Cybercriminals are adopting new, more sophisticated tactics. Security leaders can't depend on purely technical solutions that ignore the human element. 

If there is one broad theme to Verizon's 2023 Data Breach Report, it's that the arms race between cybercriminals and cybersecurity professionals hinges on the human element more than ever. The report declares this clearly in its opening summary, saying that: 

• Nearly two-thirds (74%) of all breaches recorded either involved employee error, privilege misuse, stolen credentials, or social engineering. 
• Business email compromise attacks have nearly doubled across the entire incident dataset, and now make up more than half of social engineering attacks. 

• 83% of breaches involve external actors, and financial motivation is behind 95% of breaches. 
• Stolen credentials are the primary attack vector in nearly 50% of all breaches. Phishing is responsible for around 15%, and technical vulnerability exploits make up around 10%. 
• Ransomware is still one of the most prevalent cybersecurity threats encountered by information security teams across organizations of every size in every industry. 

Cybersecurity professionals are once again under pressure to adapt to a changing threat landscape. We've gone through Verizon's data and identified five core points security leaders need to internalize to guarantee consistent security performance moving forward. 

Five Core Findings from the 2023 Verizon 2023 Data Breach Report: 

1. You can't stop every internal error – but you can learn from them. 

Internal errors make up a small but significant number of overall breaches covered in Verizon's report. However, these security incidents have a much lower rate of disclosure than external cyberattacks. 

This isn't necessarily because security leaders intentionally try to cover up these errors – although some certainly do. It's also connected to the fact that many security teams simply don't have the visibility necessary to detect and respond to these kinds of incidents, whether they result in a breach or not. When internal errors go unnoticed, it's impossible for security leaders to meaningfully address them. 

The majority of internal errors come in three distinct flavors: 

• Misdelivery has risen significantly over the past two years. This kind of error occurs when someone accidentally sends sensitive information to the wrong recipient. Most of these errors are attributable to system administrators and software developers. 

• Misconfiguration is down significantly from its peak during the pandemic-fueled remote work frenzy of 2021. Many organizations are beginning to understand that plug-and-play software doesn't always meet complex security needs. They are beginning to invest significant resources into expert-led custom configuration projects.  
• Publishing errors have surged since hitting a low point in 2020. These errors are similar to misdeliveries, except they involve broadcasting data to the wrong audience which amplifies the risk involved. 

Not all internal errors lead directly to data breaches. However, organizations that can't detect and rectify these errors practically guarantee that at some point, sensitive data will end up in the wrong hands. 

2. Ransomware is here to stay, now paired with additional attacks 

Nearly a quarter of data breaches involve a ransomware step. The idea of a "ransomware step" is an important departure from the traditional categorization of "ransomware attacks" as being different from other types of cyberattacks. 

Now, cybercriminals are more likely to build complex, multi-tiered attack strategies where ransomware is just one of many ways they attempt to monetize stolen data.  

For example, if security teams successfully repel a ransomware attack with a secure backup system, cybercriminals may simply switch tactics, threatening to leak sensitive data unless they are paid. They may even go further, leveraging the data itself to compromise credentials, attack users, or target third-party partners. 

This means that ransomware is still a major threat, even to organizations with anti-ransomware defenses in place. Organizations of all sizes and industries can easily find themselves targeted by ransomware attacks and may be surprised to discover that the story doesn't end when the initial attack is remediated.  

According to the report, email is the top action vector for ransomware delivery, followed closely by desktop-sharing software and web applications. Together, these three account for roughly three-fourths of all ransomware attacks. 

Even organizations with robust ransomware protection can still find themselves targeted by attackers infiltrating email, remote desktop software, and web applications. If cybercriminals can't monetize the data one way, they'll simply try another. 

3. Malicious insiders are increasingly partnering with external threat actors 

Privilege misuse includes malicious insiders, and a significant number of these breaches involve multiple threat actors. Specifically, data breaches that combine privilege misuse with fraudulent transactions have surged in the past year. 

These findings suggest that cybercriminals are connecting with insiders and facilitating scams that target the organization in question. In some cases, organized crime groups have high-quality candidates apply to open positions, only to exploit the organization months or even years later. 

These operations span the range from elaborate long-term fraud to brazen one-time heists. Sometimes a malicious insider with the right privileges can simply redirect enormous amounts of money to a threat actor-controlled bank account and disappear before the organization notices. 

The thread that connects these different attacks is collusion. Often, malicious insiders can't siphon funds away from the organization without an external partner who can launder the money properly. This means that some level of cooperation between internal and external threat actors is necessary. 

No organization's onboarding process is perfect. Any employee can be (or turn into) a malicious insider. Deep visibility and comprehensive behavioral analysis offer organizations a way to detect these insiders and stop them before they complete their attacks. 

4. Financial gains motivate most cyberattacks, yet information security is still an afterthought 

Financial motivations are behind nearly 95% of all data breaches, which is in line with previous years. Espionage (either corporate or state-affiliated) is a far second. At the same time, organized crime groups are behind the majority of data breaches, which implies there is still good money to be made in cybercrime. 

This finding also puts pressure on organizations to pay greater attention to information security. While most organizations have made great progress in the last few years, it's clear there is still a long way to go. 

Several different factors may be holding organizations back from achieving true operational security excellence: 

• Complacence with compliance. Many security leaders hold fast to the idea that adhering to voluntary initiatives like the NIST Cybersecurity Framework ensures adequate protection against cybercrime risk. These frameworks are an excellent starting point for cybercrime risk management, but they don't provide the individualized guidance that organizations truly need. 
• Communication challenges. Executives and corporate stakeholders need to approve cybersecurity initiatives before security leaders can execute them. This means that the viability of any security initiative depends on how well it is communicated, and how strongly the evidence to support it is presented. 

• Security awareness training and user buy-in. Security policies only generate results when users actually comply with them. The more complex a policy is, the harder it is to reinforce among users who may not see the value of security-oriented processes – especially when unsecured shortcuts can potentially improve production. 

Security leaders are often held back by a lack of visibility into their own security processes.

To successfully attribute value to security initiatives, leaders need accurate, in-depth data about how those initiatives impact the organization's top and bottom lines. They must also improve policies by observing how individual users interact with them.

Learn more about the Lumifi.

5. Your organization's credentials should be protected like intellectual property 

Stolen credentials offer cybercriminals the fastest, easiest, and most effective path of entry into target networks. Roughly half of all breaches start with a compromised credential, compared to the 5% that originate with exploited technical vulnerabilities. 

This finding should lead security leaders to reconsider their overall risk management strategies. It should especially concern leaders at enterprise-level organizations where employees hold a large number of software and vendor accounts. 

It should also play an important role in strategic decisions about implementing security technologies. 

That's because many security providers focus intently on countering the latest technical exploits, even though there are relatively few cybercriminals capable of exploiting these kinds of vulnerabilities on a significant scale.  

On the other hand, exploiting a known password may take no technical skill whatsoever. Upon infiltrating the network this way, an insider may be able to do much more damage than a technical cybercriminal who leaves a more comprehensive audit trail. 

It can be helpful to look at the way tech companies have historically treated their intellectual properties. They entrust engineers, scientists, and other employees to work with these assets, but act swiftly when it looks like an employee is getting ready to patent a company invention under their own name. 

Every organization needs robust identification and authentication policies, but that's not all. Security professionals need to be able to see how authenticated users interact with company assets and flag suspicious events even when the users involved have all the right permissions. 

Leverage Visibility to Manage the Human Element of Your Security Posture 

While security leaders are right to be concerned about phishing and technical exploits, credential-based attacks are at the top of the security leader's priority list. Detecting and mitigating credential-based attacks requires carefully monitoring the way human users interact with company assets. This can't be done without deep visibility into how individual users behave on a day-to-day basis. 

Lumifi specializes in deploying solutions that grant unlimited visibility into security processes and performance for every user, asset, and entity on the network. Discover how our SIEM expertise can help your organization move beyond compliance and establish a truly robust security posture that will protect it against sophisticated internal and external threats.