2019 Data Breach Investigations Report

It’s here! The 2019 Verizon DBIR has just been released. If you want to better understand the biggest drivers of incidents and breaches and how they impact you and your organization, this is your go-to source. It is one of the world’s most respected and trusted data driven sources on security incidents and breaches today.  

The Verizon DBIR enables you to make data driven decisions, not decisions driven by emotion or impulse. The Verizon team is able to execute this by collecting data on real incidents every year from organizations around the world. Their team analyzes and crunches that data to publish this annual report. This year, they’ve aggregated data from over 40,000 incidents and 2,000 breaches. I found this year’s report one of the best, as it was easy to read, it provided key points, and concise visuals and graphs that I could easily follow.  

If you are new to the report, I recommend you start with the introduction (pages 01-08), then jump to the section specific to industries, which starts on page 31. From there, you’ll find and can analyze risks unique to your industry.

I think the largest take-away from this year’s report is the touch points on phishing and credentials (i.e. passwords), which continue to be the biggest drivers in bad stuff happening. In addition, the human overall proves to be a growing player in incidents and breaches. Security is no longer just about technology; organizations have to address the human risk factor.

Here’s my overall conclusion of the human risk perspective. I reference specific figures in the report so that you can reference or leverage them for your own research and uses:

  • Human:  The human element is the fastest growing driver in breaches today.  We see this in Figure 09, as it identifies the top threat actions in data breaches. The only two that have grown in the past 7 years were both human based, Error (up 5%) and Social Engineering attacks (up 18%). This figure can be used to help your leadership better understand the critical need for training people, as awareness is one of the few controls that helps manage both accidental and deliberate threats at the same time.  
     
  • Errors: Accidents continue to be a large and growing risk. I bring this up because I see so many organizations and awareness programs focusing on just deliberate threats, thus underestimating accidental risk. That is why I LOVE this report: it gives us hard data, and hard data says we need to address mistakes. Figure 3 of the report indicates that 21% of all breaches were due to people making simple mistakes, the second largest of the nine incident classification patterns (Figure 36). Sometimes we get so caught up in the whole APT thing we forget that something as simple as auto-complete in email can be a big risk (Figure 24). Think about it: Just teaching people to double check the TO: address in their email draft before hitting the “send” button could reduce almost 10% of all breaches globally.
     
  • Phishing: Phishing continues to be one of the top two ways cyber criminals are getting into systems, second behind passwords. In Figure 12, we see phishing as the top threat action for breaches. While this is no surprise to most of us, what the report also proves is that security awareness training works. I’m continually amazed when people say you can’t patch the human, change behavior, or that training simply does not work. Figure 21 indicates the click rate in phishing simulations has dramatically dropped over the past 7 years, from an average click rate of 25% to just 3%. That is amazing. While “artificial intelligence” might be the buzzword in cybersecurity these days, don’t discount real intelligence. (For those of you clamoring that a 3% click rate is still bad, think again: A goal of zero percent click rate actually does far more harm than good.)
     
  • Passwords: Passwords continue to be the other weak link. Passwords are often compromised when people use bad or easily detectable passwords, or they fall victim to phishing or malware attacks which end up compromising their passwords. You can see this in Figure 12 in top threat actions, in Figure 13 where stolen credentials are the number one hacking action, or in Figure 36 where web applications is the number one incident categorization. The category “web applications” can be misleading, as you may be thinking bad code that got hacked via Structured Query Language (SQL) injection. The vast majority of incidents in this category are actually credential based. Bad guys compromised someone’s password and got in using their credentials. On page 25, the report states, “Over one half of breaches in this pattern are associated with unauthorized access of cloud-based email servers.” Long story short, we need to continue to address the password challenge. We need to make strong passwords easy for people. Kill password complexity and password expiration. Instead, emphasize unique passphrases for every account and enable this behavior by providing password managers and training people on them. Even better, have people enable Multi-Factor Authentication (MFA) whenever possible. We have to stop blaming people with credentials and start enabling them.
     
  • FMSE: CEO Fraud has become such a big driver of incidents that the Verizon DBIR has given it its own name: Financially Motivated Social Engineering Attacks (FMSE). Think phishing, but with no malicious links or infected attachments. Instead, the end goal is to trick an individual or organization into transferring money. What is interesting in this year’s report is that the Human Resource / W2 CEO Fraud scams were down 6x. Bad guys have found it’s far easier to simply ask for money than to commit tax fraud with stolen W2 forms. The good news is that if organizations detect the fraud in time, they can get their money back. On page 29, the report states,

    “When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered.”

    This is a great example of where detection and response is just as valuable as prevention. Continue to develop the human sensor.
     
  • Attack Paths: The DBIR this year introduced something new: attack paths. This is very exciting, as they attempt to document the steps used in an incident/breach. In other words, they are not taking just a static snapshot, but looking at the entire life cycle of an incident. Think: Cyber Kill Chain, but from a Threat Intel perspective. I’m looking forward to seeing this section grow in the coming years.

     

Overall the Verizon DBIR is a powerful report you should be using.  It enables you to make data driven decisions in your security awareness program. Leveraging reports like these can further develop your credibility with leadership.  If you have something you found interesting or useful in the report, please share with me! There is so much rich data packed in here, so I’m sure I missed some gems.  Finally, shouts out to the Verizon DBIR team and all the good work they do. Be sure to thank them on Twitter at @VZDBIR.

NOTE: For a report like this, terms are key.

  • Event: Something happened.
  • Incident: Something bad happened. The Verizon DBIR terminology is “A security event that compromises the integrity, confidentiality or availability of an information asset.”
  • Breach: A type of incident where the bad guys got your data.  The Verizon DBIR terminology is “An incident that results in the confirmed disclosure-not just potential exposure-of data to an unauthorized party.” 

(For example, a DDoS attack is an incident, but is not a breach, as there is no loss of data.)