Despite its startling statistics — 86% of data breaches are financially motivated, up from 71% in 2019, and web application attacks doubled to 43% this year — the latest Verizon data breach report is a good news security story, insists co-author and Verizon data scientist Gabriel Basset.

“The things we are doing around patching and preventing vulnerabilities are working,” he said. “Keep doing what you are doing in your organization. It is helping your security — it’s working. Focus on phishing and credentials and human errors but keep doing what you are doing.”

Verizon this week published its 13th-annual "Verizon Business 2020 Data Breach Investigations Report." It analyzed 32,002 security incidents, of which 3,950 were confirmed breaches; almost double the 2,013 breaches analyzed last year. These cases came from 81 global contributors from 81 countries, and the analysis also now covers 16 business sectors.

As with all of the earlier Verizon reports, the 2020 DIBR found the vast majority of breaches continue to be caused by external actors. This year it hit 70% with organized crime accounting for 55% of these. Credential theft (37%) and social attacks such as phishing (25%) and business email compromises caused the majority of breaches (over 67%), and human error accounted for 22%.

Additionally, the 2020 DIBR found a two-fold increase in web application breaches compared to 2019, which jumped to 43%. Stolen credentials were used in more than 80% of these cases.

While the report authors analyzed the 32,002 security incidents before the COVID-19 pandemic closed businesses across the globe and forced almost all of the still-employed workforce to telecommute, the DIBR findings highlight a worrisome trend given the increased numbers of people working from home and companies moving more business-critical workloads to the cloud.

The collection period for the 2020 report ran from Nov. 1, 2018 to Oct. 31, 2019. “So it didn’t cover the COVID-19 time period, but some of the findings are directly applicable to the COVID-19 situation,” Basset said, pointing to the web application breaches. “Many organizations have made this transition, from traditional domain controllers and desktop computers, all within a secure boundary, to the type of [cloud] architecture used for large, distributed businesses. Because a lot of companies have made that leap, attackers are going there, and using [stolen] credentials.”

Companies that are just now making that transition to the cloud because of the pandemic are in a particularly tough spot because attackers have already moved, he added. “And now organizations with traditional, on-prem architecture are forced to move into this off-prem architecture that already houses the attackers.”

The report also includes a section that details the paths attackers take in a breach attempt — essentially the steps they must complete for a successful attack. This helps organizations understand the attackers’ paths and also gives the organizations the advantage in choosing where to intercept them. “It offers an opportunity to show defenders another way to improve their defense,” Basset said.

For example: a phishing attack. “Do I want to not allow any phishing emails into my organization? Or stop it at my users and get them to not click on any phishing emails? Or maybe get them to report phishing emails? Maybe I want to stop the attack at the next step — phishing leads to a malicious website or domain or executable. So I may want to say I’m going to look for files coming into my domain through email and prevent attacks through preventing malware from running within my organization. The point is you get to pick where you stop the attack, or you can stop it in pieces along the way.”

Plus, attackers prefer short paths to attacks because these provide a better return on their investment. This gives companies another defensive advantage because anything they do to increase the number of actions and add an extra step for attackers decreases their chances of getting attacked.

“Anything you do along the way that increases your defenses will decrease their offense because they want to get in and get out,” Basset said. “Let’s say it takes them an extra half hour. That’s 30 minutes they could have spent attacking other far easier targets. They’d much rather go after those other 10 because it’s a much greater value to them.”