To effectively mitigate cyber incidents, security practitioners need to understand trends and patterns related to cybercrime. The annual Verizon Data Breach and Investigations Report (DBIR) takes a data-driven look at cybercrime and its trends and impacts on organizations. This year marks the 15-year anniversary of the DBIR. After a decade-plus of analyzing over 914,547 incidents, 234,638 breaches, and 8.9 TB of cybersecurity data, it remains a relevant reflection on the risks organizations face.
For the third year, Coalition provided Verizon with access to our Coalition internet scanning data. This data is part of our Active Risk Platform, which analyzes complex sets of public data, threat intelligence, and proprietary claims information to create personalized risk assessments and threat monitoring. We use this data in conjunction with our proprietary claims and incident data to generate a ranking — a measure of an organization's risk and security posture — available to all Coalition Control users via our Cyber Risk Assessment (CRA). Coalition brokers, policyholders, and free Control users all receive a copy of the CRA.
Like our CRA and our Cyber Claims Report, the DBIR includes a comprehensive set of data that outlines how threat actors use cybercrime to target organizations large and small. Here's our take on the key findings for this year's report and how they relate to cyber insurance — an important risk mitigation factor in today’s digital economy.
The 2022 DBIR includes an analysis of 23,896 security incidents, including 5,212 confirmed data breaches, with the incidents described taking place from Nov. 1, 2020, to Oct. 31, 2021. A key point to note is that while there may seem to be innumerable ways threat actors compromise your network, there are four key paths: credential compromise, phishing, exploiting vulnerabilities, and botnets. Years of reports have proven that the cyber landscape is unpredictable and threat actors are first and foremost opportunistic; no organization is safe without an appropriate plan, security controls, and tech stack to mitigate all four threats.
Unsurprisingly, financial gain remained the top motivation for threat actors, as it has been since the DBIR began to track it in 2015. Espionage remains the secondary motive, and has also held this spot for years.
A notable finding that stood out from other categories was the potential for one large-scale attack to reset the entire cyber landscape. The DBIR noted that 2021 illustrated how a single supply chain attack (SolarWinds) could lead to a wide range of consequences, and data found that the supply chain was responsible for 62% of system intrusion incidents in the report.
The human element remained a factor in a staggering 82% of breaches this year. Whether through stolen credentials, phishing, misuse, or simply user error — humans continue to play a large role in incidents.
The 82% is split between phishing attacks and what the DBIR defines as pretexting attacks, commonly associated with business email compromises (BEC).
Only 41% of BECs involved phishing. Of the remaining 59%, 43% involved stolen credentials.
There was a 10% increase in the number of reported phishing test emails over the last half decade.
Security awareness training has the potential to increase positive cybersecurity behaviors such as good password habits and not clicking suspicious links.
The DBIR saw an upward trend in ransomware attacks with "an almost 13% increase, as big as the last five years combined (for a total of 25% this year)." What this means is ransomware remains a threat.
Interestingly, while there is diversity among ransomware variants and gangs (such as Conti or REvil), the latter of which Coalition has seen rapidly shift places in terms of prevalence, the ways ransomware infects your network are actually limited:
The DBIR observed that of all ransomware incidents, 40% involved the use of desktop sharing software (such as remote desktop protocol, or RDP), and 35% involved email.
They advised locking down external-facing infrastructure, especially RDP and email, as a ransomware mitigation tactic.
Historically, there is a precedent of RDP perpetuating ransomware attacks.
Ransomware first showed up in the 2008 DBIR; a few years later, in 2013, the report identified RDP as a viable method to access an organization’s network, noting that once inside, threat actors would alter a company’s backups so that they continued to run each night without actually backing up any data.
To know your risk, log in to Control, free for all organizations, to see the latest scan results.
The DBIR notes: "Threat actors have the 'we'll take anything we can get' philosophy when it comes to cybercrime." Cyber incidents can and have put very small organizations out of business, and for the 2022 report, startling insights were found in this category:
For the first time, the report highlights threats facing very small businesses, defined as those with 10 or fewer employees.
Of 832 incidents, 130 had a confirmed data disclosure.
Ransomware was the number one dataset for very small businesses; the second was stolen credentials.
Very small businesses have limited resources to respond to a cyber attack, something that may be enticing to threat actors.
A cyber insurance provider can be a good partner in managing and mitigating the risk that all businesses face as part of the cost of operating in today's digital economy. Organizations that assemble their defense technologies piecemeal or have lax cybersecurity habits are prime targets for opportunistic threat actors.
Coalition uses data to provide insights to enable and incentivize good cybersecurity habits. Our CRA and monitoring technology within Coalition Control help small and medium-size organizations protect themselves in a digital world. We learn from every scan, incident, and claim. This information is part of our CRA, which we share back with the brokers who support Coalition policyholders as well as free Coalition Control users.
Check out the Coalition 2022 Cyber Claims Report to see how claims and incidents impacted our policyholders.