Key takeaways from the 2019 Verizon Data Breach Investigations Report

Verizon’s annual DBIR (Data Breach Investigations Report) is among the most valuable studies in the security industry, so the release of the 2019 edition this week is cause for celebration.

The reports are renowned for detailed analysis, with the latest study delving into more than 41,000 security incidents. They’re also known for their surprisingly entertaining prose, so we recommend you give it a read when you can.

Unfortunately, the reports don’t speculate on possible interpretations of the data, leaving that to independent experts. We’ll be offering our insights in the coming weeks, but in the meantime, we’ll run you through some key findings.

Criminals are following the path of least resistance

Social engineering is often regarded as the easiest method of cyber crime, because it can be conducted in bulk and with minimal hacking expertise. More to the point, targets are poor at identifying malicious emails, meaning attacks have a high success rate.

Such attacks have always been popular, but Verizon’s report indicates that crooks are conducting more phishing and business email compromise scams than ever.

Alex Pinto, the head of Verizon security research, said of such scams: “It’s the game of security. We make something harder, so the criminals switch to the next easiest thing that will keep their money flowing.”

He added: “Why bother hacking companies when [you] can just email the CFO and get him to send [you] money?”

That Pinto uses the example of a senior employee is telling. Verizon found that scammers are increasingly targeting C-level executives in an attempt to steal money. The report found that, compared to 2017, senior employees are twelve times more likely to be sent phishing scams and nine times more likely to fall victim.

A similar trend is occurring in bank fraud. The introduction of chip and PIN has made card-present fraud much harder, because even if crooks steal or clone a card, they don’t have the credentials to make payments over the counter.

But instead of reducing bank fraud, chip and PIN has led to criminals shifting to card-not-present fraud. This typically involves accessing payment card details from an organisation’s database and using the details to make online purchases.

Whereas criminals would historically access these records by planting malware on point-of-sale systems, Verizon has found that crooks are now primarily using web application attacks. This is a specific type of hacking method in which cyber criminals exploit vulnerabilities in an organisation’s website for their own ends. In this case, the crooks are typically using malware, bots or SQL injection to access the contents of databases containing financial records.

For an idea of how dramatic this change in tactic has been, consider that, since 2015, Verizon has found that point-of-sale breaches have decreased tenfold, while web application breaches occur thirteen times more often.

Other important statistics

  • Financially-motivated social engineering attacks are behind 12% of all breaches analysed.
  • Ransomware is still among the biggest threats, accounting for 24% of the malware incidents analysed.
  • External threat actors are still the primary force behind attacks (69% of breaches), with insiders accounting for 34%.
  • There has been a noticeable shift towards financially motivated crime in the education sector, with such breaches accounting for 80% of all attacks.
  • Healthcare is still the only sector to show a greater number of insider attacks (56%) compared to external attacks (43%).
  • Medical data is 18 times more likely to be compromised when an internal actor is involved, and the most likely threat actor is a medical professional such as a doctor or nurse.
  • Cyber espionage increased in the public sector in 2018, but 47% of breaches were only discovered years after the initial attack.

For an in-depth discussion of these statistics, keep an eye on our blog in the coming weeks, or subscribe to our weekly newsletter to receive updates on the latest industry news and advice.