Cybercriminals are increasingly targeting senior business executives directly as they look for new ways to navigate technological and human defences, according to a detailed analysis of data breaches from 2018.
Fully 69 percent of the 31,686 security breaches and 2013 data breaches – analysed by Verizon Enterprise for its latest Verizon Data Breach Investigations Report (DBIR) – were perpetrated by outsiders, the firm found, including 39 percent of breaches organised by organised criminal groups.
Motives for breaches were primarily financial and executives were a frequent target, the analysis found, with 20 percent of incidents involving high-level targets – and more than 60 percent of fraudulent transaction incidents involving finance staff.
Overall, Professional Services executives were six times as likely to be compromised than those in all industries. By contrast, Human Resources personnel were targeted six times less frequently in 2018 than in the previous year.
Generally poorly-protected small businesses were also common targets, comprising 43 percent of breaches, while 10 percent of breaches hit better-resourced financial-industry players – this, as the new Banking Executive Accountability Regime looks set to impose strict new accountability conditions on executives including CIOs, CTOs, and other tech-focused executives.
The use of social-media attacks was becoming an increasingly popular attack vector, with senior executives 12 times as likely as other staff to be targeted by social incidents – and 9 times more likely than in previous years.
Increasingly successful business email compromise (BEC) attacks, of which there were 370 reported incidents and 248 confirmed breaches within the DBIR’s scope, reflect growing stress in the workplace and increasing demands on time-poor executives.
Fully 12 percent of all data breaches analysed related to financially-motivated social-engineering attacks – and Verizon Global Enterprise president George Fischer was quick to link the surge in social-media attacks to “time-starved and under pressure” executives who have “often unchallenged approval authority, and privileged access into critical systems.
Companies’ own investment in new technologies and information architectures were also to blame, since those investments intrinsically needed to be made with security as a core consideration.
“Enterprises are increasingly using edge-based applications to deliver credible insights and experience,” Fischer said in a statement. “Supply chain data, video, and other critical – often personal – data WILL be assembled and analysed at eye-blink speed, changing how applications utilise secure network capabilities.”
Particular types of data were compromised far more frequently than others – including healthcare, from which medical data was 18 times more likely to be compromised than other data. This was in line with the recent statistics around Australia’s Notifiable Data Breach (NDB) regime, which found healthcare organisations were by far the most frequently-breached type of organisation.
Among the DBIR’s other key findings were the revelation that 23 percent of breaches involved actors identified as being nation-state or state-affiliated. That had translated into a dramatically different threat profile for public-sector organisations, which suffered 23,399 of the incidents in the report.
Public-sector breaches were more than 2.5 times as likely to go undiscovered for years, the report’s authors noted, while incidents in this industry sector accounted for 79 percent of all breaches involving external actors – up 17 percent over the previous year.
Amidst this changing cybersecurity threat landscape, Fischer said that organisations as ever faced an obligation to craft and execute an appropriate tailored response.
“Security must remain front and centre when implementing these new applications and architectures,” he said, “and technical IT hygiene and network security are table stakes when it comes to reducing risk. It all begins with understanding your risk posture and the threat landscape, so you can develop and action a solid plan to protect your business against the reality of cybercrime.”