Verizon's annual Data Breach Investigations Report (DBIR) is launched today and as always provides valuable insight into the cybersecurity challenges faced by organizations. We all know that 2020 was a year like no other. Phishing and ransomware were the most "successful" of the threats, up 11% and 6% respectively. However, the rapid innovations that many organizations made in 2020 did not always address information risk and security upfront, leading to further opportunities for compromise by malicious threats.
Innovation Drives Threats
Omdia's annual ICT Enterprise Insights survey, last undertaken in mid-2020, found that the transformation of customer experience is the leading technological impact of COVID-19, with 34% describing it as "significantly more important", and a further 42% as "more important" (n=4,961). This is because innovation must continue and many organizations have evolved and even changed the way they do business, with customers at the heart of that business (public and private sector alike).
Of course, expanding an organization's digital footprint doesn't come without risk. Such was the speed of business innovation at the height of the pandemic that reviewing and mitigating security risks relating to this transformation were lower on the agenda than they might be in more stable times. Hyperscalers (e.g. Amazon Web Services, Microsoft Azure, and Google Cloud Platform) have improved the default security settings on their services to reduce the opportunity for "rookie" mistakes by customer organizations. For example, S3 buckets are now private by default and have to be made public by the customer organization (the default "public" setting led to the high-profile Capital One breach back in 2019).
The 2020 DBIR has found that cloud-based assets were breached more often than on-premises assets. The acceleration to cloud in 2020 is highly likely to have contributed to this; use of the hyperscalers is more common than it was, and the lack of skilled cloud security specialists means that mistakes can be made, despite the improvements referenced above. Of course, the rise in the use of cloud also means that there are fewer on-premises assets to be compromised. "Machines" are not inside the network anymore, and although this has been the case for some time, the acceleration in 2020 has made the security aspects more difficult to control.
Phishing Has Been Hitting the DBIR Headlines for Years
2020 was no different in one respect: phishing remains popular. This method of attack was up from 25% of attacks in 2019 to 36% in 2020. Furthermore, the DBIR found that the human element was present in a huge 85% of breaches covered in the report, and the fact that humans are involved in so many breaches shouldn't be a surprise. Misconfiguration of cloud services has a human at the source of the compromise; the same is true of clicking on phishing emails.
One of the fascinating insights from the DBIR this year is a study of 1,148 people who received real and simulated phishes. None of them clicked the simulated phish, but 2.5% clicked the real phishing email. This shows that the simulations need to improve to the level of the real phishing emails; furthermore, organizations must double down on their efforts to evolve security training from a once- or twice-yearly tick-box exercise to continuous cybersecurity education that focuses on changing user behavior and building a more aware and security-positive culture.
Time to Get a Grip on Ransomware
Throughout 2020 ransomware was hitting the headlines, so it is no surprise that the 2020 DBIR shows it rising too, although the figure itself was initially a surprise, at "just" 6%. However, the DBIR only reports successful ransomware attacks, and furthermore does not cover all attacks by any means, only the ones Verizon has investigated. Nevertheless, the continued rise in ransomware should be a reminder to all organizations that it is an omnipresent threat: ransomware is now third on the Verizon list for actions causing data breaches.
The lack of organizational preparedness for a ransomware attack is a concern. Dark Reading is running a snapshot poll on confidence in organizational plans for responding to a ransomware attack, and just 26% are confident that the business would continue to operate efficiently (n=593). This leaves almost three-quarters of organizations with holes in their plans, or even no plan at all.
If an organization does suffer a ransomware attack, it's not only a matter of deciding whether to pay up. Unsurprisingly, paying up does not guarantee data will be returned to the organization, or that the data won't be published or sold on the dark web. Furthermore, depending upon where the company is registered, paying up could be illegal. The US Treasury Department's Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, stating that "companies that facilitate ransomware payments… not only encourage future ransomware payment demands but also may risk violating OFAC regulations."
Paying the ransom could result in a fine or disapproval from authorities. Not paying the ransom could result in a fine in terms of data privacy regulations or disapproval from authorities, in addition to loss of control over the ransomed data. It's clearly a no-win situation. The answer? Be prepared and develop a plan covering three legs of a response strategy: protection for critical data, rapid response, and organizational learning.