Prime Cyber Targets According to the 2022 Verizon DBIR

The Verizon 2022 Data Breach Investigations Report (DBIR) found that, contrary to what many tell us, 75% of breaches result from external parties. Personally identifiable information (PII) and authentication credentials are the most targeted data sources, which are often exploited when organizations send, share, and receive sensitive digital communications.

The report also found, in the event of many attacks, that private data—which often is governed by compliance regulations—was the target of bad actors. Furthermore, humans play a critical role in many of the successful breaches tracked in the report: The cause for 82% can be connected back to stolen credentials, phishing, misuse, or outright error.

The following discussion delves into the connections between these elements and sensitive content communications.

Summary of Data Incident and Breach Findings in the Report

The past year has been extraordinary in many ways when it comes to cyberattacks and was full of well-publicized stories about victims (those who were attacked) as well as the bad actors (those who did the attacking). Organizations across myriad industry sectors—finance, healthcare, energy and utilities, government, manufacturing, life sciences, and others—were impacted by ransomware, supply chain, and other attacks. The supply chain remains in the crosshairs of cybercriminals and rogue nation-states, and for good reason; successful breaches multiply 10-fold, 100-fold, and even 1,000-fold when bad actors gain access to not just the network, applications, and content of the hacked organization, but its downstream supply chain partners.

Credentials, phishing, exploiting vulnerabilities, and botnets are the four paths that are connected to incidents and breaches, according to Verizon’s research. No organization can avoid these four, and any security risk management plan must include these four areas. Credentials, by far, top the list, representing around 50% of total incidents and breaches, followed by phishing at slightly less than 20%, vulnerability exploits at less than 10%, and botnets at less than 1%.

When it comes to attack vectors, Verizon ransomware remained a serious problem in 2022, trending upward by almost 13%—as large an increase as the last five years combined (for a total increase of 25% currently). Malware has been a mainstay of Verizon DBIRs since their inception, and 2022 was no exception, with over 30% of data breaches caused by malware.

In terms of ransomware attack types, stolen credentials and malware were the top concerns. One of the reasons cyberattackers like ransomware is that they do not need to look for specific data types and data of particular value, but rather they simply need to disable critical organization functions by encrypting associated data. As to the types of applications targeted by ransomware, 40% involved desktop sharing software, and another 35% involved email.

Not surprising, in light of all the news from the past year, three-quarters of external breaches happened because attackers exploited a link in the supply chain. At the same time, 62% of incidents involving system intrusion were connected to the supply chain. Finally, while cybercriminals often are motivated by money, nation-state threat actors, in most cases, have different objectives, skipping ransom demands and simply keeping the access instead.

What Bad Actors Are Targeting—Email Servers, Web Applications, and Content Types

The two types of data most often targeted by cybercriminals and rogue nations are credentials and personal data. As credentials can be used to pose as legitimate users on a system or application, they are a favorite data target for malicious actors. They also provide them with stealth; they remain undetected until they attack. Credential theft can have a longtail effect, with hacked credentials remaining on the darknet for extended periods of time—namely, a “gift that keeps on giving.”

Personal data, or personally identifiable information (PII), is a target for external bad actors as well as malicious insiders. For the latter, medical data was taken in 22% of the cases. And with healthcare topping all other industries when it comes to data breaches, this stat makes sense.

Time Required to Discover Vulnerabilities and Data Breaches

The DBIR also investigated the average length of time an attack took before successfully exploiting data. It was a bit of a surprise to discover that many breaches included only a handful of steps. Phishing, downloader, and ransomware were the most frequent attack methods, with five or more different tactics being employed infrequently. Here, attackers seem to gravitate to the tactics they know best and stick with them. Additionally, Verizon found that the more actions an attacker takes, the more opportunities a defender has to respond to, detect, and fix a breach before data is exfiltrated. However, Verizon concurrently notes that the risk is higher, as there are more potential points of vulnerability. In response, cyber risk management should be at the forefront of every organization’s security strategy to maintain sensitive information and prevent vulnerabilities from being exploited.

Web Application and Mail Servers

Web applications are a prime target for cyber-attackers, accounting for around 70% of security incidents. Stolen credentials are a primary means of accessing them (over 80%). Of web application attacks, PII and personal health information (PHI) was front and center; 69% of data breaches involved PII, whereas medical data (which includes PHI) was included 15% of the time.

Next in line when it comes to assets being targeted are mail servers (around 20%). When they are targeted, 80% were compromised with stolen credentials and 30% were compromised using some form of exploit. While this 30% may not seem like an extremely high number, the targeting of mail servers using exploits has increased dramatically since last year, when it accounted for only 3% of the breaches.

Many might think that these types of attacks are largely the work of enterprising criminals spraying the internet looking for weak credentials. However, rogue nation-states use this same approach—it is low cost with a high payoff, with 20% of data breaches being attributed to espionage.

Misconfiguration Errors: PII Is at the Forefront

Misconfiguration accounted for around 10% of data breaches—and employees are the prime culprit. Cloud data is at the forefront of vulnerabilities. This is unsurprising, as cloud deployments are often stood up without appropriate access controls in place. Misdelivery of private data is also a factor, with email going to the wrong recipient in many instances. Finally, PII belonging to customers is most often involved in these data incidents and breaches.

Determining if a security incident resulted in a data breach is actually difficult in 90% of the cases; this is due to the fact that it is difficult to determine where data was compromised. Of the findings in the DBIR, healthcare represents a large share of the organizations with data breaches. The Verizon research team speculates that more stringent compliance regulations for the handling of PHI makes it much more likely that organizations report such incidents.

Importance of Governance Controls and Security for Mitigating Data Breaches

Third-party risk management is an area where organizations need to pay particular attention. A look at top action vectors in the DBIR reveals that third parties (partners) lead the list. Instituting the right governance for security and compliance is critical here. Sensitive content, which includes PII, PHI, financial records, and confidential corporate information, must have the right governance tracking and controls in place.

With that in mind, organizations must control who accesses information, who can collaborate and make changes to it, to whom it can be sent, and over what communication channels and devices it is sent. A failure to do so can create significant third-party risk, with an impact that extends across the supply chain. On this note, in the event of supply chain breaches, secondary breach victims can quickly grow—exponentially ballooning to affect hundreds or thousands of organizations and hundreds of thousands or millions of individuals.

With the Kiteworks platform, organizations can create private content networks, defining and managing security and compliance policies centrally for the digital sharing, sending, and receiving of private information. Governance controls can include who can access that information, who can make changes to it, to whom it can be sent, and more. And employing a defense-in-depth security approach and content-defined zero trust, Kiteworks uses hardened security and key encryption to lock access to private content when it is digitally exchanged, regardless of the communication channel employed—email, file sharing, managed file transfer, web forms, or application programming interfaces (APIs).

Additional Resources

• Report Benchmark Your Sensitive Content Communications Privacy and Compliance
• Blog Evaluating Sensitive Content Communications Through the Lens of Data Breach Costs
• Video Testimonial How a Sales Team Protects Customer IP in Every Digital Exchange
• Blog PostSOC2 Reports
• Blog PostSecure Data Room Services