It’s one of our favorite times of the year: the release of Verizon’s Data Breach Investigation Report. Verizon’s 2022 DBIR is chock full of crucial statistics and trends in the cyber realm; I’ll highlight just four, and then unpack them.
1. Very small businesses are being attacked. Even the smallest businesses (10 employees or fewer) are under rapid fire.[i]
2. The human element was involved in 82 percent of all breaches analyzed over the past year: poor security decisions, clicking malicious links, giving up or losing credentials, misconfiguring, and misusing privileges.[ii]
3. Roughly 4 in 5 breaches can be attributed to organized crime[iii], with external actors approximately four times more likely to cause breaches in an organization than internal actors.[iv]
4. Ransomware attacks jumped in frequency, with an increase greater than the past five years put together![v]
Let’s read the data like an old crime novel. An innocent youngster in a small family (10 members or fewer) mentions that their government agency-employed father has been working on crucial and confidential plans in their home (the human element mistake). Coincidentally, Dad is gone for the weekend; a sinister mafia member breaks into the empty house (breached by an organized crime member) and steals the plans, blackmailing the father for their return (ransomware). We are all familiar with the plot; only some technical advances have changed the details.
In the past, we have worried about large corporations, critical infrastructure, and the government when cyberattacks flew across our mental screen. The reality is that small businesses, not just the large corporations or hospitals, are now being targeted and attacked at a terrifying rate. But the bad guys don’t have to win.
If 82% of breaches involved the human element, what would happen if we halved that?
Let’s take it up a notch. Use of stolen credentials, ransomware (present in 70% of malware breaches)[vi], and phishing all landed in the top five types of breaches. What an honor. Verizon also reports not only that docs in your email are still the primary carriers for malware[vii], but that “malware and stolen credentials provide a great second step after a social attack gets the actor in the door, which emphasizes the importance of having a strong security awareness program”[viii]. We agree, and it’s part of why the statistics are exciting.
In the midst of what feels like another bad plot from our cheesy crime novel, the key is this: the outcome can change because people can change. Sure, small businesses are being targeted. Sure, organized crime groups are doing the majority of the attacking. But at the end of the day, the statistics aren’t pointing to a solution out of our reach. They point to us, to our communities—the human element. If this one thing can change, it will drastically influence the other three key findings. We can make a difference.
[i] Verizon 2022 Data Breach Investigations Report, p. 75.
[ii] Ibid., p. 8.
[iii] Ibid., p. 60.
[iv] Ibid., p. 11.
[v] Ibid., p. 27.
[vi] Ibid., p. 17.
[vii] Ibid., p. 27.
[viii] Ibid., p. 33.