Latest data breach investigations report spotlights human frailty and unpatched software as top vulnerabilities. Again.
Each year around this time, Verizon releases an analysis of security incidents and data breaches around the world. Because Verizon manages 4,200 networks and nine security operations centers globally, and processes 34 trillion raw logs each year, the telecom firm is in a unique position to collect, evaluate, and report on cybersecurity threats.
In preparing its 2024 Data Breach Investigations Report (DBIR), Verizon analyzed 30,458 security incidents, which included 10,626 confirmed breaches, that occurred in 2023. According to the May 1 Press Release, that’s double the number from 2022, which should be a source of concern all by itself. However, there is more disturbing news this year.
General Observations
A few general observations from the 2024 data breach report are worth noting before we delve deeper into the major news.
- Stolen Credentials. Over the past ten years, the use of stolen credentials has appeared in almost one third (31%) of all data breaches. The year 2023 witnessed a reduction in the use of stolen credentials, although it is still the predominant factor in cybercrime at 24%.
- Extortion. Running a close second in 2023 was ransomware at 23%. However, the ransomware statistic is misleading unless combined with other forms of extortion, which accounted for 9% of data breaches in 2023. In combination, these two forms of extortion contributed to one third (32%) of all data breaches in 2023. Extorting payments from victims continues to be a profitable business for cybercriminals.
- Pretexting. Pretexting refers to cybercriminals making up scenarios to steal sensitive information, such as ‘needing to confirm the target’s identity’ for a false reason. Incidents involving pretexting accounted for one fourth of financially motivated attacks in the past two years of data breach reports. The majority of these exploits were designed to compromise business email. In both years, the average transaction amount of a business email compromise (BEC) scheme was roughly $50,000, according to the FBI Internet Crime Complaint Center (IC3).
- Third Party Risks. Also in 2023, 15% of all data breaches involved a third party. These include data custodians (such as cloud storage or processing providers), third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric, which is new in the 2024 report, shows a 68% increase from the previous period. Supply chain issues have been making headlines in recent years and it’s not surprising to see this being tracked in the data breach investigations report.
The 2024 data breach report offers keen insights into several prevailing risks, including issues related to known vulnerabilities, phishing schemes, and ransomware exploits. Sadly, these three issues continue to dominate, year after year, without much improvement.
Known Vulnerabilities: The Gift That Keeps on Giving
In 2023, attacks that involved the exploitation of vulnerabilities as the primary path to a data breach increased 180% from the previous year’s report, due in large part to a series of attacks exploiting MOVEit Transfer from Progress Software. Three critical vulnerabilities in this widely used software were announced in May and June 2023, with the software firm issuing three patches in an attempt to secure the software. However, extensive damage had already been done, as the 2024 data breach report confirms.
In addition, as happens with all software updates released for customer implementation, too many users fail to promptly install the patches, which allows known vulnerabilities to remain open and exploitable. Having a decided preference for low-hanging fruit, cybercriminals continue to take easy advantage of these failures.
According to the Verizon press release, an analysis of the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity Infrastructure and Security Agency (CISA) revealed that it takes organizations an average of 55 days to remediate 50% of critical vulnerabilities once software patches are made available. That’s almost two months for an IT team to find time to install half of all critical security updates to software applications used by their organizations. Ouch.
Reducing the Attack Surface. Prompt patching. Prompt patching. Prompt patching. This is probably the single most important action organizations can take to reduce the risk of data breaches by reducing vulnerabilities. Taking a longer view, CISA strongly urges software developers to focus on addressing recurring classes of software defects. In beginning to make software more secure by design, inherent vulnerabilities and the resultant need for serial patching can be reduced over time.
Chris Novak, Sr. Director of Cybersecurity Consulting for Verizon Business, offers a related observation in the report, noting that cybercriminals have no reason to change or expand their exploit strategies when unpatched software continues to provide them with easy, unlimited opportunities.
Phishing Schemes: Exploiting Human Frailty
Over two thirds of data breaches (68%) in 2023 resulted from an individual either making an error that left their organization vulnerable, or falling for a social engineering exploit, such as a phishing scheme. This percentage tracks with the previous year.
Although phishing continues to be an active threat, victim reporting of phishing schemes has been improving over the past few years, according to the 2024 data breach report. In 2023, 20% of users reported they were exposed to a phishing scheme and 11% of users who clicked the phishing email also reported it. On the flip side, the average time to click on a malicious link after opening a phishing email is 21 seconds, and for a victim to enter their personal data takes only another 28 seconds. This means that phishing schemes can hook their targets in under 60 seconds.
Human frailty continues to contribute to the majority of data breaches. Every organization has employees who are too busy, stretched too thin, inadequately trained, untested, negligent, distracted, or just plain careless. That’s why employees are the weakest link in the security chain, year in and year out.
The Importance of Training to Thwart Phishing. Frequent cybersecurity training is as vital an element of regulatory compliance as a robust firewall or a strong password policy. The absence of repeated, focused, complete cybersecurity training is dangerous, and not only for the organization. It’s dangerous for employees, partners, and other stakeholders who may also suffer the consequences of a data breach.
Research suggests that we forget roughly half of all new information within an hour of learning it. And that we can only digest six to nine data points in a single session. These two simple facts confirm what professional trainers have long known: that training must be delivered in short sessions, offered in multiple formats to suit individual learning needs, include testing at intervals throughout, and repeated frequently.
Cybersecurity protocols and best practices are neither innate nor intuitive—they must be taught to employees. (And don’t overlook cybersecurity awareness training for management; whaling schemes have hooked more than one unwary executive.) Certain forms of cybercrime change frequently, and training must be updated to address new threats, new ransomware exploits, and new social engineering schemes. For these and other reasons, cybersecurity awareness training pays big dividends for employers.
Ransomware: Profitable and Relentless
As noted in General Observations above, the spike in extortion crimes, including ransomware, accounted for one third (32%) of all data breaches in 2023. These are the two most successful ways to monetize a data breach, according to the Verizon report.
Ransomware complaint data compiled by the FBI Internet Crime Complaint Center indicates the average loss associated with extortion crimes, including ransomware, is $46,000 for 95% of documented cases, despite the FBI advising against ransom payments. The median ratio of the initially-requested ransom amount to the victim company’s annual revenue fluctuates between 0.13% and 8.30% in 80% of documented cases. Between 2013 and 2019, it is estimated that over $144 million in Bitcoin was paid as ransom.
Commercial businesses across industries continue to be targeted by extortionists, in large part because victims continue to pay. And public sector organizations are far from immune. In fact, the federal government is especially concerned about ransomware attacks on the networks of police and fire departments; state, local, tribal, and territorial governments; municipalities; hospitals; and other critical infrastructure. These attacks can delay first responders in emergencies or prevent hospitals from being able to use lifesaving equipment, as just two examples.
Tallahassee Memorial Healthcare was offline for two weeks as the result of a suspected ransomware exploit in 2023, during which the hospital had to rely on paper documentation and reroute emergency cases to other hospitals, along with additional disruptions. 
Reducing Ransomware Risk. Regular data backups are fundamental to thwarting ransomware exploits. Back up your data, system images, and configurations. Test your backups—and store them offline where hackers can’t get to them. Use multifactor authentication. Tighten access controls. Install strong, reputable antivirus and antimalware programs. Keep your security technology and software up to date. And review and test your incident response plan. Do everything you can to remove the low-hanging fruit that is so tempting to cybercriminals. And keep up with laws regarding ransomware, because they are changing.
Summary
In its 2024 data breach report, Verizon analyzed 30,458 security incidents, including 10,626 confirmed data breaches, that occurred in 2023—double the number from 2022. Sadly, the exploitation of known vulnerabilities, the success of phishing schemes, and the easy profits from ransomware have been recurring themes in recent years. We just don't seem to learn.
Solutions are available today that can substantially reduce these risks for organizations willing to implement them. Given the steadily rising costs of data breaches, an ounce of prevention is definitely the less expensive strategy.
