C-level executives, increasingly and proactively targeted by breaches, correlated to a social-engineering attacks rise with financial motivation warned the “Verizon 2019 Data Breach Investigations Report,” which analyzed 41,686 security incidents.
The 12th DBIR, built on data derived from 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide, found senior executives 12 times more likely social incident target, and nine times more likely social breaches targets than in previous years. Financially-motivated social engineering attacks (12% of all data breaches analyzed), a key topic in this year’s report, highlighted the critical need to ensure all levels of employees understand the potential effect of cybercrime.
The report acknowledged a fruitful pretexting attack on senior executives can obtain large dividends because of often unchallenged approval authority, and privileged access into critical systems. Typically, time-starved and under pressure, senior executives hurriedly review and click on emails before moving to the next message (or have assistants managing email on their behalf), making suspicious emails more likely to pass through. The swelling success of social occurrences such as business email compromises, which represented 370 incidents or 248 confirmed breaches of those analyzed, present an unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.
“Enterprises are increasingly using edge-based applications to deliver credible insights and experience,” George Fischer, president of Verizon Global Enterprise commented. He noted how execs often review supply chain data, video, and other critical – often personal –at eye-blink speed, changing how applications utilize secure network capabilities. “Technical IT hygiene and network security are table stakes when it comes to reducing risk. It all begins with understanding your risk posture and the threat landscape, so you can develop and action a solid plan to protect your business against the reality of cybercrime.”
This year’s findings also highlighted the rising tendency to share and store data within cloud-based solutions exposes companies to additional security risks. In addition, publishing errors in the cloud are increasing year-over-year. Misconfiguration (“Miscellaneous Errors”) led to a number of massive, cloud-based file storage breaches, exposing at least 60 million records analyzed in the DBIR dataset. This accounts for 21% of breaches caused by errors.
Bryan Sartin, executive director of security professional services at Verizon, commented, “As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed. They really need access to cyberdetection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyberthreats.”
Other major findings of the 2019 report included:
- New analysis from FBI Internet Crime Complaint Center highlighted how when the IC3 Recovery Asset Team acts upon BECs, and works with the destination financial institution, half of all U.S.-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered.
- Attacks on human resource personnel decreased six times with W-2 tax form scams almost disappearing from the DBIR dataset.
- Chip and PIN payment technology has started delivering security dividends with the number of physical terminal compromises in payment card related breaches decreasing compared to web application compromises; and a continued reduction in card-present breaches involving point of sale environments and card skimming operations.
- Ransomware attacks still account for nearly 24% of incidents using malware.
- External threat actors are still the primary force behind attacks (69% of breaches) with insiders accounting for 34%.
The report also cited one still distressing discovery: Adversaries are utilizing social engineering tactics on users and tricking them into providing their web-based email credentials, followed by the use of those stolen creds to access the mail account.
Cybersecurity experts offered comments in response to the DBIR’s issuance:
“If one theme in particular stood out, it was the prevalence of credential theft as a consistent factor in the data breach equation. This is of course no surprise, just as it is no revelation that the ultimate target for any attacker is successfully compromising and exfiltrating data the credentials supply access to,” Adam Laub, SVP Product Management, at Hawthorne, N.J.-based STEALTHbits Technologies, said.
Michael Magrath, director, global regulations and standards, of Chicago-based OneSpan, suggested. “The use of stolen credentials on banking applications remain common.” He added, until regulations mandate strong customer authentication hackers will continue to steal login credentials. “However, with secure, frictionless authentication solutions becoming commonplace, the use of stolen credentials is expected to significantly drop in future reports.”
George Wrenn, CEO, Boston-based CyberSaint Security, said, “The drastic increase in social attacks on C-level personnel points to the increased demand for cybersecurity awareness in the C-suite.” More and more we are seeing information security leaders brought into business side discussions to provide cyber-focused insights and feedback on business strategy.”