Verizon’s Data Breach Investigations Report (DBIR) enters its 17th year of publication for 2024. The report provides valuable yearly insights into data breach incidents that can help you understand emerging cyber threats, vulnerabilities and the evolving strategies of malicious actors. Here’s a look at the highlights of the Verizon 2024 DBIR.
One of the main data points that jumps out from the report is the three-fold increase in vulnerability exploitation as a pivotal path for initiating analyzed data breaches (there were 10,000 breaches included in the study). This finding aligns with Nuspire’s Q1 2024 Threat Landscape Report, which found a 52% increase in attempted exploits.
The explanation, of course, partly lies in high-profile, far-reaching incidents like the MOVEit zero-day vulnerability, which affected over 2,000 organizations around the world. But does this increase reflect a more widespread change in hacker tactics, or is it just an anomaly driven by MOVEit? Delving back into our own threat report, we saw massive increases in attempts against vulnerabilities like Hikvision’s camera systems and Wind River’s VxWorks.
The trend appears to be that hackers increasingly look for vulnerabilities in software as entry points into organizations’ networks. Usually, this software comes in the form of public-facing web apps that can be hacked into using just an internet connection. Expect to see much more threat actor activity around scanning for and exploiting vulnerabilities. In fact, Verizon goes as far as to say that the DBIR is entering its “Vulnerability Era,” so now is a better time than ever to get on top of patch management.
While it’s helpful to look for new findings and alterations in threat dynamics, sometimes you can draw useful lessons from repeating patterns. That’s why it’s important to point out that the human element continues to play an outsized role in breaches—the 2024 DBIR found the human element was involved in 68% of breaches, which is a similar figure to previous years.
The most recent report slightly changes the definition of the human element metric so that it reflects only honest mistakes, rather than also including malicious actions by insiders. It’s clear, though, that the continued prominence of errors and mishaps in data breaches shows cyber training and awareness isn’t where it should be.
Companies need to implement continuous and evolving training programs that adapt to new threats and tactics used by cybercriminals. This includes regular phishing simulations, updates on the latest social engineering techniques and real-time awareness sessions. Beyond training, there should be a focus on fostering a security-first culture at your business. This involves encouraging employees to think critically about security in their daily tasks and promoting a mindset where everybody sees cybersecurity as a shared responsibility.
The 2024 DBIR lumps together both ransomware and extortion, which makes sense given that many ransomware actors now focus on stealing data and demanding ransoms without even bothering to install ransomware strains and lock down systems. Our threat report from Q1 found LockBit and CL0P to be the top ransomware operators, and exploits of public-facing apps were some of the main initial access vectors. Together, ransomware and extortion comprised almost one-third of the DBIR’s 10,000 analyzed breaches.
Shifting toward extortion-only attacks leverages the threat of data exposure to exert pressure on victims, which can be equally, if not more, damaging than file encryption. This increases the chances of landing a payday and arguably makes ransomware actors more efficient in their operations. There’s a clear need to place a strong emphasis on data protection measures like encryption and data loss prevention to reduce risks from pure extortion attacks.
The continued threat posed by ransomware gangs and operators of RaaS business models affects pretty much every industry. The 2024 DBIR highlighted ransomware as a top threat across 92% of industries. Nuspire’s Q1 threat report noted a surge in ransomware attacks targeting the manufacturing sector. This industry faces unique challenges in ransomware defense because manufacturers are lucrative targets with complex information technology (IT) and operational technology (OT) systems.
The 2024 DBIR defines third-party involvement in breaches as incidents where a business partner was the vector of entry for the breach or where the data compromise happened at a third-party data processor. This broad definition ensures that the metric captures cases where software development processes are hijacked and malicious software updates are pushed to customers. Overall, the third-party metric accounted for 15% of data breach risk exposure.
To better manage third-party risks, there’s a clear need to strengthen how you assess and evaluate vendors/suppliers from a cybersecurity perspective. This includes opting for companies that use secure-by-design principles when creating applications that you want to use in your business operations.
There are many more useful insights to take away from the full 2024 DBIR. Perhaps the most notable finding is that the report’s own authors now see data breaches as entering a Vulnerability Era. With hackers constantly prowling for weaknesses in your apps, getting on top of vulnerability management can reduce the risk of data breaches significantly.
At Nuspire, we know patch management is a challenge for most companies. Our vulnerability management service detects and classifies all your networked assets (because vulnerabilities are often exploited in software you didn’t even know you were running). We’ll also identify vulnerable assets regularly and help you know what to fix first with vulnerability scoring.