Across Europe, the Middle East and Africa (EMEA), organisations must up their game when it comes to addressing the human factors leading to data breaches and cyber security incidents, according to telco Verizon, which this week issued a wake-up call in the form of the 17th annual edition of its landmark global Data Breach Investigations Report (DBIR).
In compiling the DBIR, Verizon analysed 8,302 security incidents in the region, of which 72% were confirmed breaches, and found that just under half – 49% – of these originated internally, pointing to a high degree of human error and other slip-ups, such as privilege misuse, prompted by a lack of awareness or training.
Indeed, in confirmed cyber security incidents, Verizon found three factors to be behind 87% of breaches – miscellaneous errors, system intrusion, and social engineering. This percentage was about the same as last year’s figure, with one “potential countervailing force” identified by Verizon being an apparent improvement in reporting practice – more people now seem to be able to spot a phishing email and more people are reporting them.
Globally, a total of 68% of breaches – whether they included a third party or not – involved a non-malicious human action, which is to say someone made a mistake or fell victim to a social engineering attack.
“The persistence of the human element in breaches shows that organisations in EMEA must continue to combat this trend by prioritising training and raising awareness of cyber security best practices,” said Verizon Business vice president of EMEA, Sanjiv Gossain.
“However, the increase in self-reporting is promising and indicates a cultural shift in the importance of cyber security awareness among the general workforce.”
Zero-days a persistent threat
Even so, the prevalence of human-induced breaches in the data should not mask other critical threats. Globally, the exploitation of vulnerabilities as an initial entry point by malicious actors in the reporting period (November 1 2022 to October 31 2023) increased since last year, accounting for 14% of all observed breaches that the Verizon team tracked.
The spike was driven by the scope and increased volume of zero-day exploitation by ransomware actors, notably the MOVEit file transfer breach that unfolded in May and June of 2023, and saw mass exploitation by the Clop/Cl0p ransomware gang, likely enough to skew the statistics somewhat.
“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to enterprises, due in no small part to the interconnectedness of supply chains,” said Alistair Neil, EMEA senior director of security at Verizon Business.
“Last year, 15% of breaches involved a third party, including data custodians, third-party software vulnerabilities, and other direct or indirect supply chain issues.”
Verizon noted that on average it takes organisations about 55 days to remediate 50% of critical vulnerabilities – which may or may not be zero-days – once patches become available, while mass exploitation of the most serious vulnerabilities can begin in as few as five days. This is based on an analysis of the widely used Known Exploited Vulnerabilities (KEV) catalogue maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).
Industry reaction
As always, the Verizon DBIR was hotly-anticipated in the security world, and much debated following its release. Among those commenting on Verizon’s findings was William Wright, CEO of Closed Door Security, a Scotland-based managed security services provider (MSSP), who said that despite the constant drumbeat of high-profile breaches, organisations were clearly very far from cyber maturity.
“The Verizon DBIR shows it’s still the basic security errors putting organisations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams,” said Wright. “This needs to change as a priority because no business can afford to gamble or take chances with cyber hygiene. Just look at Change Healthcare: the breach was executed via an unsecured employee credential and the organisation is now facing over a billion in losses. No other organisation wants to find itself in this position.”
“Organisations instead must adopt processes where patches are applied frequently and critical vulnerabilities receive immediate updates, even if they are outside of regular patch windows. Employees must be trained regularly and MFA must be adopted to increase defences against phishing. This also must be thoroughly tested to ensure there are no gaps that could put a business at risk,” said Wright.
Saeed Abbasi, manager for vulnerability research at Qualys, said the surge in vulnerability exploitation was of particular concern, and highlighted the need for urgent and strategic management.
“We advise organisations to implement comprehensive, proactive strategies, including agent-based and agent-less security measures, to pre-empt potential breaches. Additionally, organisations require a multi-layered defence strategy, integrating advanced detection tools, zero-trust frameworks, and rapid patch management,” said Abbasi.
“Given the increasing complexity and interconnectedness of supply chains, this holistic approach to cyber security is essential. These networks are often targeted by cyber threats, affecting not just individual organisations but also extending to third-party interactions and the broader supply chain.”
Others also picked up on the issues around vulnerability exploitation surfaced in the Verizon DBIR. J.J. Guy, CEO of Sevco Security, an exposure management platform, said the growing volume of exploitation was not fundamentally a security problem but an organisational one.
“CISOs are accountable for the security of the enterprise network, but do not have the authority or responsibility for either maintaining the inventory of assets on that network or the remediation of vulnerabilities on those assets,” said Guy.
“No one should be surprised that a dysfunctional organisational model leads to poor results and 10% of the most critical, actively exploited vulnerabilities as tracked by CISA are still unpatched after a year. Organisational leaders must either align accountability and responsibility for these critical activities, or IT and security teams need better tools to collaborate across department lines.”
And Kevin Robertson, COO at Glasgow-based MSSP Acumen, had harsh words for one organisation in particular.
“Criminals are clearly banking on zero-days to launch attacks on businesses, often relying on delays in organisations’ patching windows. Microsoft must take responsibility for this, otherwise, it’s their valued customers that are suffering the real consequences,” he said.