. That aligns with the fact that most attacks today are carried out by organized criminals, despite eye-catching headlines about nation-state threats. In fact, according to the report, more breaches were caused by insiders than by state-sponsored attackers.
Stolen credentials were the main source of illegal access: They accounted for nearly half (49%) of breaches, followed by phishing (12%) in a distant second. Both point to the outsized role the human element plays in breaches; note that credential theft itself need not involve user error, since infostealer malware and reused passwords from earlier leaks feed the same pool. Vulnerability exploitation (5%) was the third most common way attackers gained entry to victim networks.
Humans are a major source of risk: The "human element" was present in three-quarters (74%) of breaches. The report counts under this heading the use of stolen credentials, social engineering, misuse of legitimate privileges, misconfiguration and misdelivery of sensitive information.
Insiders are still a threat: While negligence plays a big role in insider risk, there is an undeniable element of malicious activity happening inside some organizations. This is especially true of the public sector, where internal (30%) and "multiple" (16%) actors accounted for a significant share of breaches. "Multiple" means actors from more than one category were involved, for example an external party colluding with a government employee or partner. The share of public-sector breaches linked to internal actors rose from 22% in the previous report, and "multiple" actor breaches had barely registered in the previous two editions of the DBIR.
Ransomware isn’t going anywhere: Ransomware is a critical threat to data today, due to the use of “double extortion” tactics where sensitive information is exfiltrated from a victim organization before systems are encrypted. Ransomware was present in a quarter (24%) of breaches over the past year, and remains a major threat for organizations of all sizes and across all verticals. Median costs related to these attacks more than doubled to $26,000.
Time to protect what matters most
This insight into the threat landscape tells us much about where organizations should be focusing their cyber risk management efforts. If bad actors are exploiting vulnerabilities, then patching matters, prioritized by what is internet-exposed and actively exploited. And user awareness training should be updated to help mitigate the risk from phishing.
Tighter access policies and controls like multi-factor authentication (MFA) can also help to stem the threat from stolen credentials. However, attackers adapt: one recent report claims that MFA bypass phishing kits are increasingly used by cyber-criminals, and were responsible for over one million phishing messages per month last year. These kits work by proxying the victim's login session, so they defeat one-time codes and push approvals but not phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the credential to the genuine site's origin.
If threat actors can bypass perimeter and access controls, a greater focus must be placed on protecting the data itself. The data-centric security approach recommended by comforte ensures that:
- Data is discovered and classified continuously, wherever it is located in the enterprise
- Strong protection is applied to that data, including tokenization, which replaces sensitive values with surrogate values so the data can still be used for analytics and other downstream processes
- Data protection mechanisms integrate transparently with data flows and apps for fast time to value
- Protection integrates deeply with VMware and Kubernetes environments to support DevOps and automation
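The list above names tokenization as the control that keeps protected data usable. The following is an added example written for this page, not comforte's product code, showing the property in miniature: a vault-based tokenizer that replaces a payment card number with a same-length, digits-only token, keeps the last four digits for display and grouping, and stores the real value only in the vault. The same card always maps to the same token, so an analytics job can total spend per card without ever seeing a plaintext PAN. The class and function names, the keyed-lookup design and the sample orders (well-known test card numbers) are assumptions made for this example; preserving the last four digits is a deliberate usability trade-off that leaks those digits and should be a policy decision, not a default.

```python
"""Vault-based, format-preserving tokenization (illustrative example only)."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records. The PANs are publicly known test numbers, not real cards.
SAMPLE_ORDERS = [
    {"order_id": 1, "pan": "4111111111111111", "amount": 20.00},
    {"order_id": 2, "pan": "5500000000000004", "amount": 15.50},
    {"order_id": 3, "pan": "4111111111111111", "amount": 5.25},
]


class TokenVault:
    """Maps sensitive values to random tokens and keeps the plaintext in a vault.

    The token has the same length as the PAN, is digits only, and preserves the
    last four digits; the rest is random, not derived from the PAN. A keyed HMAC
    of the PAN serves only as the lookup key for "have we seen this value?", so
    the hot path never compares plaintext and the lookup table is useless
    without the key. (Assumed design for this example.)
    """

    def __init__(self, lookup_key):
        self._lookup_key = lookup_key
        self._token_by_fingerprint = {}  # HMAC(PAN) -> token
        self._pan_by_token = {}          # token -> PAN (this is the vault)

    def _fingerprint(self, value):
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("expected a 12-19 digit PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            # Same input -> same token, so joins and group-bys keep working.
            return self._token_by_fingerprint[fp]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (unlikely) collision with an existing token or the PAN itself.
            if token not in self._pan_by_token and token != pan:
                break
        self._token_by_fingerprint[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault owner can reverse a token; this call should be tightly access-controlled."""
        return self._pan_by_token[token]


def protect_orders(orders, vault):
    """Return copies of the records with the PAN field replaced by its token."""
    return [{**order, "pan": vault.tokenize(order["pan"])} for order in orders]


def spend_per_card(protected_orders):
    """Analytics over tokenized data: total spend per card, keyed by token, no PAN needed."""
    totals = Counter()
    for order in protected_orders:
        totals[order["pan"]] += order["amount"]
    return dict(totals)


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    protected = protect_orders(SAMPLE_ORDERS, vault)
    for order in protected:
        print(order)
    print(spend_per_card(protected))
```

In a real deployment the vault and its lookup key live in a separately controlled service, detokenize is exposed only to the few systems that genuinely need plaintext, and every other consumer works on tokens alone.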