Now that Verizon’s Data Breach Investigations Report is released and 2021 has come to an end, it’s time to look over the report and analyze its findings. As one of the most comprehensive cybersecurity reports published online, individuals and businesses can use it to anticipate data breaches and take steps to stop them from happening.
That’s what you’ll get out of this guide, which aims to explain the report and what it discovered, all in plain English. From there, we can use that information to explain what you need to know and the changes you need to make if you’re running a business. Naturally, we can’t regurgitate the entire report for you, so we’ve picked out the most important things that you need to know.
To better explain some of the concepts covered on this page, we have included links to supporting material. We can’t cover everything and others have covered related cybersecurity concepts in more detail. Providing references doesn’t just show our information to be accurate, it also gives diligent readers more to read when studying cybersecurity and how to safely conduct business online.
Let’s start by explaining what the report is, for those who are new to it.
- What Is The Annual DBIR Report?
- 2021 DBIR Report
- How Your Business Can Learn From This
- What Steps To Take Next
What Is The Annual DBIR Report?
We need to cover what the DBIR is before we get too deep into its subject matter. Every year, Verizon releases its Data Breach Investigations Report online to the public, mainly so that businesses can use its findings.
As one of the largest telecommunication companies in America and one of the country’s top Internet service providers, they are a perfect source of cybersecurity threat analysis and prevention.
It does this by surveying data security incidents over a year, focusing on data breaches, how they happened, and which precautions can stop them from happening again. It is a great resource for measuring how well (or how poorly) the online world is fending off cybercriminals and unethical hacking practices.
The DBIR was started in 2008 by RISK, Verizon’s ‘Research, Investigations, Solutions, Knowledge’ team. This team, embedded within Verizon’s Enterprise Services division, uses data from the company and many collaborators to reach their findings. We have more on the DBIR contributors below.
The DBIR covers more than just America, however, with 88 countries participating in this year’s report. Taken directly from the start of the 2021 DBIR, here are some important facts that will help you understand the scope of this report:
- The report was formed in collaboration with 83 contributors, ranging from companies like Dell and Kaspersky to government bodies like the FBI’s Internet Crime Complaint Center and the U.S. Secret Service, along with European and Australian authorities.
- Exactly 79,635 incidents were identified and studied during 2021, the year that the report concerns itself with.
- Of those, 29,207 met Verizon’s quality standards to ensure they were working from verified incidents with actionable data. This is done through the VERIS framework – the Vocabulary for Event Recording and Incident Sharing.
- Of those verified, high-quality incident reports, 5,258 of them were confirmed to be data breaches.
The report then goes into detail about these breaches and what happened during them, so that businesses can improve their cybersecurity for the new year. Now that 2022 is upon us, it’s important to take stock of your own online presence.
If you are vulnerable to cybersecurity breaches, whether it’s as an individual or a business owner, then now is the time to take precautions against hacking.
Common vectors of attack include:
- Physical theft of cybersecurity assets
- Denial of service attacks
- Web application attacks
- Point-of-sale intrusions
- Payment card skimmers
- Human or technical error
Before we start looking at the contents of the report, we should clarify three terms. Three terms come up often in the DBIR and are instrumental to the VERIS verification framework, so knowing them is important.
- Action: The tactics used to gain access to and affect data assets. VERIS details seven different threat actions – Error, Environmental, Hacking, Malware, Misuse, Physical, and Social.
These categories cover everything from technical details to social attacks, where a human is manipulated into acting in a hacker’s favor.
- Threat Actor: The threat actor is the person or persons behind a data breach event. In most cases, they are the bad guys that you want to keep out of your data. They can be individual cybercriminals or acting on behalf of other organizations/nations.
- Variety: Further breaking down actions or threat actors into specific sub-types, such as identifying how an action occurred or whether a threat actor belongs to certain groups.
The DBIR’s own example explains that hacking is a very broad action – it can be broken down into subcategories like brute-forcing passwords specific code injection techniques.
2021 DBIR Report
Now that we understand more about the DBIR, we can start breaking down this report to find the most relevant conclusions for the average person.
Data Breaches Have Increased
One of the main findings of this year’s DBIR is that from 2020 to 2021, the number of data breaches has increased.
In 2020, 3,950 data breaches were verified using Verizon’s own VERIS framework. As we have already covered, 2021 had 5,258 verified data breach cases. That makes for a difference of 1,038 incidents over the last year.
This shows an increasing trend in cybersecurity attacks, which isn’t surprising in an increasingly digital world where everybody can access the Internet. We create and store more data than ever before, so there will be more people who wish to access that data for personal gain.
There is also a difference between the 2020 and 2021 report and how it is classified. Ransomware was separated from data breaches in the 2020 report but ransomware attacks that facilitate data exfiltration (read: data theft) are now counted as data breaches.
They are also on the rise, making the upward trend of data breaches stronger.
With data exfiltration capabilities, ransomware can hit all three parts of the CIA triad:
Confidentiality dictates who has access to which information or data assets. All private data should be granted on a need-to-know basis so that data available to some isn’t accessible by others. Data classification policy is key to preventing it from falling into the wrong hands.
Assets need to be properly classified so that they aren’t allocated to people who don’t need them. At best, it would be an embarrassing mistake. At worst, you’ve given sensitive data to people who will sell it or use it to harm your business.
Naturally, the more critical data is available to the fewest people and should be the hardest to acquire.
Confidentiality is supported by systems that identify, authenticate, and authorize the access and removal of data by the individuals that have access to it. Unfortunately, ransomware can force users to hand that data over.
Integrity is needed to make sure that information isn’t tampered with, which most often happens when it gets moved around. Where data is stored, it needs to be protected through access controls outlined under confidentiality and there should be clear procedures for securely storing or moving data.
One of the most popular ways to secure data is through hashes. One-way hashes assign a hash to data before transit, which is sent along with the contents of the message. Then, with the recipient, their own hash must match the hash of the incoming message to verify its integrity.
Availability is another target to hackers, most commonly in the case of distributed-denial-of-service attacks, called DDoS. These attacks can limit service or an organization’s ability to carry out its work.
In worse cases, they can knock out systems and allow the hacker to compromise the confidentiality or integrity of data more easily.
Natural occurrences can also create availability weaknesses, such as natural disasters, and they can then be exploited by cybercriminals. That’s why fault-tolerant systems that will work through disasters and other distractions are so important.
To maintain availability, many places use hot, warm, and cold backup sites. Hot sites are where business can be conducted with the ability to immediately recover from disaster and other availability disruptions.
Cold sites are spaces that are empty but the infrastructure can be added after disruption, turning it into a hot site. Naturally, warm sites are somewhere in-between, being kitted out but still requiring preparation for a switchover.
Report Impact Analysis
So, the number of data breaches has increased due to how the report is compiled and the realities of an increasingly technological population. The number of data breaches doesn’t communicate their impact, however, and that’s why this year’s DBIR added a section on how the incidents impacted organizations.
To gauge the impact that cybercrime incidents had on businesses, data from the FBI Internet Criminal Complaint Center was used (abbreviated to FBI IC3). In the report, incidents are broken up into three distinct categories:
- Business Email Compromise (BEC)
- Computer Data Breach (CDB)
Fortunately, many incidents in each category did not result in any financial loss for the organizations involved. For BEC incidents, 42% of compromises did not lose money, making it the most impacted field.
CDB and ransomware incidents were much less expensive, with 76% and 90% of incidents managing to protect financial assets, respectively.
It should be noted that losses weren’t consistent due to the nature of unethical for-profit hacking. It turns out that even criminals have good business sense since they don’t ask for too much.
If a smaller company is compromised, the cybercriminals typically ask for less. If a larger company is compromised, the cybercriminals ask for way more because they know the organization can foot the bill.
Here’s a rundown of how much money was lost in 95% of each type of data breach incident:
|Incident Type||Median Loss||Range Of Loss|
|Business Email Compromise (BEC)||$30,000||$250 – $985,000|
|Computer Data Breach (CDB)||$30,000||$148 – $1,600,000|
|Ransomware||$11,150||$70 – $1,200,000|
This seems to indicate that organizations are refusing to pay in ransomware cases, which is why 90% of incidents don’t result in money loss and the median money loss is less than BEC and CDB cases. We don’t blame them – there is no guarantee they’ll get the data back.
Side note: some of the data is based on individual cases too and, while the scope of the DBIR is very broad, it isn’t detailed enough to distinguish between the two. It is also possible that larger ransoms may have been underreported, either to save face or because it would put the organization at risk of bad PR.
The impact of these incidents is often mitigated by the RAT, the Recovery Asset Team belonging to the FBI IC3. This team specializes in freezing and recovering lost funds after a data breach has been identified.
Thanks to the RAT, 99% of US-based BECs either recovered the cash or at least froze it, stopping the hackers from profiting.
There are other costs associated with data breaches besides what may be stolen. In most cases, digital forensic work is required to figure out what happened and find who is responsible.
If the organization discovers who was responsible or has patrons that have been harmed by the breach, they’ll also require legal counsel. Those services don’t come cheap!
Based on data from cyber insurance claims, 50% of incidents don’t rack up any forensic costs. Where those costs were present, 95% of costs fell between $2,400 and $336,500.
As for legal costs, 36% of incidents didn’t require any. Of the ones that did have costs, 95% of the legal bills fell between $800 and $54,000.
Insurance data may be biased if the plan covers forensics but does not cover legal costs. It is also impossible and impractical to fully analyze the insurance situation for every case that passes the VERIS framework.
Next, let’s go to the stock market to see what the DBIR says about company market performance after a reported data breach. Breached companies on the NASDAQ underperformed by approximately 5% for the six months after the incident.
With that said, 95% of companies ranged from 48% underperforming to 39% overperforming, so it really depends on the company and the investor base behind them.
Lastly, as we hinted at above, there is a reputation cost to suffering from a data breach that gets widely reported. If the organization handles the data of customers and clients, a serious data breach can be devastating for business.
Most Breaches Are Human
Most breaches are human – what do we mean by this?
The DBIR found that 85% of breaches involved a human element that commenced, facilitated, or executed data breach incidents. That shouldn’t be surprising, given that we are talking about people stealing other people’s data, but some assume that lines of code do the heavy lifting more than human beings.
30% of data breaches involved the use of social engineering to manipulate people. Such manipulation is typically based on tricking the target into disclosing information that gives attackers access to data, like figuring out somebody’s password by looking at their hobbies and how they live their life, to give a rudimentary example.
Phishing is a popular method among cybercriminals. The click rate of these emails, where an employee mistakes the email as legitimate, varies significantly. The median click rate is 3% but it can be much higher in unprepared companies with untrained employees. The quality of the email is also important, the DBIR found.
It’s much easier to target and simulate a user’s credentials than breaking into the system with a hack. The gathering and selling of stolen password information is a lucrative business – one that allows hackers to obtain credentials and log into systems where they shouldn’t be.
This often slips through security because, to the system, they appear to be an authorized employee.
Remote Work Increased Cyber Incidents
Over the last two years, we have witnessed unprecedented changes to the world in the wake of the COVID-19 pandemic. Part of this was the push for employees to work from home to limit viral spread.
In doing this, organizations leaned on digital systems more and employees were largely responsible for keeping their own devices safe from being compromised.
Having mentioned phishing above, many phishing campaigns used the pandemic by mimicking government or medical institutions. Data and assets stored in the cloud (like AWS) became more of a target than on-premises devices, too.
On page 47, the DBIR explains that they expected to see an increase in misuse from home as a cause for data breaches. This was most common in the medical field but the increase didn’t show remote access as a vector for data breaches.
It may have been left out as a consideration by the contributors reporting breaches since not all organizations will know if an employee’s device has been compromised.
The Most Targeted Data
Also on page 47, we are introduced to a breakdown of the most targeted data types. There are eight data types identified in the DBIR:
These are ordered in how targeted they were, too. Personal data was the most targeted in privilege misuse cases, to the tune of over 60%. From there, medical information counted for approximately 30% of targeted data, and it has probably become easier to access for hackers throughout the pandemic.
Payment and credential details were the least targeted, orbiting 5%, but it should be noted that this data is the most secure. These numbers are also for misuse breaches, which are underrepresented for hacks targeting payment and credential information.
If an operation is sophisticated enough to target payment systems, it’s beyond relying on somebody misusing their access privileges. Most cybercrimes are financially motivated – it’s much more likely that a crook wants your credit card information instead of a foreign government spying on you.
The Most Targeted Industries
The DBIR also highlights which industries suffered from the most cybersecurity incidents over the year. On page 65 of the report, they have included a table that details many industries and the number of incidents/breaches that took place, along with their size.
Ignoring categories like “Unknown” and “Other Services” that don’t really tell us much, the most targeted industry was Entertainment at 7,065 incidents verified under the VERIS framework.
6 small companies and 1 large company were registered, with the other 7,058 being unknown in how small or large the organizations were.
Here is a rundown of the top five most targeted industries, by reported incidents:
- Entertainment – 7,065
- Public – 3,236
- Information – 2,935
- Professional – 1,892
- Education – 1,332
The Most Breached Industries
In that same table, the DBIR details how many breaches occurred. Cybersecurity incidents and data breaches aren’t the same occurrences, so it’s important to make the distinction between the two. While the entertainment industry was the victim of the most cybersecurity incidents, it only suffered 109 data breaches.
Here are the top five most breached industries:
- Public – 885
- Professional – 630
- Healthcare – 472
- Finance – 467
- Information – 381
How Your Business Can Learn From This
So, that’s the rundown on Verizon’s latest Data Breach Investigations Report, or at least the most important parts for business owners right now. They cover a lot in their report, as you can imagine, so consider checking out the report for more details.
For now, it’s time to figure out how your business can learn from this report.
Here are some suggestions that can help curtail many of the issues we have covered above.
- First, our briefing of the report should help you think like a cybercriminal. Analyze your organization as if you were a hacker looking for soft spots. If you identify delicate areas, you should put more security in place.
- Build your cybersecurity apparatus to be person-based, heading off errors and misuse. Employees should be trained to handle data with care, especially those with special access privileges.
- Keep the CIA triad in mind when investing in cybersecurity. Your data should be protected by systems that encourage confidentiality, integrity, and availability.
- Invest in the cloud – it seems to be the future of data storage because of its portability and convenience. Unfortunately, this also makes it ripe for cyberattacks as the data can be remotely accessed from isolated work-from-home employees and unsecured Internet connections.
- Limit those work-from-home opportunities, if feasible. This is especially important for those who have special access privileges.
- If your business ever suffers from a cyberattack, you should report it ASAP. This gives the best chances of stopping the hack and recovering any lost data or funds. Otherwise, you can end up losing money in the hack and spending more on digital forensic, recovery, and other legal costs.
- Set aside a war chest for dealing with costs from a cyberattack, if it’s a big concern. This can be a few hundred dollars or a few hundred thousand, depending on the size of your operation.
Along with doing these things, you should re-evaluate your business from the ground up. This involves creating a stringent access management system that makes sure only trusted individuals who take data security seriously have access.
Third-party access should be heavily monitored and restricted for data that cybercriminals would kill to get a hold of.
Similarly, shared credentials should be reviewed often and separated if any of the people with access to them leave the organization. As we alluded to already, cloud storage should be secured if that’s what your company is using, too.
Once access security has been improved, you should also review any applications and APIs that your organization uses. These often come with flaws, exploitations, and backdoor hatches that the more sophisticated cybercriminals can use to gain access to certain data.
Remember that even some of the more popular applications can be compromised.
What Steps To Take Next
Maybe you already have most of the above suggestions covered and you’re looking for something more actionable. If that’s the case, let’s finish off this report analysis with some of the steps you can take next to beef up your organization’s cybersecurity.
Get A Firewall
Getting a firewall is one of the most popular ways to secure IT infrastructure. If you weren’t aware of them (or are but don’t know what they do) they manage your network and its connection with the wider Internet. Think of it as a pool walled off from the ocean, so nothing from the outside can come in.
Any threat actor with an Internet connection can hack you, theoretically speaking. With a firewall, you can stop unverified users from getting into your organization’s network and accessing its devices. While regular network penetration testing is the security standard, a good firewall is the first step for new businesses.
Nowadays, having a firewall is essential for companies that do business online and store data on devices that are online-capable.
They work for both individuals and entire organizations. In fact, there’s every chance you have a firewall on your desktop computer at home, right now. If it’s good enough for our personal computers, there’s no reason not to get one for your organization.
There is a problem here, however. Most personal-use firewalls can be acquired for free but, for a sophisticated firewall that covers multiple devices, you may need to pay.
Re-read our section on the potential costs of experiencing a data breach and decide if it’s worth the cost – in most cases, it absolutely is. Once acquired, it needs to stay activated and updated.
Get Cybersecurity Help
Since you’re here, you are probably not a cybersecurity expert. Fortunately for you, there are many cybersecurity experts out there who can help. While most of them will charge for their services, a cybersecurity expert can test your network, mobile apps and APIs and scan for vulnerabilities.
There is a community of cybersecurity experts who get paid to break into businesses, test out their systems, and identify flaws in them. Getting a cybersecurity professional to look around your business is invaluable. They can give you relevant, specific help to keep your organization’s data secure.
They can also provide literature or in-person training to employees, guaranteeing that they act responsibly with the data that has been entrusted to them. As always, risk-based threat management dictates that the more important team members with the most data access need to be taught this more than the average worker.
If you have the funds, you can even use trusted and verified cybersecurity vendors to outsource your data protection. The good news is that these are pros who know what they are doing. The bad news is that your data is in their hands, which could be lost if the cybersecurity providers are themselves breached.
With that, we come to the end of our analysis of the Data Breach Investigations Report. This 2021 report was an important one, coming after two years of a pandemic. While the 2020 report was limited, the 2021 report benefits from the ability to track how cybersecurity has changed across 2019, 2020, and now 2021.
We hope that you’ve found the information here valuable. It can be difficult to crack the DBIR and, even if you can, not everybody has the time to sit around and read a 104-page report (not including appendices!)
By reading and understanding how data breaches have occurred in this past year, along with where they occurred and how you should be able to fend them off more effectively. Most data protection is risk-based, meaning you cover the most likely targets first and work backward from there.
You should keep that in mind when taking steps to bolster your security when online.
Even then, remember that with statistics, you and your organization can always be the outlier. Knowing the lay of the land is invaluable for business owners in the digital age.
After reading this page, you should be better equipped to keep your data safe and stop would-be cybercriminals at the threshold. That is, until next year’s report, where we’ll see how much the cybersecurity landscape has changed.