Friday, 3 May 2024

The latest Verizon DBIR report reveals Australian organisations need to move at pace, as threat actors continue to exploit vulnerabilities at unprecedented rates.

Verizon's eagerly awaited 2024 Data Breach Investigations Report (DBIR) shows the cracks in our cybersecurity defences are growing wider and organisational cyber resilience is becoming weaker. KordaMentha is proud to have contributed to the report's current edition, which analysed a record 30,458 real-world security incidents between November 1, 2022, and October 31, 2023. A third of these incidents were confirmed as breaches, occurring across 94 countries.

Among the annual report's most alarming findings is that vulnerability exploitation as the critical path to initiating a breach has almost tripled, a 180% increase on the previous year.

Key findings:

  • Financial motives continue to dominate as the main motivator for threat actors.
  • Ransomware remains the most significant threat facing organisations today.
  • An organisation's supply chain is implicated in 15% of all data breaches, nearly a 70% increase on the previous year.
  • In the APAC region, there is an increase in espionage-related motives, which account for 39% of threat actor motivation. From our perspective, we would attribute this to intellectual property theft committed by internal threat actors.
  • On average, it takes less than a minute for users to fall victim to a phishing email attack (from the moment the phishing email is opened to when the credentials are compromised).

In the Asia-Pacific (APAC) region, the DBIR recorded 2,130 incidents and 523 confirmed breaches, an increase largely driven by the exploitation of vulnerabilities in widely used third-party platforms integrated into organisations' business processes. This style of attack can be catastrophic: a single such exploit in North America last year resulted in threat actors accessing thousands of organisations and government departments worldwide.

Financial gain continues to be the leading criminal motive. But espionage is gaining ground, especially in APAC, where it motivates at least 25% of breaches, compared with 4% to 6% in other regions. The major threat actions in the region were hacking, malware and social engineering-based attacks, statistics that were also reflected in North and Latin America.

Ransomware remains the top threat across 92% of industries, where it (or other extortion tactics) plays a part in almost two-thirds of successful attacks. Why? The sheer success of ransomware payouts. A massive $1.1 billion in known ransomware payments was recorded by Chainalysis in 2023 alone, further indicating the significant amount of cryptocurrency used as a payment method.

The DBIR reports that the median fraudulent transaction now stands at US$50,000. While that is a large sum, in KordaMentha's business email compromise (BEC) investigations we have encountered fraudulent transactions exceeding $460,000 AUD in a single transaction.

The human element's share of breaches has shot up to 70%, with a third of those occurring through basic error. Worryingly, the DBIR found it takes less than a minute for a user to fall victim to a phishing email, a pattern we have observed on engagements we have assisted with over the last year. This clearly signals that organisations need to reshape company culture into one that prioritises awareness of cybersecurity risk. While we emphasise the importance of multiple layers of defence for mitigating and preventing cyber-attacks, this philosophy is particularly essential in a world where anyone with a phone is connected to the web and is at risk.

There also needs to be greater awareness of insider threats. In our experience, this can involve an aggrieved or departing employee removing confidential data such as marketing campaigns and client lists, either for personal gain or in collusion with outside cyber criminals seeking to steal and leak valuable customer details and company IP.

In essence, the DBIR's findings show we aren't learning our lessons around maintaining cybersecurity vigilance.

A glaring example is the continued lack of awareness of the potential dangers posed by third-party software. Organisations are clearly ignoring the importance of acquiring software from reputable vendors with solid defences, as borne out by DBIR data showing that breaches which could have been mitigated or prevented by choosing providers with better security are up 70%. Third-party due diligence is essential to understanding and managing your security risk, given that 15% of data breaches directly involve an upstream supplier or services provider. This week's reported data breach involving more than 1 million NSW clubs' customer records is a prime example.

The problem facing all organisations now is that criminals are moving faster than ever. This is certainly what we are repeatedly seeing across Australian organisations: the moment software is installed, it is scanned for vulnerabilities by criminals. Yet once an attack is recognised, it can take 12 months or longer to patch the vulnerability. The DBIR found it takes roughly 55 days to remediate half of those critical vulnerabilities once their patches become available, while last year's Cyber Threat Report from the Australian Signals Directorate revealed one in five critical vulnerabilities was exploited within 48 hours.

We are simply not keeping up.

Urgency and agility are key, and the answer lies in organisations mitigating vulnerabilities as soon as third-party software is installed, particularly in an era when generative AI is being used so effectively to exploit opportunities.

And we must cease to underestimate the threat posed by people, from the C-suite to employees to contractors. Our strong view is that organisations need to pay greater attention to reshaping company culture into one that prioritises cybersecurity and education among workers. To date, Australia has adopted a 'She'll be right' mentality when it comes to cyber and its appropriate governance. Although Australia is geographically far from many threats, this laissez-faire mindset is one that must evolve. We are a developed, industrialised, resource-rich country, and that is an attractive proposition to many unscrupulous players, domestically and overseas.

Read the full report here.