By Roy Urrico
Finopotamus aims to highlight white papers, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
Verizon Business, a division of Verizon Communications based in Basking Ridge, N.J., recently release its 2023 Data Breach Investigations Report (2023 DBIR) — the 16th annual version — which analyzed 16,312 security incidents and 5,199 breaches that took place from November 2021 through October 2022.
Among its major findings: The cost per ransomware incident doubled over the past two years and now accounts for 1 out of every 4 breaches; business email compromise also has more than doubled since 2022; and 3 out of 4 breaches now involves a human element.
The finance industry, which includes banking, accounted for 1,829 incidents and 477 breaches. Financial data compromised by breaches breaks down as personal (74%), credentials (38%), other (30%), banking (21%). “Personal data, very useful for fraud, continues to be the most desired data type stolen,” said the report.
The report also found the median cost per ransomware more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million. This 2023 DBIR also explained the rise in cost coincides with a dramatic rise in frequency over the past couple of years when the number of ransomware attacks was greater than the previous five years combined. That prevalence held steady this year as ransomware remained one of the top cyberattack methods.
A summary of conclusions:
· Social engineering attacks are often effective and extremely lucrative for cybercriminals.
· Eighty-three percent of breaches involved external actors, and the primary motivation for attacks continues to be overwhelmingly financially driven.
· The three primary ways attackers access an organization’s data are: stolen credentials, phishing and exploitation of vulnerabilities.
Humans: The Weak Link
The human element still makes up the overwhelming majority of incidents, according to the DBIR, mostly via error, privilege misuse, use of stolen credentials or social engineering. It is a factor in 74% of total breaches, even as enterprises continue to safeguard critical infrastructure and increase training on cybersecurity protocols.
The report noted social engineering is a common way for cybercriminals to exploit human nature. Such as manipulating an organization's sensitive information through tactics like phishing, in which a hacker convinces the user into clicking on a malicious link or attachment.
“Senior leadership represents a growing cybersecurity threat for many organizations,” said Chris Novak, managing director of cybersecurity consulting at Verizon Business. “Not only do they possess an organization’s most sensitive information, they are often among the least protected, as many organizations make security protocol exceptions for them.”
Novak added, “With the growth and increasing sophistication of social engineering, organizations must enhance the protection of their senior leadership now to avoid expensive system intrusions.”
Social Engineering and BEC
Like ransomware, the Verizon study disclosed that social engineering is a lucrative tactic for cybercriminals, especially given the rise of techniques used to impersonate enterprise employees for financial gain, an attack known as business email compromise (BEC). Pretexting is a type of social engineering attack that involves circumstances, or a pretext, created by an attacker to bait a target into a vulnerable situation and dupe them into divulging confidential information.
Fraudsters often utilize pretexting by feigning to be a relative or — during BEC attacks or CEO fraud – an executive in need of a cash transfer, the report found. With the growth of BEC, enterprises with distributed workforces face a challenge that takes on greater importance: creating and strictly enforcing human-centric security best practices.
“When responding to social engineering attacks (and the same could be said of most attacks), rapid detection and response is key,” said the 2023 DBIR. “The importance of timely detection is highlighted by the increasing median cost of BECs, which has risen steadily from 2018 and now hovers around the $50,000 mark.”
Safeguards
The report recommended one of the ways that enterprises can help safeguard critical infrastructure is through the adoption and adherence of industry leading protocols and practices. Verizon said it recently became the first nationwide telecom provider to become a participant of Mutually Agreed Norms for Routing Security (MANRS), a global initiative that provides crucial fixes to reduce the most common routing threats attackers exploit.
The report includes a heads-up from Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, who wrote that while some adversaries use advanced tools and techniques, “Most take advantage of unpatched vulnerabilities, poor cyberhygiene or the failure of organizations to implement critical technologies like MFA (multi-factor authentication). Sadly, too few organizations learn how valuable MFA is until they experience a breach.” In addition, she said, "In particular, it's critical that 'high-value targets' like system administrators and software-as-a-service (SaaS) staff use phishing-resistant MFA."
Data contributors to the report included cyber insurer Coalition, ransomware incident response firm Coveware and cybersecurity firm CrowdStrike; computer emergency response teams from the European Union; Malaysia's cybersecurity agency; and the U.S. Secret Service, CISA, and the FBI Internet Crime Complaint Center (IC3).