Verizon’s 2023 Data Breach Investigation Report: Takeaways and Tips
Verizon has just published its annual Data Breach Investigation Report (DBIR). Here are the key takeaways from the 2023 DBIR—along with our own tips and suggestions on how to stay safe.
BEC on the rise
One of the most alarming findings in the 2023 DBIR was that business email compromise (BEC) attacks “have almost doubled” across the data set Verizon studied.
BEC is a type of attack that works via social engineering. Here’s how the FBI explains it:
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:
+ A vendor your company regularly deals with sends an invoice with an updated mailing address.
+ A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
+ A homebuyer receives a message from his title company with instructions on how to wire his down payment.
BEC results in financial loss—as well as reputational damage for businesses and emotional strain on the employees who fall victim to these attacks.
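As an added illustration (not part of the original post or of the DBIR), here is a small Python check that flags the indicators behind the FBI's BEC examples above: a known contact's display name paired with an unexpected sender address, a Reply-To pointing at a different domain, and language requesting changed payment details, gift cards or wire transfers. The contacts directory and the three sample messages are constructed for the example.

```python
"""Heuristic BEC indicator check over constructed sample messages (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of known contacts: display name -> the address we expect.
KNOWN_CONTACTS = {
    "Acme Supplies Billing": "billing@acme-supplies.example",
    "Dana Reyes": "dana.reyes@example-corp.example",
}
# Coarse phrase list matching the FBI scenarios (changed address, gift cards, wire instructions).
RISKY_PHRASES = ("updated mailing address", "new bank", "wire", "gift card", "serial numbers", "urgent")

def bec_indicators(raw_message: str) -> list[str]:
    """Return the indicator names found in one RFC 822 message; an empty list means none."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    indicators = []
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected.lower():
        indicators.append("display-name-spoof")  # known name, unexpected address
    if reply_to and reply_to.split("@")[-1].lower() != addr.split("@")[-1].lower():
        indicators.append("reply-to-mismatch")  # replies would go to another domain
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(phrase in text for phrase in RISKY_PHRASES):
        indicators.append("payment-change-request")
    return indicators

# Constructed samples: a lookalike-domain invoice, a genuine invoice, and a gift-card request.
SPOOFED_INVOICE = """From: Acme Supplies Billing <billing@acme-supp1ies.example>
Reply-To: accounts@acme-supp1ies.example
Subject: Invoice 4471 - updated mailing address

Please note our updated mailing address for all future payments.
"""
LEGIT_INVOICE = """From: Acme Supplies Billing <billing@acme-supplies.example>
Subject: Invoice 4472

Attached is this month's invoice. Thank you.
"""
GIFT_CARD_REQUEST = """From: Dana Reyes <dana.reyes@example-corp.example>
Reply-To: dana.reyes@freemail.example
Subject: quick favor

Can you buy gift cards for the team and send me the serial numbers? urgent.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_INVOICE, LEGIT_INVOICE, GIFT_CARD_REQUEST):
        print(bec_indicators(sample))
```

A hit on any indicator is a cue to verify the request out of band, not proof of fraud; the phrase list in particular will also match ordinary mail.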
The human element
Verizon’s researchers found that nearly three in four breaches involved a “human element” in some way. To quote the DBIR:
74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.
Unfortunately, human beings are still an effective point of attack for the bad guys. However, if there’s a silver lining here, it’s that this number is actually down from 2022, when Verizon’s research found that 82% of breaches involved a human factor.
All about the money
Perhaps unsurprisingly, there appears to be one overriding motivation for cybercrimes: money. Verizon found that “the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches.”
How much money are we talking about? Lots—and the situation appears to be getting worse. According to the FBI’s most recent Internet Crime Complaint Center (IC3) report:
In 2022, the IC3 received 800,944 complaints…the potential total loss has grown from $6.9 billion in 2021 to more than $10.2 billion in 2022.
Initial access trends
When it comes to how bad actors actually break into organizations, there are some clear trends. According to Verizon:
The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities.
That last one (exploitation of vulnerabilities) underscores the importance of keeping your systems and applications up to date—something we’re constantly encouraging both here and on The Checklist!
Tips for staying safe
The stats from this year’s DBIR are worrying. But the main takeaways from the 2023 report also point to clear mitigations that are available to everyday Mac users and folks at small and medium businesses (SMBs). Here’s what we’d recommend to stay safe in the coming year:
Be skeptical—now more than ever
BEC is a growing problem and social engineering is a perennial threat. With the rise of AI voice cloning technology, we may also see a spike in phone-based social engineering attacks. The best strategy going forward is to be skeptical about all unsolicited requests for information, payments, or changes. Never give out sensitive personal or financial data over the phone or via email. If you work in a business, confirm and reconfirm all payments or unusual requests with vendors, managers, and/or your accounts payable group. Last but not least, if something seems “off” or out of the ordinary, slow down, take a breath, and do your due diligence before proceeding.
Use password managers and 2FA
Stolen credentials are a major cause of compromises. To protect your accounts, use a password manager to create strong, unique passwords and manage them securely. This prevents bad actors from abusing easily guessed credentials. In addition, protect all of your accounts with two-factor authentication. If your password is compromised, bad actors will not be able to access your account because they won’t have the second authentication factor.
Patch often, patch fast
One telling statistic in the 2023 DBIR relates to last year’s Log4j vulnerability: “More than 32% of all Log4j scanning activity over the course of the year happened within 30 days of its release.” Here’s what that means: When a vulnerability becomes public knowledge, bad guys are in a race against the clock to take advantage of it before users can patch. For this reason, it’s essential to enable automatic updates for all of your systems and apps. In addition, macOS and iOS users should avail themselves of Apple’s new Rapid Security Response feature in order to receive urgent security patches faster.
Educate yourself—and others
If you’re a Mac user, it’s essential to keep up with Apple cybersecurity news, developments, and best practices. The 2023 DBIR showed that the overwhelming majority of breaches are financially motivated. We believe that with the explosion of Mac in the enterprise, bad guys have a greater incentive than ever to target macOS. In addition, the fact that “the human element” is involved in so many breaches points to a need for better overall cybersecurity knowledge and awareness. Learn more about cybersecurity by following security blogs like this one or Apple security-focused podcasts like The Checklist. Then share what you learn with your friends, family, and coworkers.