Highlights from the May 25 HBK Risk Advisory Services webinar featuring William J. Heaven, CPA/CITP, CISA, CSCP; Senior Director, IT.
This year marks the 15th consecutive year Verizon has released the Data Breach Investigations Report (DBIR). The 2022 report was released May 24, 2022.
Types of breaches include: (chart shown in the webinar; not reproduced here)
Most common types of breaches by industry sector: (chart shown in the webinar; not reproduced here)
Most common incidents by industry sector: (chart shown in the webinar; not reproduced here)
The DBIR is important because the more you know about the cyber threats you face, the better your chances of keeping your data secure. Whether a given organization will be attacked is unpredictable, but the report shows which patterns are most likely in your sector. It also gives you a common language (the VERIS framework the report is built on) and helps you report incidents consistently. It also provides links to other useful databases.
You can get the Verizon DBIR at verizon.com/dbir: the full report, which is 108 pages, or an executive summary, which is 20 pages. You can view the report online or download it. The executive summary provides a great deal of information, and you can go to the full report to look deeper into something specific.
Key paths to your data (all of them need to be addressed): (list shown in the webinar; not reproduced here)
Major takeaway from the DBIR: ransomware continued its upward trend. It is now involved in 25 percent of all breaches, a 13 percent increase over the 2021 report, and a rise as large as the previous five years combined.
Supply chain breaches can be a force multiplier: one compromised vendor gives the attacker a path into every customer of that vendor. They accounted for 61 percent of the incidents in this year's report. Vet third-party vendors to ensure they are as secure as possible, and confirm what access they actually have to your environment.
Errors accounted for 14 percent of all breaches and are starting to level out. But humans remain the weakest link in the protection chain: the human element (errors, misuse, stolen credentials, and phishing together) is involved in 82 percent of breaches.
The gap between large and small companies is closing. Payoffs from small companies are not as great, but they are easier targets. Ransomware and phishing are having the biggest impact on small businesses.
Attack pattern summary for selected industries: (chart shown in the webinar; not reproduced here)
Financial gain is the main actor motivation. Threats are coming more from external actors than internal ones, though internal threats are more prominent in healthcare and financial services than in other industries, typically driven by employee curiosity about particular patients or clients.
Every business should do a risk assessment at least annually. The DBIR will help you identify and analyze your risks.
The 18 CIS Critical Security Controls are available free for risk mitigation, and the DBIR provides a prioritized list of controls by industry. Security awareness training is one of the easiest ways to prevent system breaches because it helps create an environment of healthy skepticism. At a minimum: build user awareness, keep tested backups of your data, and patch your vulnerabilities.
The most interesting aspects of the 2022 DBIR are the details on ransomware and the reminder that, as workloads migrate to the cloud, you have to keep an eye on what is going on there as well.