A good look at one of the industry’s most trusted annual cybersecurity reports will tell you attackers are stepping up their game — and leaning into what works.
The Verizon 2023 Data Breach Investigations Report analyzed 16,312 security incidents and 5,199 breaches this year, crunching the numbers to find the patterns. From the soaring cost of ransomware to a staggering trend towards financially driven social engineering ploys, it’s obvious that threat actors aren’t pulling back.
The adage “it’s not if, but when” has never been more applicable when considering the possibility of a cyberattack. Assuming a breach is going to happen, being aware of common tactics and fortifying with the right solutions is the best any organization can do to stay ahead of sneaky attack trends. The better a company understands the most recent threat vectors, the better they can inoculate against a breach.
Here are our top 10 takeaways from the Verizon 2023 DBIR:
50% of all social engineering incidents in 2022 used pretexting | Pretexting is an invented scenario that tricks someone into giving up information or committing an act that may result in a breach. According to the report, pretexting attacks have nearly doubled since last year, as seen in cases of business email compromise (BEC). Recently, the FBI 2022 IC3 Report revealed that BEC-related losses totaled a staggering $2.7 billion in 2022 (no less than 78 times the losses related to ransomware).
62% of all incidents by organized crime utilize ransomware | In most cases of compromise by organized crime, the threat actors leveraged ransomware to get their money’s worth out of a company’s data. Data is today’s currency, and the assumption is that an organization will pay more to get it back than the gang can sell it for on the Dark Web. Not only accounting for nearly a quarter of breaches total (organized crime or not), ransomware was also present in 15.5% of all incidents, moving it up to the second spot.
32% of all Log4j vulnerability scanning occurred in the first 30 days after release | This indicates how quickly a vulnerability like Log4j goes from proof of concept (POC) to mass exploitation, and the consequences are alarming. Rated at the maximum criticality score of 10, this vulnerability compromised many companies through sheer speed, since the median time to patch a critical vulnerability is 49 days for most organizations.
83% of all attacks come from external threat actors | While insider threats are always present, the vast majority of attacks came from outside the network this past year. Verizon states that this percentage, while heavily skewed towards external threat actors, has been consistent since they started the DBIR 16 years ago.
74% of all breaches include the human element | This includes human participation through error, privilege misuse, stolen credentials, or social engineering. Tactics include manipulation, deception, intimidation, and more, underpinning the need for both automation and user training to reduce the likelihood of human error leading to a breach.
49% of breaches by external actors involved use of stolen credentials | The top three ways in which attackers entered the enterprise this past year were via stolen credentials, phishing, and exploited vulnerabilities, in that order. Pilfered passwords made up the lion’s share, while phishing accounted for 12% and exploited vulnerabilities accounted for 5%.
95% of breaches are financially motivated | It appears very few do this gig for free: in 2022, the vast majority (95%) of attacks were motivated by financial gain. As the report states, this flies in the face of notions that politically targeted nation-state attacks are taking on a significant piece of the pie. Espionage only accounts for 4%, while the remaining 1% hacks for the love of the game (“fun” as described in the DBIR).
Beware of basic web application attacks | It doesn’t take much. A simple exploit can be equally effective as a complex one, which is why basic web application attacks rank in the top three attack patterns of this year’s DBIR. It can be as easy as a brute-forced password — no fancy malware necessary. These attacks thrive on loosely protected and poorly picked passwords.
Social engineering attacks are alive and well | The fact that BEC (or pretexting) ploys nearly doubled from last year caused social engineering incidents overall to rise. The money may have helped, too: over the past couple of years, the median amount gained in these attacks has risen to reach $50,000 per incident.
System intrusion is the #1 attack pattern | For the second year running, system intrusion takes the top spot in attacks against Accommodation and Food Services companies. It also ranked high in crimes against Education, Finance and Insurance, Healthcare, Information, and... in short, it is the single most employed attack pattern of 2022. System intrusion is a complex attack using malware, ransomware, and other hacking techniques, and is commonly leveraged by “more dedicated criminals.” It looks like hard work and dedication pay off in any field.
If there’s one thing the 2023 DBIR shows, it’s the importance of anticipating diverse attack vectors. While there are patterns to follow, threat actors will use any means necessary to creatively breach data. Therefore, a well-defended organization will have diverse measures of defense.
Fortra’s unmatched portfolio helps secure companies against the unexpected, the complex, and the everyday security issues that get in the way. From password protection and ransomware defense to offensive security measures and security awareness training, Fortra has bundled security solutions to fortify your organization against data breaches, no matter the method of attack.