CyberClub

Cyber criminals are deploying new and innovative lines of attacks along with variations on tried-and-true methods that remain successful, Verizon’s 2024 Data Breach Investigations Report has found.

The report, now in its 17th year, analyzed more than 30,000 real-world security incidents, including a record high of just over 10,000 confirmed data breaches, spanning 94 countries.

“We’ve seen an overall increase in the volume of data breaches as the threat landscape continues to expand,” Rob Le Busque, regional VP at Verizon Business, told CSO.

The top three most popular vectors for data breaches were unauthorized uses of web application credentials, email phishing and exploiting vulnerabilities in web applications, when excluding errors and misuse, typically honest mistakes by employees. It paints a picture of a complex, changing environment of global cyber-crime impacting organizations of all sizes and types.

Main findings of Verizon’s data breach report

In all, the report reveals areas where organizations need to be more vigilant and where the results of awareness training are showing positive signs.

1. MOVEit zero-day vulnerability drives big jump in breaches

The headline finding for this year is the almost triple increase (up 180%) in attacks involving the exploitation of vulnerabilities. Not surprising in the year that saw the mass exploitation of the MOVEit zero-day vulnerability and other similar ones.

These attacks were primarily leveraged by ransomware and other extortion-related threat actors, and the main entry point was web applications, the report noted.

Analyzing the data also reveals a significant area of weakness among many organizations — bad actors are more quickly harnessing vulnerabilities than organizations can patch them. It takes organizations approximately 55 days to fix half of these vulnerabilities, while large-scale scanning for those same vulnerabilities by threat actors is happening within five days, Verizon found.

While many organizations have robust, mature vulnerability management and patching programs, complacency can be a danger when it comes to reviewing these elements of the cybersecurity posture.

“Going forward, they need to dust off those plans, relook at the strategies and even increase funding to elevate the level of risk and importance patching has,” said Le Busque.

2. Ransomware and extortion attacks continue to grow

Attacks involving ransomware or extortion have seen strong growth over the past year, accounting for a high of 32% of all breaches. Given the prevalence of ransomware attacks, it was a top threat across 92% of industries, and the average cost of attacks was also on the up.

“It suggests a refining and maturity of ransomware attacks because criminals are gaining a higher payout for the same effort,” Le Busque told CSO.

It also reveals a cybersecurity truism, that ransomware is a business for cyber criminals and financially motivated threat actors invariably utilize attack techniques providing the best return on investment.

3. The human element still accounts for a substantial percentage of breaches

Some 68% of breaches, roughly the same as the previous year, involve a non-malicious human element, demonstrating how people remain a vulnerable link in the security chain. This indicates that there’s still significant scope for security awareness to reduce the impact of breaches on organizations.

“The more we educate and train people and the more awareness we can build, both at a company level and as an industry, the better off everyone will be,” said Le Busque.

4. Unintended errors are leading to incidents

Breaches involving errors are growing, accounting for almost a third of incidents in 2023. Errors include misconfigurations, clicking on links and sending information or data unencrypted outside of the organization that falls into the wrong hands.

The inclusion of several new mandatory breach notification entities may have helped push this up, the report noted. Given these directives now compel some organizations to declare incidents, it suggests that until now these types of errors have been more common in breaches than media or traditional incident response-driven data has suggested.

For organizations, it reveals there’s an opportunity to tighten the guardrails to ensure stronger adherence to security governance procedures and eliminate avoidable lapses as much as possible.

“It’s ensuring robust policies and frameworks around data governance that help reduce the opportunity for these errors to be made,” Le Busque said.

5. Education is improving how people identify phishing attempts

The 2023 data showed that 20% of people correctly identified phishing in simulation engagements, while 11% of people who clicked on an email also reported they had done so. This continues an upward trend where the rate of users reporting phishing in simulation engagements has been rising over the past few years.

It represents a positive sign that organizational education and awareness training continues to be working to help people identify phishing attempts.

However, the median time for someone to fall for a phishing email is less than 60 seconds, giving organizations just a small window of time to base their education around. “We need to continue building awareness because real time responsiveness is critical,” he said.