Verizon recently released its latest “Data Breach Investigations Report” (DBIR), offering the latest insights into how threat actors are operating and who they’re targeting, and which attack methods are delivering results. This is the 15th annual DBIR, and the report kicks off with an acknowledgement of how “extraordinary” the past year has been, especially when it comes to cybercrime.
The report’s authors write: “From very well publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”
That statement no doubt hits home with most security pros—and we certainly know our customers have been busy trying to shore up their organization’s defenses against a rising tide of business email compromise (BEC) campaigns, ransomware attacks, data breaches, and more.
In this post, we’ll take a look at a few key findings from the 2022 DBIR to help you assess the challenges and opportunities ahead for your organization as you work to build a sustainable security culture and drive positive behavior change among your users.
The Dataset
This year, Verizon analyzed 23,896 incidents across roughly 20 different industries that occurred during the time frame for analysis—from November 1, 2020, to October 31, 2021. Of those incidents, 5,212 were confirmed data breaches.
The 2022 report also marks the third year that Verizon has analyzed incidents and presented them from a macro-region perspective to provide “a more global view of cybercrime.” (See the “Introduction to Regions” section in the DBIR for details on this approach.)
Key finding #1: 82% of breaches involved a human element
This might be considered a positive trend if the percentage still weren’t so terribly high. In last year’s report, this figure was 85%. The DBIR’s authors note that changing human behavior is what’s needed to help lessen the role of the human element in driving breaches—but they also acknowledge that doing so is “quite an undertaking” for organizations.
Figure 1. The human element in breaches (n=4,110); each glyph represents 25 breaches. (Source: 2022 DBIR.)
Targeted and data-driven security awareness training for users is a must, of course. Even more critical is adopting a people-centric security strategy, which can help your organization manage security risk more effectively by focusing on threats that target and exploit people.
A people-centric approach to security helps you understand how your people are targeted by threats, how they work in high-risk ways and how they can access valuable data. Developing this approach includes identifying the Very Attacked People™ (VAPs) in your organization. Once you understand the threats they face, and how they are being targeted by attackers, you can implement appropriate controls that will protect them—and your business.
To learn more about creating a people-centric security program, and how Proofpoint can help set up and manage your program, see this page.
Key finding #2: Ransomware breaches increased 13% in 2021
Maybe that doesn’t sound like much, until you consider that this increase is as big as the last five years combined, Verizon reports. Also, these attacks can be very costly and disruptive for organizations—not to mention society when critical infrastructure is the target.
Figure 2. Ransomware over time in breaches. (Source: 2022 DBIR.)
However, the DBIR does offer a reminder that ransomware is “at its core, simply a model of monetizing an organization’s access”—and you can reduce your exposure to these attacks by blocking what the report refers to as “the four key paths” to your security estate: credentials, exploiting vulnerabilities, botnets and phishing.
Research Proofpoint conducted for our “2022 State of the Phish” report found that 78% of organizations experienced email-based ransomware attacks in 2021. Our threat researchers also identified 15 million phishing messages with malware payloads that have been directly linked to later-stage ransomware.
Improving your email defenses and providing effective security training can go a long way toward reducing your organization’s exposure to phishing. Proofpoint Email Protection can help on both fronts. It’s an industry-leading email gateway that catches both known and unknown threats—and it lets you automatically tag suspicious email to help raise user awareness.
Get details about Proofpoint Email Protection here.
Key finding #3: 62% of system intrusion incidents can be tied to supply chain breaches
Like ransomware attacks, supply chain incidents are increasing. And, as the 2022 DBIR underscores, “compromising the right partner is a force multiplier for threat actors.”
DBIR defines supply chain breaches as a sequence of one or more breaches chained together—and one example of a breach that could launch such a sequence is “a breach where a partner is compromised and either a set of credentials or some trusted connection is used to gain access.”
Figure 3. Partner vector in system intrusion incidents (n=3,403); each glyph represents 25 incidents. (Source: 2022 DBIR)
BEC attacks are a method of compromise that take advantage of the complexity of an organization’s supply chain. Attackers use BEC scams, which rely heavily on social engineering tactics and include supplier invoicing fraud, to target vendors and other third parties an organization does business with. And, if the attackers succeed at compromising and impersonating trusted vendors, then they’re likely well on their way to compromising other entities in the supply chain.
Speaking of phishing scams: It’s worth noting that phishing still dominates among social engineering attack techniques, according to the DBIR. The report’s authors write, “If you wonder why criminals phish, it is because email is where their targets are reachable.”
Figure 4. Action varieties in social engineering breaches (n=1,063). (Source: 2022 DBIR)
The DBIR’s findings also complement research for the “2022 State of the Phish” report from Proofpoint, which found that phishing attacks, including hyper-targeted campaigns like BEC and spear phishing, were up across the board in 2021, compared with 2020.
Proofpoint has an end-to-end solution to help your organization address BEC threats, which are sophisticated and use multiple tactics and channels. Visit our email fraud defense page to learn more—and take our free assessment to gauge your organization’s preparedness for these attacks.
Keep on reading—there’s more to learn
Today’s threat landscape is dynamic and complex, and to keep pace, security pros need to stay on top of the latest industry research. So, in addition to reviewing the latest DBIR report from Verizon, we encourage you to check out these resources from Proofpoint:
- “2022 State of the Phish” (report)
- “Beyond Awareness Training” (e-book)
- “2022 Voice of the CISO” (report)
Also, don’t miss our webinar on June 9, where we’ll present key findings from “The Human Factor 2022” report, the industry’s most comprehensive analysis of people-based security risk. You can register here.
And to find out more about how Proofpoint can help you make the most of your cybersecurity budget and create a strong security culture where users are proactive defenders, contact us.