Verizon Business Unveils 17th Annual Data Breach Investigations Report

Verizon Business today released the findings of its 17th-annual Data Breach Investigations Report (DBIR), which analyzed a record-high 30,458 security incidents and 10,626 confirmed breaches in 2023—a two-fold increase over 2022.

While the exploitation of vulnerabilities has become one of the fastest growing threats to cybersecurity, data from the Asia-Pacific region found that 25% of attacks are motivated by espionage - significantly greater than the 6% and 4% in Europe and North America, respectively.

“Since so much of cyber espionage can be defined as an advanced persistent threat, it’s especially important for organizations in APAC to continuously refresh their security protocols in order to thwart the long-term collection of sensitive data by threat actors,” said Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business. “It’s equally important to review one’s third-party network, since sensitive information with national security implications can sometimes be accessed via organizations with more lax cybersecurity practices, such as academic institutions and research facilities.”

Of the 2,130 security incidents and 523 confirmed breaches in the Asia-Pacific region, system intrusion, social engineering, and basic web application attacks represent 95% of breaches in APAC. The most common types of data compromised are credentials (69%), internal (37%), and secrets (24%).

Globally, the exploitation of vulnerabilities as an initial point of entry almost tripled since last year, now accounting for 14% of all breaches. This spike was driven primarily  by the scope and increasing frequency of zero-day exploits by ransomware actors, most notably the MOVEit breach, one of the most widespread exploitations of a zero-day vulnerability in history.

Analysis of the Cybersecurity Infrastructure and Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog revealed that on average it takes organizations 55 days to remediate 50% of critical vulnerabilities following the availability of patches. Meanwhile, the median time for detecting the mass exploitations of the CISA KEV on the internet is five days.

Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues. This metric—new for the 2024 DBIR— shows a 68% increase from the previous period described in the 2023 DBIR.

Most breaches (68%), whether they include a third party or not, involve a non-malicious human element, which refers to a person making an error or falling prey to a social engineering attack. This percentage is about the same as last year. One potential countervailing force is the improvement of reporting practices: 20% of users identified and reported phishing in simulation engagements, and 11% of users who clicked the email also reported it.

“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to a shine a light on the importance of cybersecurity awareness among the general workforce,” said Robert Le Busque, Regional Vice President, Asia Pacific for Verizon Business.

Other key findings from this year’s report include:

• 32% of all breaches involved some type of extortion technique, including ransomware.
• Over the past two years, roughly one-fourth (between 24% and 25%) of financially motivated incidents involved pretexting.
• Over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches.

In view of this report, Mr. Anshuman Sharma, Director - VTRAC, Cybersecurity Consulting Services, Verizon Business said, “68% of breaches stem from non-malicious human errors, such as succumbing to social engineering attacks or making inadvertent mistakes like poor password practices and improper management of sensitive data. This rate has remained consistent with last year's figures. India is one of the key countries affected by phishing attacks, where employees often click on malicious links or attachments that appear to be from legitimate sources, often leading to severe financial losses. However, there's a silver lining as reporting practices have improved, with 20% of users now identifying and reporting phishing during simulation tests. This is only the first stepping stone, as enterprises can significantly reduce human error in cybersecurity by adopting a multi-pronged approach. First, continuous, scenario-based training can equip employees with the skills to identify and respond to common cyber threats, such as phishing attacks. Encouraging a proactive security culture is also crucial, with easy-to-use incident reporting mechanisms to promote prompt reporting of suspicious activities. Additionally, regular security audits and drills help assess the resilience of current security setups and pinpoint vulnerabilities. Leveraging advanced technology solutions, such as AI-driven security tools, can further assist in minimizing human error by automating threat detection and response processes.” 

Read the 2024 Data Breach Investigation Report: [2024 Data Breach Investigations Report]