Watch: What the 2022 Verizon Data Breach Investigations Report Means for Your Business

Date May 25, 2022
Article Authors

Highlights from the May 25 HBK Risk Advisory Services webinar featuring William J. Heaven, CPA/CITP, CISA, CSCP; Senior Director, IT.

This year is 15th consecutive year Verizon has released the DBIR. The 2022 report was released May 24, 2022.

  • Expanded in 2021 to cover 20 industries.
  • Includes 87 contributing organizations wither impacted by breach or had clients impacted by the breach.
  • 2022 report examines 23,896 incidents and 5,212 confirmed data breaches.
  • Types of breaches include:

  • Denial of service: hackers sending large amounts of data to compromise the availability of your networks and systems
  • Lost and stolen assets: information missing through misplacement or malice
  • Miscellaneous events: unintentional actions that compromise a security attribute of an information asset
  • Privilege misuse: unapproved or malicious use of legitimate privileges
  • Social engineering: altering a person’s behavior into taking action of breaching confidentiality; a major issue
  • System intrusion: complex attacks that leverage malware or hacking to achieve objectives including deploying ransomware
  • Web applications: gaining access, stealing data, and moving one
  • Everything else: a catch-all category for incidents that don’t fit in the other categories
  • Terminology:

  • Incident: a security event that compromises, the integrity, confidentiality, or availability of an information asset; not a breach until they take possession of the data
  • Breach: confirmed disclosure of data by an unauthorized party
  • Most common types of breaches by industry sector

  • Financial and insurance: miscellaneous errors, system intrusion and web applications
  • Healthcare: miscellaneous errors, system intrusion and web applications
  • Manufacturing: social engineering, system intrusion and web applications
  • Retail: social engineering, system intrusion and web applications
  • Most common incidents by industry sector:

  • Financial and insurance: miscellaneous errors, system intrusion and web applications
  • Healthcare: miscellaneous errors, social engineering, system intrusion and web applications
  • Manufacturing: social engineering, system intrusion and web applications
  • Retail: social engineering, system intrusion and web applications
  • The DBIR is important because the more you know about the cyber threats you face, the better your chances of keeping your data secure. Whether an organization will be attacked is unpredictable. You also have a common language and helps you to report consistently. Also provides links to other useful databases.

    You can get the Verizon DBIR through Verson.com/dbir: the full report, which is 108 pages, or an executive summary, which is 20 pages. You can view the report online or download it. The executive summary provides a great deal of information, and you can go to the full report to look deeper into something specific.

    Key paths to your data. Need to address all of these:

  • Credential theft: about 50 percent of total attacks
  • Phishing: 18 percent, but often steal credentials by phishing
  • Exploiting vulnerability: 10 percent
  • Botnets: small portion of hacks
  • Major takeaway from DBIR: ransomware continued its upward trend, currently 25 percent of all breaches, a 13 percent increase over 2021, and as many as the previous five years combined.

    Supply chain breaches can be a force multiplier, and were 61 percent of this year’s report incidents. Try to vet third party vendors to ensure they are as secure as possible.

    Errors accounted for 14 percent of all breaches. They are starting to level out. But humans remain weakest link in protection chain. Human element is responsible for 82 percent of breaches.

    The gap between large and small companies is closing. Payoffs are not as great from small companies but easier for hackers. Ransomware and phishing are having the biggest impact on small businesses.

    Attack pattern summary for selected industries:

  • Financial and insurance: miscellaneous errors, social engineering, and web applications
  • Healthcare: miscellaneous errors, system intrusion, and web applications
  • Retail: social engineering, system intrusion, and web applications
  • Financial gain is the main actor motivation. Threats are coming more from external actors than internal, though internal threats are more prominent in healthcare and financial services than other industries due to curiosity about certain individuals who are patients or clients.

    Every business should do a risk assessment at least annually. The DBIR will help you identify and analyze your risks.

    The top 18 CIS controls are available free for risk mitigation. The DBIR provides a priority list of controls by industry. Security awareness training is one of the easiest ways to prevent system breaches to help create an environment of skepticism. Make sure you create user awareness, have data backed up, and patch your vulnerabilities.

    The most interesting aspects of the 2022 DBIR are the details on ransomware and the fact that with migration to the cloud you have to keep an eye on what’s going on there.

    Speak to one of our professionals about your organizational needs

    "*" indicates required fields