Skyhigh Security’s Takeaways from Verizon’s 2024 Data Breach Investigations Report

May 21, 2024

By Rodman Ramezanian - Global Cloud Threat Lead, Skyhigh Security

It’s that time of year again! The latest edition of Verizon’s highly acclaimed Data Breach Investigations Report (DBIR) has been released, offering key highlights and valuable insights into the ever-changing threat landscape, the most significant attack vectors, and targeted industries. Consider it the InfoSec industry’s annual report card.

The 2024 edition marks the 17th installment of the report and kicks off with an acknowledgment of the evolving cyber threat environment. Notably, the past year has been particularly active for cybercrime. Verizon analyzed 30,458 real-world security incidents, 10,626 of which were confirmed data breaches—a record high—affecting victims in 94 countries.

If you haven’t yet had a chance to peruse this latest Verizon DBIR report, here are some key takeaways and interesting insights:

• Verizon has revised its classification of the “human element”:
• Previously, the human element encompassed any activity involving a human, such as phishing, business email compromise, and insider threats.
• Now, Verizon focuses specifically on the non-malicious human element.
• Incidents involving a human element no longer include intentional malicious activity, but rather situations where individuals fall victim to social engineering attacks or make errors.
• Verizon has also adjusted its classification of “ransomware”:
• Instead of focusing solely on ransomware, Verizon now groups ransomware with similar “extortion” attacks.
• The main distinction is that in a ransomware attack, the perpetrator encrypts the victim’s data and demands a ransom for its release, while in an extortion attack, the perpetrator steals the data and threatens to make it public unless paid.
• While ransomware incidents have decreased slightly, extortion attacks have risen sharply. Due to their similarities, Verizon now categorizes them under the same umbrella.
• Generative AI is notably absent.
• Verizon observes that despite the buzz surrounding generative AI within the cybersecurity community and the well-known potential for its use by threat actors, there is currently no evidence to suggest it is being employed in any significant manner.
• It suggests that there’s no imminent breakthrough or notable impact on incident response from potential attack-side optimizations. Verizon doesn’t view generative AI as a significant threat unless there are substantial changes.
• Thirty-two percent of breaches involve ransomware or extortion tactics.
• While ransomware incidents have leveled off and slightly decreased after a spike in 2022, extortion cases have sharply increased, leading to a significant overall rise in these types of attacks.
• Ransomware and extortion are among the top three threat actions in 92% of industries and are involved in 62% of financially motivated incidents.
• Sixty-eight percent of breaches are linked to non-malicious human actions.
• Examples include employees being deceived by social engineering attacks or IT configuration errors.
• This represents a slight decrease from last year’s 74%. However, it’s important to note that if malicious incidents were excluded from last year’s data, the percentage would have also been around 68%. Thus, the rate of attacks targeting the human element has remained consistently high.
• The median time for a user to fall for a phishing email is less than 60 seconds.
• After initially falling for the email, users take an average of just 28 seconds to input the requested data.
• Over the past decade, stolen credentials have been involved in 31% of all breaches. This year, they were found in 38% of breaches.

Despite a decrease in Basic Web Application Attacks compared to social engineering and error-based attacks, stolen credentials are still involved in 77% of attacks.

What needs to be done?

The saying “humans are the weakest link” is fitting here. Despite strict security measures, humans remain vulnerable to social engineering and errors like system misconfigurations, weak passwords, and accidentally using malicious links or software. Cognitive biases also play a role, leading to overconfidence in threat detection and underestimating attack risks. Verizon’s recent findings highlight these ongoing vulnerabilities.

Adopting principles of Zero Trust is vital for addressing human errors and vulnerabilities, because it continuously verifies every user and device, reducing reliance on inherently trusting internal users. It enforces strict access controls, limits the potential damage from human mistakes or malicious actions, and enriches monitoring to quickly detect and respond to suspicious activities, thereby mitigating risks associated with human behavior.

While it goes without saying these attacks had a significant impact on humans, enterprise data was arguably the biggest victim over the time period covered. Whether data was encrypted and held ransom at the hands of extortionists, lost in phishing attacks (of which there were many), or stolen thanks to legacy VPN technologies being exploited, data loss was one of the most common denominators throughout the entire report.

It serves as another stark reminder of the importance of taking a data-centric approach to security. After all, cybersecurity is fundamentally a data problem. Across the email vectors predominantly targeted in phishing attacks, the cloud assets that hold increasingly more data, and the internal data scattered across enterprise environments, having data consistently identified, classified, and protected wherever it lives and goes is fundamental.

Looking at Verizon’s “Year in review” snapshot, high-profile attacks involving VPN products appeared several times. To quote Verizon themselves, “Anything that adds to your attack surface on the internet can be targeted and potentially be the first foothold for an external threat actor, and as such, the focus should be to try to keep footholds to a minimum.”

This, again, reinforces the ongoing push from industry and security thought-leaders to adopt principles of Zero Trust. Here are a few reasons why:

1. Assumed Trust: VPNs grant broad network access once connected, while Zero Trust continuously verifies user identity and access rights.
2. Access Control: VPNs offer broad access, making it hard to enforce least privilege. Zero Trust ensures strict, granular access to specific resources.
3. Static Security: VPNs depend on a static perimeter, which is less effective for distributed workforces and cloud services. Zero Trust secures each access request, regardless of location.
4. Lateral Movement: VPNs allow easier lateral movement if breached. Zero Trust segments the network and continuously verifies, limiting breaches and attacker movement.

The bottom line

Verizon’s annual Data Breach Investigation Reports are always welcome, as they continue to shine light on globally prevalent threats, risks, and vulnerabilities continuing to plague organizations of all shapes and sizes the world over.

There is always the hope that organizations take heed of these insights to tighten their security regimes. The reality, however, is that many of the more common, recurring themes of phishing, social engineering, and lateral movement attacks continue to appear in quite striking quantities.

As mentioned, we thoroughly encourage taking a data-centric approach to security by focusing on the protection of your data — wherever it’s used, by whichever device, through whatever means of connectivity and collaboration, and from any location. Prioritizing the protection of data will ultimately support organizations in mitigating many of the threats and risks highlighted in Verizon’s reporting.