With the release of Verizon’s 2021 Data Breach Investigations Report (DBIR) on May 13th, there’s a lot of new information out there about how the industry has shifted over the last year while adjusting to the new normal. Focusing extensively on data breaches and security incidents, Verizon’s DBIR goes into detail about the actors, methods, outcomes, and overall trends associated with data breaches over the past few years. Here are our key findings from the report.
Threat Actors and their Motivations
Verizon has shown that Organized Crime continues to be the dominant threat actor in play, with an 80% share in the 2,227 breaches identified by the report. This makes sense given that Verizon tracked further increases in financially motivated cybercrime on top of the sharp spike in 2019, while cyber espionage has continued to fall following its spikes in 2016 and 2018. Interestingly, this corresponds to the US election cycle, indicating a possible correlation between cyber espionage and internationally significant elections.
Most Targeted Industries
The report contains tons of information relating to multiple specific industries, but what is most interesting here is the big picture. According to the report, the industries with the greatest number of security incidents are the Entertainment industry (24%), the Public sector (11%), and the IT sector (10%). It’s worth noting here that a significant share of these incidents is attributed to “unknown” industries (29%). For breaches the numbers are quite different: the industries with the highest number of breaches are the Public sector (17%), the Professional Service industry (12%), the Healthcare industry (9%), and finally the Financial sector (9%). This disparity between incidents and verified breaches could be attributed to many things, but I would hazard a guess that as security incidents include denial of service attacks, entertainment companies would be more likely to be on the receiving end of a DoS attack than others.
Top Activities in Breaches vs Incidents
Another useful indicator tracked in the DBIR is the set of actions undertaken in identified breaches and incidents, which gives us a clearer idea of what the leading attack methods are for the year. The DBIR attributes 38% of breaches to phishing attacks, 23% to stolen login credentials, 17% to “other”, and 10% to ransomware. Understandably, this analysis tracks similarly for incidents, with one glaring exception: denial-of-service attacks make up the vast majority of incidents tracked. About 60% of the 24,000 incidents tracked were attributed to denial-of-service attacks. Interestingly, after denial-of-service attacks the ranking tracks similarly to that of data breaches: phishing, “other”, then ransomware.
Most Sought-After Data Types
The DBIR tracks two key data points here: the types of data sought after by malicious actors in data breaches, and the data types that are typically leaked in “error” related breaches (such as misconfigured servers and misdelivery). According to Verizon, 60% of data breaches target user credentials, 40% target personal data, and 12% target medical information. Among error-related data breaches, personal data is the most frequent offender, making up 80% of the error breaches, followed by medical information at 18% and then credentials at 12%.
Most Targeted Assets
One of the most interesting entries in this report is the breakdown of assets involved in breaches and security incidents. Contrary to industry expectations for 2021, there hasn’t been the huge shift in focus towards targeting end user devices that many predicted. The report found that servers account for over 80% of assets involved in security incidents and roughly 90% of breaches, with users and user devices both significantly behind servers. Users are involved in around 15% of incidents and almost 40% of breaches, while user devices are only involved in 10% of incidents and 8% of breaches. Verizon attributes the prevalence of user-related breaches and incidents in the report to increases in social engineering attacks.
There is far more in the report than what we have covered here, but these are what we feel are the biggest takeaways. Some of these findings are surprising, but not necessarily groundbreaking. The biggest surprise here was the above-mentioned lack of end user asset targeting. Many believed that the combination of companies moving to a distributed workflow with remote collaboration and people’s tendency toward riskier cyber hygiene in a home environment would lead to a shift towards attacks against end user devices, but the DBIR found an insignificant change over the 2020 report. Overall, Verizon’s DBIR has a lot of thought-provoking material that tells us a lot about the overall state of the industry.