It’s that time of year again! The telecoms and mobile security conglomerate Verizon has released its annual Data Breach Investigations Report (DBIR) – an in-depth report with some of the best insights into security and malware that you’ll find.
This year’s findings are collated from over 5,000 data breaches around the world that occurred in 2021. As always, the DBIR is a meaty, mighty read. So if you want the ‘TL;DR’ version, you’ve come to the right blog!
Let’s dive in.
- The ‘human’ element is a huge factor in data breaches
The research found that the human element accounted for 82% of intrusions in 2021. Verizon defines the human element as anything involving the following:
- Errors: Mistakes made by employees that allow cyber-criminals to access sensitive data. A prime example of this would be a misconfigured cloud instance that is set to public. This accounted for 13% of all data breaches.
- Privilege misuse: The use of stolen credentials to log in to employee accounts.
- Social engineering: Incidents where employees fall for scams like phishing or SMS-ishing.
This is a pretty sobering finding. Any security guy knows that the ‘human factor’ has been a major player in data breaches for decades. And yet, things aren’t changing.
From our perspective, there’s one huge reason for this. Companies still rely on tick-box training that doesn’t have a true impact.
Organizations need to move away from boring e-Learning programs and annual away days. Instead, we advocate incorporating employee security training directly into the daily workflow via what’s known as security and privacy nudges.
Successful nudging techniques are based on a positive manipulation of people’s actions. They either make people stop and think, so they can choose a better outcome, or rely on people’s tendency to take the easy option.
For example, let’s say an employee is about to close a Google doc that’s full of sensitive information, but they haven’t set it to private. The nudge will pop up to remind them that they should change the settings.
Sounds cool, right? Well, that’s what our engine does. We provide employee-based risk scoring based on patterns of sharing sensitive data. Our user nudges and warnings are designed to help users avoid phishing scams, data loss and cloud misconfigurations.
- Stolen credentials are a huge way cyber-criminals get into companies
Stolen credentials accounted for almost 50% of cyber-attacks in 2021. The report found that there’s actually been a 30% increase in credential theft since 2017.
We find this particularly interesting. We would’ve expected credential theft to go down, given the rise of multi-factor authentication. However, it seems that companies either aren’t implementing MFA or hackers are finding workarounds (as was the case in the EA data breach).
For organizations, the rise in credential theft really underlines the importance of implementing a zero-trust approach to security. It’s no longer secure to rely on passwords as a means of authentication.
Of course, implementing zero-trust is a bit like tackling a behemoth. It can’t be done overnight. Luckily, though, there are tools out there – like ours – that are built on the principles of zero trust, offering you a ready-to-go solution that kick-starts your zero-trust journey.
You see, our cloud data protection engine protects against credentials misuse by moving access controls closer to your sensitive data. The engine uses user behavior analytics to dynamically authenticate users as they interact with your corporate data, ensuring that only legitimate and trusted people are given access.
- Supply chain breaches are as big an issue as feared
Supply chain attacks were a mainstay feature in the headlines last year. As a result, it’s not surprising that 62% of system intrusion incidents came from companies’ partners and suppliers.
For cybercriminals, supply chain attacks are a holy grail. Rather than compromising just one company, they can infiltrate hundreds – if not thousands!
Protecting against supply chain breaches is a complex undertaking – but a very important one. We advise reviewing NIST’s guide to supply chain security management as a way to set up a supplier assurance process.
As well as having policies in place, you’ll also need the right tools. Again, taking a data-centric approach is vital – especially in instances where your data is stored in third-party cloud environments.
This is where Next-gen DLP or Data Exposure Prevention (DEP) comes in. It works by monitoring, classifying and protecting sensitive data across cloud applications and collaboration tools. Through predefined policies, it prevents data loss in real-time through automatic actions like redaction, encryption and deletion.
- The ransomware reign continues
Nearly 25% of all data breaches in 2021 involved ransomware, a form of malware that encrypts your data and files and blocks access to them until you pay a hefty ransom.
Ransomware is often delivered to a company via a phishing email. So, again, employee training and thoughtful nudges can be a great way to reduce your risk of these attacks. As well as this, make sure you regularly back up critical data to the cloud. That way, if the worst-case scenario happens, you’ll be able to restore your files without having to pay criminals!
Conclusion
That’s a wrap! The major takeaways from Verizon’s DBIR 2022. Our main learning? Companies need to rapidly move to a zero-trust security model and improve how they educate their employees on security.
Doing this doesn’t need to be difficult. With Polymer DLP, you can enhance your cloud security posture in a matter of minutes, thanks to a no-code deployment model.