Good bit of analysis by my friends at IT Governance. TL;DR – It’s all about the money…:
Contrary to what you might have heard, cyber criminals pose a much bigger threat to organisations than employees.
This is the stand-out finding in Verizon’s 2020 Data Breach Investigations Report, debunking speculation that internal actors should now be organisations’ top priority.
The confusion perhaps stems from the fact that incidents involving malicious or negligent insiders have doubled in the past year – from 424 to 881.
However, Verizon believes this is largely because organisations are doing a better job reporting such incidents.
Even with more rigorous reporting, the report found that 70% of security incidents were caused by external actors. These are most likely to be organised crime gangs, although some sectors are also likely to be targeted by state-sponsored attackers.
Attackers are financially motivated
Verizon found that, across both internal and external threat actors, attacks are primarily motivated by financial gain, with 86% of attacks resulting in fraud or information being sold on the dark web.
By contrast, two of the other commonly discussed motives for attacks – revenge and politics – accounted for an almost negligible number of incidents. These are so rare that information is more likely to be breached as a by-product of another attack.
So how exactly do criminals turn their attacks into profit? Two-thirds of incidents were the result of employee error – most likely a case of scammers tricking recipients into clicking a link in a phishing email.
Web applications are another frequent target, with cyber criminals exploiting vulnerabilities that are often caused by employees failing to secure systems. These types of attack occurred in 43% of breaches, more than double last year's figure.
Meanwhile, there was a significant decrease in malware attacks, which for some may come as a major surprise. Malware has historically been practically synonymous with cyber crime, because it is traditionally the most effective way for criminals to compromise an organisation’s systems.
However, Verizon notes that – at least when it comes to less sophisticated attacks – malware tools are no longer necessary when you can get people to hand over their information with a well-crafted phishing email.