The Verizon Data Breach Investigations Report (DBIR) is one of the cybersecurity industry’s most comprehensive reports, analyzing the prevalence, type, and causes of data breaches over the past year. It is a good source of threat intelligence for businesses to identify current trends and methods used by bad actors and, in turn, to help develop and improve a security program to mitigate the risk of a breach. The 2024 DBIR highlights another busy year for cybercrime, analyzing 10,626 confirmed data breaches between November 1, 2022, and October 31, 2023 – which was a record high.
The DBIR identified a significant trend: a 180% increase in attacks involving the exploitation of system vulnerabilities as the pathway to initiate a breach. These system vulnerability breaches often involved what are known as “zero-day vulnerabilities” – a vulnerability that is not yet known to the software provider, so no patch exists when attackers begin exploiting it. Systems remain exposed until a patch is issued by the software provider and installed by the organization, and cybercriminals race to exploit the vulnerability during that window of exposure. Even after patches become available, the DBIR found that organizations generally take more than 30 days to implement the patch and remediate the vulnerability.
These vulnerability exploits can be extremely disruptive and costly to a business. The DBIR found that these attacks were primarily carried out by ransomware and other extortion-related threat actors. In other words, the criminals block access to the victim organization’s network and will only provide the “key” to unlock the system if a considerable sum of money – a ransom – is paid. According to the DBIR, in these ransomware/extortion breaches, the threat actors generally don’t care about the data in the system; their goal is to force the victim organization to buy back access to its own systems. The DBIR reports that, according to ransomware negotiation data, the median ratio of requested ransom to company revenue was 1.34%, but in some cases it was as much as 24%.
The DBIR also highlighted two other trends in the factors that have been contributing to data breaches:
First, the DBIR found that a human element was a component of a majority – 68% – of breaches. For example, phishing remains a frequent source of data breaches. In a phishing attack, the threat actor sends fraudulent communications by email or text that appear to come from a legitimate source, aiming to trick the recipient into sending money under false pretenses, clicking on a link, or opening an attachment that will install malware on the network. The DBIR found that phishing attacks succeed quickly: the time for users to fall for phishing emails is typically less than 60 seconds.
Second, the DBIR found a significant growth in breaches originating from a vendor that has connectivity to the victim organization’s systems, increasing from 9% to 15%. These breaches often occur because the third party’s application contains an exploitable vulnerability, giving the threat actors a pathway from the third party into the victim organization’s network.
The good news is that with the identification of these threat vectors, there are preventative steps that companies can take to mitigate the risk of a data breach. The DBIR provides some recommendations, examples of which include:
• Implementing a plan to promptly identify and patch software vulnerabilities.
• Establishing and maintaining a data recovery process, including performing automated system backups.
• Educating staff on security awareness, including how to recognize and avoid phishing schemes.
• Requiring multi-factor authentication for remote network access.
• Implementing and enforcing password length and complexity requirements, and requiring passwords to be changed on a periodic basis.
• Selecting vendors with strong security track records.
While not addressed in the DBIR, businesses should also consider cyber insurance. Even with precautions in place, a data breach may nevertheless occur. Businesses should therefore review their insurance portfolios to determine whether they have coverage for a data breach and speak with their insurance brokers about coverage options.
Finally, a positive note from the DBIR is that no data was found to suggest that the emergence of artificial intelligence is meaningfully contributing to or increasing the prevalence of data breaches or providing new means of attack – at least not yet. We will continue to monitor developments in that area and across the data breach landscape.
For further assistance please contact your primary Golenbock attorney or the attorneys listed below:
Martin S. Hyman (212) 907-7360
Email: mhyman@golenbock.com
Matthew Daly (212) 907-7329
Email: mdaly@golenbock.com
Golenbock Eiseman Assor Bell & Peskoe LLP
Golenbock Eiseman Assor Bell & Peskoe LLP is a Manhattan-based business law firm with a broad-based practice that offers corporate, complex litigation, labor & employment, real estate, reorganization, intellectual property, tax, and trust & estate expertise. The firm provides high value, sophisticated counsel and representation for its domestic and international clients while maintaining a hands-on, personalized approach to all matters.
The firm represents entrepreneurial, portfolio, and institutional clients, ranging from start-ups to Fortune 500 companies, with a specific focus on the mid-market segment. Among our clients are private corporations, public companies, private equity firms, venture capital firms, individual investors, and entrepreneurs.
Golenbock is a member of the Alliott Global Alliance, which was named to Band 1 of global law firm alliances by Chambers Guides, the prestigious international legal survey. Alliott numbers 215 firms in 94 countries on six continents, and helps member firms partner with others in countries around the globe.
Golenbock Eiseman Assor Bell & Peskoe LLP uses Client Alerts to inform clients and other interested parties of noteworthy issues, decisions and legislation that may affect them or their businesses. A Client Alert should not be construed or relied upon as legal advice. This Client Alert may be considered advertising under applicable state laws.
© GEABP (2024)