Verizon recently released its 17th annual Data Breach Investigations Report (DBIR), which analyzed a record-high 30,458 global security incidents and 10,626 confirmed breaches in 2023 — a two-fold increase over the prior year.
“Exploitation of vulnerabilities” in IT systems, such as unpatched networks, almost tripled during 2023 and accounted for 14% of all breaches. One of the largest drivers of this increase was a vulnerability hackers exploited in the MOVEit software – a product used to encrypt and transfer files – that allowed cybercriminals to launch ransomware attacks, first in the education sector and later spreading to finance and insurance industries.
Another key takeaway from the report is that human error continues to cause 68% of data breaches. Phishing – a practice that tricks unsuspecting users into revealing confidential data such as passwords or financial information – remains a major threat.
The rise of artificial intelligence (AI) was less of a culprit compared to challenges in large-scale vulnerability management in 2023, the report said.
“While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach,” said Chris Novak, Sr. director of Cybersecurity Consulting, Verizon Business.
Analysis of the Cybersecurity Infrastructure and Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog revealed it takes organizations an average 55 days to remediate 50% of critical vulnerabilities once patches are available. Meanwhile, the median time for detecting mass exploitations of the CISA KEV on the internet is five days.
“This year’s DBIR findings reflect the evolving landscape that today’s CISO’s must navigate – balancing the need to address vulnerabilities quicker than ever before while investing in the continued employee education as it relates to ransomware and cybersecurity hygiene,” said Craig Robinson, Research Vice President, Security Services at IDC.
“The breadth and depth of the incidents examined in this report provides a window into how breaches are occurring, and despite the low-level of complexity are still proving to be incredibly costly for enterprises,” he said.
Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric — new for the 2024 DBIR — shows a 68% increase from the year before.
The human element continues to be the front door for cybercriminals, the report said.
Most breaches, whether they include a third party or not, involve a non-malicious human element – a person making an error or falling prey to a social engineering attack. This percentage is about the same as last year.
One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.
“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,” Novak said.
Other key findings from this year’s report include:
- 32% of all breaches involved some type of extortion technique, including ransomware.
- Over the past two years, between 24% and 25% of financially motivated incidents involved pretexting, a social engineering technique that manipulates unsuspecting victims into divulging information.
- Over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches.
- Espionage attacks continue to dominate in Asia-Pacific region, where 25% of cyberattacks are motivated by espionage. In Europe and North America, attacks motivated by espionage are significantly lower, 6% and 4%, respectively.
