Verizon 2021 Data Breach Investigations Report – a CISO’s Guide
For those of us in the security industry, the release of Verizon’s Data Breach Investigations Report (DBIR) is something we look forward to every year. The report has been published annually for fourteen years and provides insights into cyber threats and the controls that address them. This year Verizon analysed close to 80,000 incidents across different industry sectors in 88 countries.
Many of the findings and trends may not be a surprise to some of us, based on what we have seen over the past few years and given the situation that we find ourselves in due to the global pandemic.
We’ve read through the 119-page Verizon 2021 Data Breach Investigations Report and have picked out what we think are the key findings for a CISO. We would still recommend reading the full report itself: it is a worthwhile read that can help with financial modelling, business case development and educating your Board, and it serves as a sense check against your existing security strategy and level of investment.
First, a few findings that we found more surprising
- 99% of Privileged Misuse cases (which the report defines as “incidents predominately driven by unapproved or malicious use of legitimate privileges”) were attributed to internal threat actors; and
- The financial sector “frequently faces credential and ransomware attacks from external actors”. But it was also reported that “misdelivery represents 55% of financial sector errors”. Misdelivery is where employees send data to the wrong recipients, and this in turn potentially results in personal data breaches.
And probably less surprising, but still noteworthy:
- “85% of breaches involved a human element”. Social engineering continues to increase, where “phishing is responsible for the vast majority of breaches in this pattern with cloud-based email servers being a target of choice.”
- Ransomware continues to increase over the years, and “monetisation through Ransomware seems to have become the preferred method” and “attackers are less likely to purely target payment data”.
- Within the Basic Web Application Attacks incident classification pattern, “almost all (96%) of those mail servers compromised were cloud-based, resulting in the compromise of personal, internal or medical data.”
In terms of understanding the financial impact of a data breach, the report also describes running 1,000 Monte Carlo simulations over the year’s dataset: the most common 95% of impacts ranged between $826 and $653,587, and an affected organisation’s stock price fell by around 5%.
So, what controls should I be thinking of as a CISO?
Our interpretation of the report is that organisations are still struggling with ‘the basics’, i.e. foundational security controls. The likelihood, and potentially the impact, of incidents and breaches could be reduced by:
- Investing in the ‘human element’ – there isn’t a silver bullet when it comes to security awareness and education, but embedding security into the organisational culture is key;
- Ensuring basic web application security and security architecture is in place, in particular for cloud-based assets;
- Considering DDoS mitigation services (it was reported that 95% of incidents fell between 13 Mbps and 99 Gbps, which is “an easily mitigatable range”);
- Mitigating old vulnerabilities, as these continue to be exploited by attackers; and
- Getting a handle on identity and privileged access management (where it was reported that “61% of breaches involved credentials”).
Consider using one of the established security control frameworks to structure this work, such as the CIS Controls (version 8 was recently released), NIST guidance such as the Cybersecurity Framework, or SANS guidance.