Government agencies and industry associations recognize the need to share information to reduce the impact of breaches. On its website, the Cybersecurity and Infrastructure Security Agency (CISA) promotes information sharing as a way to reduce overall risk: “Isolating cyber attacks and preventing them in the future requires the coordination of many groups and organizations. By rapidly sharing critical information about attacks and vulnerabilities, the scope and magnitude of cyber events can be greatly decreased” (Information Sharing, Cybersecurity and Infrastructure Security Agency CISA, https://bit.ly/3DxDd85). Many critical sectors, including retail, real estate, financial services, and media, have sector-specific Information Sharing and Analysis Centers (ISACs) that “collect, analyze, and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency” (National Council of ISACs, https://nationalisacs.org).
Complications, including legal ramifications and the embarrassment of suffering a breach, can understandably limit what competitors share, assuming they are open to the benefits of sharing at all. CPA firms, consultants, and cybersecurity vendors help bridge this gap by publishing annual cybersecurity and breach reports that review prior-year activity and forecast upcoming and evolving challenges. Some view these reports as little more than marketing brochures; yet when written objectively and based on input gathered from many sources, a report can earn the confidence of the security community, which can then study actual breaches rather than spend attention and resources on theoretical attacks that have only a small probability of occurring. For a risk manager, this is consistent with the mantra of allocating scarce resources to the threats that would significantly harm the organization and its stakeholders.
Verizon Breach Report
The “Verizon 2023 Data Breach Investigations Report” (http://verizon.com/dbir/) is such a tool. The current version is the 16th annual edition of this well-regarded and frequently cited report; it is referenced by organizations such as the Center for Internet Security (www.cisecurity.org), by professional society publications (e.g., ISACA), and by other industry publications. Acknowledged contributors range from government agencies (e.g., FBI, Secret Service) and the Computer Emergency Response Teams (CERTs) of various countries and regions, including the United States, Japan, and the European Union, to security vendors (e.g., CrowdStrike, Dell, Palo Alto Networks). Contributions from such diverse and often competing parties lend the report additional credibility.
Given its diverse readership, the report is organized so that each reader can go directly to what concerns them. An executive summary and a summary of findings are available on the report’s home page (http://verizon.com/dbir/), as are webinars and short videos. These resources may suffice for non-security practitioners and those responsible for high-level oversight. For others, the first three sections carry the substance: a summary of findings; results and analysis (who the actors were, what actions they took, which assets were affected, and what attributes of those assets were compromised); and the incident classification patterns, the primary attack types that caused the breaches. The patterns section also maps each pattern to the relevant MITRE ATT&CK techniques (a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, https://attack.mitre.org/) and to the Center for Internet Security (CIS) Controls recommended to mitigate the threat. The final two main sections focus on breaches within specific industries and geographic regions.
Insights from the Report
Verizon presents the following key insights in an infographic available on the report’s website (https://vz.to/3Kk0QVn). Note that the percentages describe the incidents and breaches in the DBIR dataset for the reporting period, not every breach that occurred worldwide:
- 50% of all social engineering incidents in 2022 used pretexting—an invented scenario that tricks someone into giving up information or committing an act that may result in a breach.
- 24% of all breaches involved ransomware—maliciously encrypting data and demanding a ransom to return or unlock it. It was present in more than 62% of all incidents committed by organized crime actors and in 59% of all incidents with a financial motivation.
- More than 32% of all Log4j vulnerability scanning—probing for the Log4Shell flaw in this ubiquitous Java-based logging library, which can give attackers control of a company’s servers—occurred in the first 30 days after the vulnerability was disclosed. This shows how quickly a threat can go from proof of concept to mass exploitation.
- 83% of breaches involved external actors, primarily organized crime groups with financial motives; 19% involved internal actors, who caused both intentional and unintentional harm through misuse and simple human error.
- 74% of all breaches included the human element through error, privilege misuse, use of stolen credentials, or social engineering.
- 49% of breaches by external actors involved the use of stolen credentials, while phishing made up 12% of external attacks. Attackers used the exploit vulnerability technique in 5% of breaches. This shows the importance of anticipating diverse attack vectors.
- 95% of breaches were financially driven.
Using the Report
Providing oversight of cybersecurity can be a challenge for many audit committees. Those fortunate enough to have an independent internal audit function may be able to rely on the cybersecurity-related reports that function produces. Even then, an audit, by its nature, may paint a more piecemeal picture than management could provide, and management representations may themselves suffer from inaccuracy, incompleteness, or ignorance (not understanding the relevant risks and mitigating controls). One way to manage these concerns is to gauge the organization’s exposure to the breaches actually occurring by comparing the breach report’s contents against current practices.
In some organizations, management presents the annual IT risk assessment results to the board or the audit committee; in a regulated industry, such a presentation is mandatory. Often, management presents only the highest-rated risks it believes exist, followed by minimal discussion. Instead, an audit committee member could take the breach report’s significant findings and use them to draw out information from management that satisfies the committee’s oversight responsibilities. For example, suppose the organization provides employees with only minimal security training (an hour or two of generic content). An audit committee member might ask how the risk assessment accounted for the finding that 74% of breaches involved the human element, and how existing training efforts mitigate that exposure. Another question could test the strength of the ransomware and malware mitigation program by asking how current risk mitigation practices address the attack patterns and recommended controls described in the report.
Ask the Questions and Get the Answers
By reviewing the Verizon report’s summary-level information, audit committee members can quickly understand how peers and competitors have been breached. Introducing factual and relevant information when questioning management enhances the effectiveness of the committee’s oversight, minimizes management’s opportunities to dismiss critical questions, and increases management’s accountability for proactively identifying and resolving cybersecurity challenges before they become data breach embarrassments.