The 2024 Verizon Data Breach Investigations Report: What It Means for Your Business

Date June 26, 2024
Highlights of the June 2024 edition of the HBK Risk Advisory Services webinar series, hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.

For the 17th consecutive year, Verizon has released its annual Data Breach Investigations Report (DBIR), a compilation of data on cybersecurity incidents contributed by partner organizations around the world. The primary purpose of the DBIR, considered a "go-to" resource by many in the cybersecurity field, is to inform organizations about the threats they face and how to protect against them.

Background

  • The 17th annual edition of the Report
    • Released in early May 2024.
    • Covers 20 industries, classified by NAICS code.
    • Also broken out by world region.
    • Seventy-nine contributing organizations (up from 67 in 2023).
    • Examined 30,458 incidents and 10,626 confirmed data breaches (compared to 16,312 incidents and 5,212 confirmed data breaches in 2023).
  • VERIS framework: Vocabulary for Event Recording and Incident Sharing
    • Verizon has used it to classify its data since 2010.
    • Groups incidents into eight patterns across a wide range of industries: basic web application attacks, denial of service, lost and stolen assets, miscellaneous errors, privilege misuse, social engineering, system intrusion, and everything else. Each incident is described by the "4 As": actor (who did it), action (what they did), asset (what they went after), and attribute (which of confidentiality, integrity, or availability of the data was affected).
  • Definitions:
    • Incident: a security event that compromises the confidentiality, integrity, or availability (the CIA triad) of an information asset.
    • Breach: an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party.
    • These definitions matter in practice; cyber insurance applications, for example, ask about incidents and breaches in these terms.
  • The report is built from what has actually happened to other companies around the world and is categorized by industry to help you assess your own risk. Use it alongside a vulnerability database when evaluating your exposure.
  • Find the report via a web search or on the Verizon website at Verizon.com/DBIR.
    • The full version is about 100 pages; this year's executive summary is about 17 pages.
    • Shorter reports on particular industries are also available.

Key Takeaways from 2024 Report

  • Breaches in which exploitation of a vulnerability was the initial way in nearly tripled (up about 180 percent from 2023).
  • Ransomware combined with extortion techniques accounted for 32 percent of breaches.
  • Ransomware is a top threat across 92 percent of industries. (Attackers may dwell in a network for several months, which lets them learn how much the victim can afford to pay.)
  • The human element (including non-malicious errors) was involved in 68 percent of breaches.
  • Errors increased to 28 percent of breaches.
  • Breaches involving a third party were at 15 percent (a 68 percent increase from 2023).
  • The most common breach patterns were system intrusion, then miscellaneous errors, then social engineering.
  • Other interesting takeaways: the pairing of ransomware with extortion, an analysis of how attackers size their ransom demands relative to the victim's revenue (demands ranged from 0.13 to 8.3 percent of revenue), and the escalating role of third-party risk.
  • Financial gain remains the main motive behind attacks.

Why do risk assessment?

  • Everyone should be working to improve their cybersecurity posture.
  • With a limited budget, the first things to fund are security awareness training and vulnerability scanning.
  • Of the five steps in a risk assessment process, the DBIR directly supports two: identifying risks and analyzing them.

Risk Mitigation Recommendations

  • Use the CIS Controls from the Center for Internet Security: cisecurity.org
  • Implementation Groups (IGs) let you adopt the safeguards in stages based on your needs: IG1, the foundational "essential cyber hygiene" set, has 56 safeguards; IG2 adds 74 more (130 in total); IG3, for organizations facing sophisticated threats, adds the final 23 (153 in total).

Top five attacks

  • Malware
  • Ransomware
  • Web application hacking
  • Insider privilege misuse
  • Targeted intrusions

CIS controls to consider:

  • System intrusion and ransomware
    • Email and web browser protections
    • Malware defenses
    • Data recovery
    • Security awareness and skills training
  • Social engineering
    • Account management
    • Access control management
    • Security awareness and skills training
    • Incident response management
  • Errors
    • Data protection
    • Continuous vulnerability management
    • Security awareness and skills training
    • Application software security

You will never be 100 percent protected, but pay attention to the DBIR because:

  • The more you know about the cyber threats you face, the better your chances of keeping your data secure.
  • It helps you decide where to focus your limited attention and budget.
  • The report is interesting as well as valuable.