Over four out of five data breaches in 2021 involved “human error,” three out of five started with a vulnerability in a supply chain partner, and ransomware was involved in one out of four attacks. Those are some of the lead items from the 2022 Verizon Data Breach Investigations Report (DBIR), which draws from over 23,000 incident reports collected by 87 different organizations.
DBIR: Lots of financially motivated crimes, a small dash of espionage
The 2022 DBIR finds that at least 90% of data breaches are attempts at financially motivated crime, with nearly all of the remainder made up of espionage (in turn almost entirely conducted by nation-state threat groups).
Among financially motivated crimes, ransomware remains the most popular type of attack and continues to grow in both frequency and complexity. It is becoming easier, chiefly due to the spread of ransomware-as-a-service offerings that handle most of the heavy lifting once a network has been penetrated, and it also allows criminals to monetize any sort of data breach involving any sort of organization. Even non-profit organizations, schools and hospitals are now frequent targets. And when attackers happen upon a “big fish,” they can wind up making millions of dollars overnight.
The vast majority of global data breaches (4 out of 5) in 2021 were caused by an external attacker. That number rises to 9 out of 10 in North America. All of these are familiar patterns for those who have followed the DBIR’s findings over the past decade or so, and the numbers remain similar even as the sample size greatly expands. Stolen credentials and phishing are the leading ways that cyber criminals penetrate networks, ransomware is the way in which they most frequently monetize these intrusions, and managing the human element of defense continues to be the central challenge.
Attackers show greater interest in small businesses
Attackers are increasingly targeting very small businesses, to the point that this edition of the DBIR introduces a section focusing on the phenomenon. These are businesses with no more than 10 employees, likely unable to maintain adequate IT security without contracted outside help.
Data breaches involving very small businesses end in deployment of ransomware 80% of the time, reflecting the fact that organizations of this size often don’t have much data of value for attackers to steal. Such targets are only worth the attackers’ time because of a great deal of automation, with bot networks searching out known vulnerabilities and automating much of the process of trying passwords. This theory is supported by the DBIR’s finding that almost 80% of these incidents involve the use of stolen credentials, with attackers likely getting the usernames and passwords from other breaches and finding numerous opportunities to reuse those logins.
14% of the 2021 DBIR data breaches were also the result of some sort of misconfiguration, usually of a cloud storage account. This allows anyone with internet access to walk right into private databases, no real hacking required.