There’s a line on page 53 of the report that co-author Gabriel Bassett, senior information security data scientist at Verizon, especially likes. “Why don’t we skip all the hard hacking and just, you know, ask for the money?” This is essentially the theme of this year’s report.
“Attackers are looking for the easy path to their goals and we see it in the executive attacks because executives have direct access to transfer money,” Bassett said. “We see it in the rest of the social engineering attacks, we see it in the credential-based attacks, and we see it in the phishing attacks.”
In fact, 71% of the breaches analyzed in this year’s report were financially motivated.
This is the 12th edition of the annual report and it has the highest number of global contributors (73) to date. It analyzed 41,686 security incidents, which included 2,013 confirmed breaches. The increase in contributors also led to an increase in data to analyze, totaling about 1.5 billion data points of non-incident data.
This year’s report also includes, for the first time, new metrics and analysis from the FBI Internet Crime Complaint Center (IC3). The non-incident analysis draws on honeypot and internet scan data.
Unsurprisingly, financial gain remains the most common motive behind data breaches, and financially motivated social engineering attacks (12% of all data breaches analyzed) are a major topic in this year’s report. It also found that C-level executives are 12 times more likely to be the target of social engineering attacks and 9 times more likely to be the target of a social breach compared to previous years.
“Executives are in the unique position to transfer money without additional controls,” Bassett said.
Senior executives who review and click on emails quickly make it more likely that suspicious emails get through. The report found that the growing success of social attacks such as business email compromise, which accounted for 370 incidents and 248 confirmed breaches, can be linked to a stressful business environment combined with a lack of focused education on the risks of cybercrime.
Some other interesting statistics from the report:
- 52% of breaches involved hacking.
- 33% of breaches included social attacks.
- 28% of breaches involved malware.
- 32% of breaches involved phishing.
- 29% of breaches involved the use of stolen credentials.
- Errors were causal events in 21% of breaches.
- 56% of breaches took months or longer to discover.
Attackers continue to favor short attack paths over long ones, meaning they prefer fewer steps to accomplish a breach. Because of this, companies should focus on preventing easy attacks such as phishing and credential stuffing, Bassett said.
“Turn on two-factor identification,” he said. “When I started doing the DBIR four years ago, I said this is the year you should turn on two-factor authentication.”
“Also giving your employees password managers and helping them use them guarantees that your employees will use a unique password for every site they visit and won’t use those passwords for your systems,” Bassett added.
In other words: turn off the easy button for attackers.