Thursday, May 2, 2024
The report, Verizon's 17th in as many years, analyzed a record-high 30,458 security incidents and 10,626 confirmed breaches in 2023 – a twofold increase over 2022.
The exploitation of vulnerabilities as initial points of entry nearly tripled, accounting for 14 percent of all breaches last year. This spike was driven primarily by the increasing frequency of attached targeting vulnerabilities on unpatched systems (known as zero-day vulnerabilities) by ransomware actors, Verizon Business reported.
The Moveit software breach was one of the largest drivers of these cyberattacks, first in the education sector and later spreading to the finance and insurance industry.
The Moveit breach began in June 2023 after a weak link was discovered in Moveit, widely used file transfer software. Victims of the attack are still coming forward, according to published reports, so the exact scope of the attack remains unknown.
"The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises," said Chris Novak, senior director for cybersecurity consulting at Verizon Business.
Add to Moveit, social engineering and the failure of firms to patch vulnerabilities in a timely manner and you account for the majority of data breaches last year. Interestingly, and possibly a relief to many, the rise of artificial intelligence posed less of a problem compared to large-scale vulnerability management, according to Novak.
"While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach," Novak said.
Analysis by the Cybersecurity Infrastructure and Security Agency, the federal agency that oversees cybersecurity for critical infrastructure, revealed that on average it took 55 days to remediate 50 percent of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting mass exploitations is five days.
"This years' DBIR findings reflect the evolving landscape that today's CISO's must navigate – balancing the need to address vulnerabilities quicker than ever before while investing in continuous employee education as it relates to ransomware and cybersecurity hygiene," said Craig Robinson, research vice president at the market intelligence firm IDC. "The breadth and depth of the incidents examined in this report provides a window into how breaches are occurring, and despite the low-level of complexity are still proving to be incredibly costly for enterprises."
In 2023, 15 percent of breaches involved third parties, including data custodians.
But most breaches, whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This percentage was the same in 2023 as it was in 2022, Verizon said. One potential countervailing force is the improvement of reporting practices, Verizon said, adding that users are more inclined to report phishing attempts.
"The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce," Novak said.
Additional data points from the Verizon report include:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.