Verizon have released their annual Verizon Data Breach Investigations Report (DBIR) 2020, analysing almost one hundred and sixty thousand incidents and just under four thousand confirmed data breaches.
Mishcon de Reya are a regular contributor to this report and therefore the trends identified include those incidents which we help our clients to manage. As always, the report is recommended reading for those managing cyber risk.
Find our key takeaways below.
External threats are the big threats
While the insider threat is sometimes claimed to be the most significant issue businesses face, it’s external parties who pose the biggest threat to your business. This isn’t to say the insider threat can be ignored, but 70% of breaches reviewed in the DBIR were perpetrated by external actors.
In the past year we have assisted with incident management and post-incident reviews that included suggestions of insider threat activity. With one exception, these incidents were always traceable back to external attackers.
Attackers follow the money
As in previous years, most breaches reviewed – 86% of them – were financially motivated. Every year we see a steady increase in financial cyber crime, with little being done to tackle it at a national level.
Financially motivated attacks are an ongoing issue in the UK: reporting is infrequent, in part because of a perception that police response will be minimal, particularly where the amounts lost are small in the context of a large business. However, it is often overlooked that those relatively meagre numbers can be a major blow for small businesses and for individuals.
In our experience, the first 24 hours after a financial cyber crime incident are key to successful recovery of the funds. Worryingly, ‘following the money’ is often not a part of Incident Response plans.
It’s not always rocket science
The image of a hoodie-wearing hacker launching sophisticated malware to exploit highly technical vulnerabilities in software persists and makes for passable cinema but, in reality, attackers are focusing more and more on simple attacks such as the abuse of account credentials.
This makes sense: why would attackers spend their time and money crafting complicated exploits when stealing or guessing credentials brings the same profits for less effort?
Credential theft and stuffing attacks have been a regular feature of the incidents we have been asked to help our clients with over the past year. Tools like two-factor authentication may not be perfect protection against attacks like these, but they can make a considerable difference and help to remove your organisation from the ‘low-hanging fruit’ list that attackers hit first.
Attackers like an easy life
Cyber attackers prefer an easy attack to a complex one. Detailed attack path analysis in the DBIR highlighted the finding that adding one or two hurdles for an attacker can make a significant difference. An attacker motivated by money rather than your specific data will move on to an easier target if you’re judged to be difficult.
The mantra of ‘defence in depth’ is sometimes overused in our industry. During several incidents that we have helped manage, multiple layers of defence could have made a significant difference.
We recommend focusing directly on the specific tools and tactics from threat intelligence. We often use threat intelligence to help us complicate attacks for attackers. By identifying the priority steps in attack chains used in similar incidents we can increase attack complexity and push attackers off to ‘softer’ targets.
External applications are still a weakness
Web applications are a fundamental element of modern business, and in many cases are the core conduit for services to clients, so it’s worrying to see that 43% of breaches involved web applications. We have dealt with incidents where external applications such as support or ticketing are simply used to send phishing links, but here the problem runs much deeper.
We still see multiple examples every year of insecurely developed applications. This emphasises the need to secure web application development. The move to more agile development and rapid deployment continues, but omitting security or paying it lip service can come back to bite you. There is also a need to ensure that modern and secure practices are applied to legacy systems or those that become part of an organisation through M&A activity.
The integration of security in modern development lifecycles is critical but needs to be undertaken in a cost-sensitive way that empowers teams rather than constraining them. The migration to a new model doesn’t have to be cost-prohibitive or obstructive, but it does need buy-in that we have seen some of our clients struggling to achieve. This trend is reflected in the DBIR numbers.
The first step in securing your business is knowing what your weak spots are in an ever-changing threat landscape, then putting in place the practical steps that drive the most impact.
Get in touch with us at MDR Cyber if you’d like to discuss what the right options are for your business at firstname.lastname@example.org.