Now in its 11th year, the Verizon 2018 Data Breach Investigations Report is one of the most comprehensive of the annual reports, including analysis on 53,308 incidents and 2,216 breaches from 65 countries.
Peruse the seminal Verizon Data Breach Investigations Report (DBIR) and you’ll quickly realize that this is no dry tome. Twitter user @cjbeckner rightly points out, “As in past years, there is clearly an aspiring comedy writer or two on the 2018 Verizon #DBIR @VZDBIR writing team.” They coaxed a chuckle from me with their opening salvo on ransomware, “If you are perusing this fine report and have not heard about ransomware, let us be the first to say, ‘Congratulations on being unfrozen from that glacier!’”
Ransomware: We Told You So
Who can resist the chance to say, “I told you so?” Apparently not even the funny folks at Verizon, whose CyberTrends conference unveiling of the DBIR indulged in a little back-patting on a slide announcing ransomware as the most prevalent form of malware: “We hate being right – back in 2013 we said: ‘[This may] blossom as an effective tool of choice for online criminals.’” They weren’t wrong.
Ransomware is on the rise: Verizon’s report confirms it doubled again this year after doubling last year. Found in 39% of all malware-related breaches, ransomware accounts for 85% of all malware seen in healthcare, and it continues to make media headlines, with the City of Atlanta among the latest victims of this attack method.
Verizon explains the sharp uptick: “It’s easy to deploy” and “there’s little risk or cost involved and there’s no need to monetize stolen data.” With 76% of breaches being financially motivated, ransomware provides a way for cybercriminals to extract money quickly by encrypting a file server or a database and taking an organization offline.
The report is quick to point out that while most cybercrime is money motivated, that doesn’t mean only billion-dollar firms are at risk; 58% of breach victims were small businesses.
Most attacks are opportunistic and target not the wealthy or famous, but the unprepared.
No Hot Stoves Here
One of the more striking stats Verizon shares is how susceptible certain individuals are to phishing. Unfortunately, phishing is not like a hot stove: people who are burned by clicking on a phishing email don’t learn not to touch, and will keep clicking on phishing emails again and again. “Incredibly, the more phishing emails someone has clicked, the more likely they are to do so again.”
So while “78% of people don’t click a single phish all year,” the report suggests that part of an overall anti-phishing strategy could be to try to “find those 4% of people who will click” on almost any scheme ahead of time, and to reach them before a real attacker does.
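The DBIR only reports the aggregate numbers; finding your own repeat clickers means running the same kind of analysis over your phishing-simulation results. The script below is an added example, not code from Verizon or the DBIR. It assumes a simple log of (campaign, user, action) records, which is a constructed format, and the sample records are made up for illustration. It computes the share of users who never clicked, the click rate in the next campaign conditioned on whether a user clicked in the previous one (the “more likely to do so again” effect), and the short list of repeat clickers worth targeted training. Users who joined or left between campaigns are excluded from the conditional denominators rather than silently counted as non-clickers.

```python
"""Find repeat clickers in phishing-simulation results.

Added example, not code from the DBIR or its authors. The record
format (campaign, user, action) and the sample data are constructed.
"""
from collections import defaultdict

# Constructed sample log: one record per targeted user per campaign.
# Actions: "clicked" (followed the lure link), "reported", "ignored".
# Note that erin joins at 2018-Q3 and dave is gone by 2018-Q4.
SIMULATION_LOG = [
    ("2018-Q1", "alice", "reported"),
    ("2018-Q1", "bob", "clicked"),
    ("2018-Q1", "carol", "ignored"),
    ("2018-Q1", "dave", "clicked"),
    ("2018-Q2", "alice", "ignored"),
    ("2018-Q2", "bob", "clicked"),
    ("2018-Q2", "carol", "ignored"),
    ("2018-Q2", "dave", "ignored"),
    ("2018-Q3", "alice", "reported"),
    ("2018-Q3", "bob", "clicked"),
    ("2018-Q3", "carol", "clicked"),
    ("2018-Q3", "dave", "ignored"),
    ("2018-Q3", "erin", "clicked"),
    ("2018-Q4", "alice", "ignored"),
    ("2018-Q4", "bob", "ignored"),
    ("2018-Q4", "carol", "ignored"),
    ("2018-Q4", "erin", "ignored"),
]


def by_campaign(log):
    """Group records into {campaign: {user: action}}, preserving the
    order in which campaigns first appear in the log."""
    campaigns = {}
    for campaign, user, action in log:
        campaigns.setdefault(campaign, {})[user] = action
    return campaigns


def clicks_per_user(log):
    """Number of campaigns in which each targeted user clicked."""
    counts = defaultdict(int)
    for _, user, action in log:
        counts[user] += 1 if action == "clicked" else 0
    return dict(counts)


def never_clicked_share(log):
    """Fraction of targeted users with zero clicks across all campaigns
    (the analogue of the report's '78% don't click a single phish')."""
    counts = clicks_per_user(log)
    if not counts:
        return 0.0
    return sum(1 for c in counts.values() if c == 0) / len(counts)


def conditional_click_rates(log):
    """Click rate in campaign N+1 given the user's action in campaign N.

    Returns (rate_after_click, rate_after_no_click). Only users targeted
    in both consecutive campaigns count, so joiners and leavers do not
    skew the denominators.
    """
    ordered = list(by_campaign(log).values())
    hits = {True: 0, False: 0}
    total = {True: 0, False: 0}
    for prev, nxt in zip(ordered, ordered[1:]):
        for user, action in prev.items():
            if user not in nxt:
                continue  # not targeted next time: no observation
            clicked_before = action == "clicked"
            total[clicked_before] += 1
            hits[clicked_before] += int(nxt[user] == "clicked")

    def rate(key):
        return hits[key] / total[key] if total[key] else 0.0

    return rate(True), rate(False)


def priority_users(log, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: the small
    group to coach before the next real phish arrives."""
    counts = clicks_per_user(log)
    return sorted(u for u, c in counts.items() if c >= min_clicks)


if __name__ == "__main__":
    after_click, after_no_click = conditional_click_rates(SIMULATION_LOG)
    print(f"never clicked: {never_clicked_share(SIMULATION_LOG):.0%}")
    print(f"click rate after a prior click: {after_click:.0%}, "
          f"after no prior click: {after_no_click:.0%}")
    print("repeat clickers:", priority_users(SIMULATION_LOG))
```

On the constructed data, a user who clicked in one campaign clicks in the next one a third of the time, against one in six for users who did not, and bob is the only user who clicked in two or more campaigns. With real simulation exports the same functions apply unchanged; the point of the conditional rate is that it tells you whether your own population shows the repeat-clicker effect the report describes, and the priority list tells you who to spend training time on.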
In what may be old news, the Verizon data demonstrates the significant gap between the time hackers take to compromise a system and the amount of time it takes for organizations to discover the breach. Most compromises (87%) took minutes or less to occur, yet only 3% were discovered as quickly. The majority of compromises (68%) went undiscovered for months.
With most threats a company is likely to face continuing to fall into one of the nine incident patterns Verizon identified back in 2014, it seems we should be gaining ground on the attackers. Unfortunately, the report notes that too often companies make it easy for the hackers, leaving software unpatched and virus definitions out of date. The report goes on to provide industry-specific insights on these incident patterns to help readers apply its findings to their own environment and take action.
Don’t Treat the Appendix as an Afterthought
If you’re time constrained, the Executive Summary will certainly give you this year’s highlights, but seasoned readers know some of the most insightful pieces are in the Appendix of the 68-page report.
Like this cool visualization in Appendix C comparing how often one- and two-step event test scenarios are blocked. Or the trip down memory lane in Appendix D’s Year in Review.
Enjoy reading this granddaddy of cyber reports, and remember its release signals the run-up to RSA. Don't have time to read the entire report? Check out this panel discussion with highlights.