Top 10 cybersecurity findings from Verizon’s 2023 data breach report

Statistics from 2022 and into 2023 show the cybersecurity industry has more work to do to people-proof attack vectors. Attackers are capitalizing on stolen credentials, privilege misuse, human error, well-orchestrated social engineering, business email compromise (BEC) and, doubling in just a year, pretexting. Every cybersecurity provider needs to step up efforts to improve identity, privileged access, and endpoint security to deliver the value their customers need. Organizations must move beyond training and act to provide a strong defense baseline. 

Attackers are finding new ways to dupe victims for dollars

Verizon’s 2023 Data Breach Investigations Report (DBIR) reflects how fast the threatscape is evolving to prey on people’s good nature. We often want to help colleagues, friends and family when they request cash or other forms of financial help. VentureBeat has learned of dozens of tech companies routinely attacked with pretexting as part of orchestrated social engineering attacks. The well-known gift card scam has become so commonplace that the Federal Trade Commission published guidance on how to avoid it. According to Internet Crime Complaint Center (IC3) data, the median theft amount for BEC has increased to $50,000.

More budget, more breaches 

One of the most powerful takeaways from the report is that despite increased spending, cybersecurity is not pivoting fast enough to protect people from advanced pretexting attacks. The answer to this challenge isn’t to double spending on training or, worse, continue the ineffective practice of trying to trick employees with fake phishing emails. 

Instead, companies would be more secure if they first assumed a breach would happen, then took preventative measures before one did. Getting basic cybersecurity hygiene right at scale and enforcing zero trust incrementally, protecting one surface at a time, is what cybersecurity expert John Kindervag advised organizations to start with during a recent interview with VentureBeat. Kindervag advised enterprises not to protect all surfaces simultaneously, but to opt instead for an iterative approach, telling VentureBeat that this is a proven way to scale zero trust without asking the board to fund a capital equipment-level investment.

10 key takeaways 

Attackers’ fine-tuned strategies are getting into victims’ heads and shortening the time from initial contact to when a target actually falls victim. Stolen privileged access credentials continue to be a favorite way for attackers to gain access to systems and blend into regular system traffic undetected. Verizon found stolen credential use increased from 41.6% to 44.7% of all breaches in just a year.

Here are the top 10 key takeaways of the Verizon 2023 DBIR:

Eighty-three percent of breaches are initiated by external attackers looking for quick financial gain. Organized crime gangs and networks initiate eight out of every 10 breaches, 95% of the time for financial gain. Smash-and-grab attacks on customer and financial data are commonplace, with ransomware the weapon of choice.

The financial services and manufacturing sectors top attackers’ hit lists, as these businesses must deliver products and services on time to keep customers and survive. And people have become the initial threat surface of choice, with pretexting, coordinated with social engineering, the initial attack strategy. 

Eighty-four percent of breaches target humans as the attack vector, using social engineering and BEC strategies. According to the last two Verizon DBIR reports, many breaches involve human error. According to this year’s report, 74% of breaches began through human error, social engineering or misuse. In last year’s report the figure was an even higher 82%. But the year before that, the 2021 DBIR found that just 35% of successful breaches started that way.

One out of every five breaches, 19%, originate from the inside. CISOs tell VentureBeat that insider attacks are their worst nightmare because identifying and stopping these kinds of breaches is so challenging. That’s why leading vendors with AI and machine learning expertise have insider threat mitigation on their roadmaps. Booz Allen Hamilton uses data mesh architecture and machine learning algorithms to detect, monitor and respond to suspicious network activity. Proofpoint is another insider threat detection vendor that uses AI and machine learning. Proofpoint’s ObserveIT gives real-time alerts and actionable insights into user activity.

Several vendors are either exploring or have acquired companies for strengthening their platforms against insider threats. An example is CrowdStrike’s acquisition of Reposify last year, announced at CrowdStrike’s annual Fal.Con event. Reposify scans the web daily, searching for exposed assets to give organizations visibility over them, and defining the actions they need to take to remediate them. CrowdStrike plans to integrate Reposify’s technology into the CrowdStrike platform to help customers stop internal attacks.

System intrusion, basic web application attacks and social engineering are among the leading attack strategies. Two years ago, in the 2021 DBIR Report, basic web application attacks accounted for 39% of breaches and were 89% financially motivated. Phishing and BECs were also prevalent and financially motivated (95%) that year. In contrast, this year’s 2023 Verizon DBIR found that system intrusion, basic web application attacks and social engineering accounted for 77% of information industry breaches, most of which were financially motivated.

The trend of increased web application attacks is increasing, as evidenced by the growth seen in just two years of data from Verizon. This underscores the need for more effective adoption of zero-trust-based remote browser isolation (RBI) across enterprises. Leading vendors in this area include Broadcom/Symantec, Cloudflare, Ericom, Forcepoint, iboss, Menlo Security, MacAfee, NetSkope and Zscaler.  Ericom’s ZTEdge, for example, uses web application isolation as a clientless zero trust network access (ZTNA) approach that secures BYOD and unmanaged device access to corporate web and SaaS apps.

System intrusion is an attack strategy used by more experienced attackers with access to malware to breach enterprises and deliver ransomware. Last year’s Verizon DBIR showed system intrusion to be the top incident category, replacing basic web application attacks, which was the top incident category in 2021.

Social engineering attacks’ sophistication is growing fast, as evidenced by pretexting’s rapid growth. This year’s DBIR highlights how profitable social engineering attacks have become and how sophisticated pretexting is today. BEC and pretexting attacks have nearly doubled across the entire incident dataset and now account for more than 50% of social engineering incidents. In comparison, the 2022 Verizon DBIR found that social engineering attacks were responsible for 25% of breaches. In 2021, Verizon found that BECs were the second most common type of social engineering, and misrepresentation has grown 15 times higher over the past three years.

Ninety-five percent of breaches in 2023 are financially driven, countering the hype about nation-state espionage. As attackers hone their social engineering tradecraft, the percentage of financially motivated breaches increases. Trending data from previous reports show how financial gain is growing as a primary motivation over corporate espionage or revenge attacks by former employees. The 2022 Verizon DBIR had found that 90% of all attackers initiated a breach for financial gain, up from 85% in 2021.

The jump can be attributed to higher potential ransomware payouts, combined with multi-attack strategies with a higher probability of success. There’s also the possibility that espionage attacks aren’t being detected as much due to attackers knowing how to steal privileged access credentials and breach networks undetected for months.

The median cost to victims per ransomware incident more than doubled over the past two years to $26,000, with 95% of incidents resulting in a loss of between $1 and $2.25 million. Ransomware payouts continue to set records as attackers go after the industries with the most to lose from shutdowns. It’s not surprising to see financial services and manufacturing among the hardest-hit industries, as this year’s DBIR reports.

For the 2021 DBIR, Verizon used FBI data and found that the median ransomware payout was $11,150. In 2020, ransomware payouts had averaged $8,100, and that was up from just $4,300 in 2018. So in five years, average ransomware payouts have tripled.

Twenty-four percent of breaches involved ransomware this year, continuing its long-term upward trend as a primary attack strategy. Ransomware was discovered in 62% of all incidents committed by organized-crime attackers and 59% of all incidents with a financial goal in the 2023 DBIR. Verizon’s 2022 analysis had found ransomware breaches jumping 13% from the previous year. Continuing the trend and gaining momentum, ransomware attacks more than doubled between 2022 and 2023, rising from 25% of all data breaches to 62% this year.

Over 32% of all Log4j vulnerability scanning occurred in the first 30 days after release. Verizon’s latest DBIR found that exploits peaked 17 days after attackers discovered a flaw. The quick exploitation of Log4j vulnerabilities shows why organizations must respond faster to new threats. They must prioritize patching and updating systems as vulnerabilities are discovered. This includes applying all software and system security patches. A robust vulnerability management program can help organizations identify and fix vulnerabilities before attackers can exploit them.

Seventy-four percent of financial and insurance industry breaches involved compromised personal data — leading all industries by a wide margin. In comparison, other industries experienced significantly less personal data being compromised: 34% of accommodation and food services industry breaches were the result of compromised personal data, and for the educational services industry, the figure was 56%.

Attackers frequently target financial institutions with credential and ransomware attacks, which explains why the industry leads all others in compromised personal data attacks.

Looking back, in aggregate across all industries, 83% of 2021 breaches were the result of compromised personal data. And in the 2022 Verizon DBIR, web application attacks, system intrusion and miscellaneous errors caused 79% of financial and insurance breaches. 

Cybersecurity spending is a business investment in trust 

This year’s DBIR provides a stark reminder of how attackers are changing the threatscape with pretexing and advanced forms of digital fraud. The report’s main finding is that, despite increased cybersecurity spending, breaches are becoming more frequent and sophisticated, highlighting the need for a more integrated, unified approach to cybersecurity that doesn’t leave identity security to chance. 

Unsurprisingly, 24% of breaches involve ransomware, showing that attackers are increasingly targeting industries with the most to lose from business interruptions. Ransomware incidents have increased in cost, making backup and incident response strategies more necessary to minimize damage. The DBIR’s report on the Log4j vulnerability’s rapid exploitation highlights the need to act quickly to address new threats, in part by speeding up patching and system updates.

In conclusion, the Verizon 2023 DBIR report emphasizes the need for organizations to rethink their cybersecurity strategies. They must consider human factors, including insider threats, and how fast attack strategies evolve. Enterprises must create a cybersecurity culture that goes beyond IT departments, one that promotes vigilance, resilience and constant adaptation to evolving threats.