Three-quarters of all data breaches observed in the past year included a significant element of human failure, with social engineering attacks involving pretexting – i.e. the invention of a scenario by a threat actor that tricks someone into giving up data or otherwise causing a breach – on the rise, and now accounting for half of all social engineering attacks, including business email compromise (BEC).
This is one among many headline findings in Verizon’s mammoth annual Data breach investigations report (DBIR), released 6 June, and which Chris Novak, managing director of cyber security consulting at Verizon Business, described as “one of the most staggering changes we’ve seen year on year”.
Novak said that senior business leaders were particularly at risk of falling victim to this sort of attack, and as such represent a growing security threat for many organisations. “Not only do they possess an organisation’s most sensitive information, they are often among the least protected, as many organisations make security protocol exceptions for them,” he said.
“With the growth and increasing sophistication of social engineering, organisations must enhance the protection of their senior leadership now to avoid expensive system intrusions,” added Novak.
“When you look at the grand scheme of social engineering, the reason we see this increasing is because it’s a relatively easy thing for a threat actor to throw out there and try to hit a lot of organisations with,” Novak told reporters during a pre-briefing session attended by Computer Weekly.
“This ties back to being financially motivated – most of these events are about fraudulent movement of money and, typically, that results in them getting paid very quickly.”
Indeed, based on data contributed by the FBI’s Internet Crime Complaint Center (IC3), Verizon said that the median amount stolen in a BEC attack has doubled over the past year and now sits at $50,000 (£40,400). This likely contributed to the growth in pretexting incidents.
“Globally, cyber threat actors continue their relentless efforts to acquire sensitive consumer and business data. The revenue generated from that information is staggering, and it’s not lost on business leaders, as it is front and centre at the board level,” said IDC research vice-president Craig Robinson.
The research team added that the fact many organisations continue to rely on distributed workforces added to the challenges faced by defenders in creating and, crucially, enforcing human-centric security best practice.
Verizon’s team of experts analysed over 16,300 security incidents and almost 5,200 confirmed breaches to compile this 16th edition of the DBIR. The data relates to activity that occurred between 1 November 2021 and 31 October 2022.
Other significant findings in this year’s report include new insight into the cost of ransomware incidents, which has more than doubled since 2021. According to data provided by the IC3, the median loss in a ransomware incident stands at $26,000, and in 95% of incidents where losses occurred these losses were between $1.00 and $2.25m, Verizon revealed.
It is important to point out that only a minority of ransomware incidents – under 10%, in fact – incurred any loss at all, and it is worth noting that when adjusting for inflation, the median cost has actually dropped quite significantly.
Additionally, said Novak, Verizon has observed the number of ransomware attacks as a percentage of all incidents and breaches levelling off over the past 12 months, although he added that this was not necessarily a reason to get excited.
“What I believe is leading to this levelling off is not that we’ve got better, but that the threat actors have reached a point of saturation. They typically need people and tools to conduct their actions and they reach a point where they don’t have enough people to hit [their] targets, or their tools are getting stale,” he explained.
“If we see they are able to recruit more, or innovate and evolve their tools, there’s a risk this will start picking up again. It’s important for organisations to understand we can’t look at this stat and say we can focus on something else because ransomware is going away – we will see an upward trajectory again in the future, unfortunately,” added Novak.
The full report, which is available now to download, contains additional insight into the nature of security incidents and breaches, including new data on how malicious actors get into their victims’ networks to begin with and what motivates them to do so. As usual, it also breaks out breach and incident data by region and by industry.
The 2023 DBIR additionally looks back over some of the most significant incidents seen during its focus period – including Log4j – which first came to light at the end of 2021 and has since become one of the most widely exploited vulnerabilities ever seen. In 90% of breaches that began with a vulnerability exploitation in the past 12 months, that vulnerability was Log4j, said Verizon.