A Summary of DBIR 2020 – Where the Data Breach World is Today and How to Prepare for IT

Key Insights from the 2020 DBIR

So who are exactly are the perpetrators behind all of these attacks? 

• 70 percent of breaches were carried out by external actors
• Organized criminal organizations were behind 55 percent of all breaches
• 30 percent of breaches involved internal players of some sort

And how did they carry out these attacks?

• 45 percent of breaches were implemented by traditional hacking
• Social engineering attacks were involved in 22 percent of breaches
• Misconfiguration errors, either accidental or purposeful, played a role in 22 percent of breaches
• Malware was the primary tool in 17 percent of breaches
• 8 percent of breaches involved the misuse of authorized users

What were the most prevalent threat actions?

• The most frequent type of security incident were Denial of Service (DoS) attacks at 60 percent
• Phishing was the most frequent threat action involved in breaches and the second most prevalent security incident

Where did these attacks take place?

• Nearly 1 in 4 breaches involved cloud assets with 73 percent of these breaches involving email or web application servers.
• On-premise assets were still involved in the vast majority of breaches
• 85 percent of victims and subjects resided within the same country, 56 percent in the same state
• 28 percent of breaches involved small businesses

Some of the key trends outlined

• The percentage of traditional hacking and social engineering attacks remain consistent with prior years, but malware continues to steadily decline over the past five years.  It is believed that the greater use of credential theft is diminishing the reliance on malware.

• Because the encryption of data is not considered a breach, ransomware is mostly categorized as a security incident.  However, ransomware is beginning to play a contributary role in breaches.

• While Trojans remain a top 5 malware variety, the methodology of dropping a Trojan onto a system to form a beachhead in a target network peaked in 2016 and continues to diminish.  The presence of downloaders and keyloggers is however growing more prominent.

How Covid-19 has affected the Security Landscape

Covid-19 has impacted nearly every part of the world and continues to have a profound effect on people and organizations.  While social distancing and the pursuit of a vaccine may help to combat exposed health risks, these strategies offer little help in the practice of cybersecurity. 

Remote work strategies were implemented seemingly overnight as a reactionary measure to the crisis.  According to a Covid-19 survey of cybersecurity professionals, 23 percent said cybersecurity incidents have increased for their organizations since transitioning to remote work.  For many, the number of incidents has doubled.  One of the challenges of this dramatic workspace transformation has been the reassignment of IT tasks to cybersecurity workers.  In fact, 75 percent of respondents stated that their job had changed since COVID-19 appeared.  This was initiated by the sudden rush to station workers out of their homes and the need to get remote workers the necessary computing equipment and software.  Bad actors have taken advantage of the isolated vulnerability of these remote workers by targeting the consumer grade equipment and collaborative software vulnerabilities.  As hybrid work models are becoming a permanent strategy, companies are faced with the task of reassessing their security policies.  The vast majority of companies view security as an essential function at this time as 49 percent expect to experience a data breach or cybersecurity incident within the next month.  As of now, 70 percent of organizations plan to increase cybersecurity spending following the COVID-19 pandemic. 

There is some good news as a result of COVID-19 however.  Companies are focusing far more attention on emergency contingency plans and large-scale remote operations due to natural or man-made disasters.  It is also prompting a new wave of innovation while accelerating the depreciation of obsolete technologies that are far outdated.  

Breaches Still Occurring in 2020

COVID-19 has consumed much of the media headlines this year and understandably so.   Behind the scenes however, breaches have continued to occur.  A record 8.4 billion records were exposed in the first quarter of 2019, a 273 percent increase over the same period a year ago.  A few examples of breaches that have occurred in 2020 thus far include the following:

• The healthcare industry continues to be a high value target as a total of 28 data breaches occurred within healthcare systems.  One example was Beaumont Health in Royal Oak, Michigan that reported an incident involving the data of more than 112,000 patients. 
• Fifth Third Bancorp, the nation’s ninth-largest U.S.-based consumer bank terminated a small group of employees that were involved in an internal breach that exposed the personal information of bank customers including Social Security numbers, account numbers, and other types of personal information.
• Misconfiguration errors continue to induce exposure incidents.  One such example was an Amazon S3 database that was left unsecured due to a cloud configuration error and exposed nearly half a million financial records to the Internet.
• As a sign of the times, Bank of America disclosed a data breach on April 22 that affected businesses that applied for the Paycheck Protection Program (PPP).

Protecting Yourself in the Future

The pandemic crisis has shown just how fast things can change overnight.  The attack surface of the typical enterprise has dramatically expanded with so many employees working from remote workspaces as a reactionary measure to the pandemic. During a time of crisis of this scale, there is little time, if any, to spend formulating a plan. This is why it is so important to formulate flexible security strategies and continue to update them to keep pace with the dynamic environments that introduce new hurdles on an accelerating basis.  Those companies whose structure has been altered in 2020 should consider:

• Conducting a new risk assessment. With legislation emphasizing the need for cyber security safeguards to be ‘reasonable’, organizations should take a fresh look at their risk profile to address any new risks that have emerged. A Duty of Care Risk Analysis (DoCRA) analyzes the risks and vulnerabilities that have been introduced to their organization and helps prioritize those risks to ensure controls are reasonable given the danger they pose to the public and themselves while satisfying expectations of judges and regulators.
• Assessing your existing partner, supplier, and contractor security profile. Your partners operate as an extension of your business. It is best practice to review their risk profile to ensure they practice under your security policies and procedures.
• Enhancing or developing an incident response plan. Make sure you review existing plans or develop a one to properly deal with the challenge of a security incident or breach that may occur simultaneously with an even greater crisis such as a pandemic. 
• Staying up to date on the latest risks, threats, and incidents by reading the PANDEMIC BREACHES BULLETIN.

Enhance your security strategy to address your changing working environment and risk profile due to COVID-19. HALOCK can help you get the most out of your security budget through our Security Optimization Spend (SOS) program.

Schedule a complementary advisory and counseling session to review your current solutions and identify those that can be optimized.

HALOCK is a cyber security consulting firm headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable information security strategies, third-party risk management, risk assessments, penetration testing, security management and architecture reviews, and HIPAA, Privacy, & PCI compliance, incident response and forensics throughout the US.

SOURCE: 2020 DBIR