Verizon Enterprise has again released its annual Data Breach Investigations Report (DBIR). The publication does not disappoint in providing crucial insight into today's digital threats. On the one hand, Verizon's 2019 report describes how many forces in the threat landscape have remained the same since the previous report. The study noted, for example, how sending data to incorrect recipients is still a problem for many organizations and how financial gain remains the most common motive for data breaches.
On the other hand, the analysis shows how the landscape with digital threats is always changing. This year's report embodies such a dynamic by adding a new subset of data related to financial attacks and by revealing a reduction in card violations with point-of-sale (POS) environments and card skimming operations. We will review these developments below.
Introduction of FMSE
For the 2019 DBIR, Verizon Enterprise investigators analyzed 41,686 security incidents, of which 2,013 confirmed data breaches. This investigation revealed 370 financially motivated incidents that caused a data breach or fraudulent action in 248 cases. These events, primarily involving web application attacks, include social actions, including financially motivated phishing and pretenses, but they do not include malware installation or employee abuse.
To properly handle these attacks, Verizon Enterprise has created a new subset of data, namely financially motivated social engineering (FMSE). These operations, which are also included in the main body of the report, focused primarily on theft of login credentials and tricking people to transfer money to fraudulent accounts. Such FMSE incidents affected all industries, but they were disproportionately focused on Professional Services, Healthcare and Finance organizations.
The decrease in violations made by the card
One of the most important changes Verizon Enterprise uncovered in its 2019 DBIR was the reduction of card breaches, including POS environments and card skimming operations. Digital criminals instead shifted their efforts to target payment cards by jeopardizing e-commerce applications. Indeed, most data breaches regarding exposed payment cards related to web servers in one way or another.
This trend was visible in some of the industries analyzed by Verizon. Let us look at two in particular: accommodation and food services, as well as retail.
Accommodation and Food Services
The housing and food services sector has reported 87 incidents, 67 of which were confirmed data leaks during the Verizon Enterprise reporting window. Forty of those attacks were aimed at POS environments. That is almost half the total number of incidents reported in this report for this industry, but still considerably less than the 307 POS events analyzed in the 2018 DBIR.
Verizon Enterprise does not believe that this is necessarily a shift in focus. Instead, it believes it could easily reflect how digital criminals have not been attacked against cashier environments in the past year. As it states in this year's report:
POS infringements are often committed by organized criminal groups that want to break through different targets and there have been hundreds of victims of the same hack group. Standard references were used with great success in 2011, as evidenced by more than 400 breaches, and recent speeches were associated with POS suppliers who suffered breaches that led to subsequent violations of their customer base.
The provider of enterprise technology solutions also revealed how news of a publicly disclosed violation of POS suppliers occurred to multiple victims of food services after the 2019 reporting screen was closed. This shows how POS attacks are still a threatening force for organizations.
Something similar happened in the retail trade, a sector that reported 234 incidents (of which there were 139 data breaches). Indeed, web application attacks largely replaced the intrusions of the POS, reflecting the decline in POS-related breaches and the skimming of the payment card. It is unclear why this type of infringement has decreased, but perhaps the widespread acceptance of EMF has contributed to reducing the value proposition of card presentation fraud for bad actors. In response, digital attackers have focused their efforts on compromising store applications 'web applications and installing code designed to capture their customers' payment card details.
The Breach Timeline at a glance
Despite the new developments discussed above, Verizon's 2019 confirmed that there is still one discouraging trend: the time to compromise remains the time to discover. More specifically, while digital attackers usually spend just a few minutes from the start of their first action until the moment they endanger an item, it can take organizations months to find the compromise depending on the nature of the attack.
Mitchell Jukanovich, vice president of federal at Tripwire, believes that organizations should recognize this reality by focusing on their users:
The key to reducing aggressive social engineering campaigns as well as malware attacks is on a human level – cyber training and education. It may sound elemental, but a solid cyber training and education program can reduce risk exposure to an agency, department or branch. This year's DBIR reinforces the need for agencies to have a cyber response plan and to practice implementing it.
Organizations must take their defense measures even further with a two-pronged approach recommended by Verizon Enterprise in its 2019 DBIR. First, they must discover which data types they have. Secondly, they need to use that knowledge to implement correct security measures, such as vulnerability management and monitoring file integrity.
For more information about how organizations can effectively defend themselves against data breaches, download a copy of the 2019 DBIR from Verizon here.