UPDATED 22:27 EDT / MAY 19 2020

SECURITY

Here’s what security professionals took away from Verizon’s annual data breach report

The chance of financial gain is driving cyberattacks more than ever, motivating 86% of data breaches now compared with 71% last year.

That’s according to Verizon Communications Inc.’s annual data breach report, released today, which presents a range of findings on the cybersecurity and cybercrime landscape. The Verizon Business 2020 Data Breach Investigations Report analyzed data based on 32,002 security incidents and 3,950 confirmed breaches across 81 countries.

A full copy of the 2020 findings can be found here, but these are the main takeaways from cybersecurity professionals and privacy advocates based on the report:

Casey Ellis, chief technology officer and founder of crowdsourced cybersecurity platform provider Bugcrowd Inc.:

The 2020 Verizon Data Breach Investigations Report is a yearly staple for the security industry, and this year’s report is no exception. According to the report, 43% of breaches were attacks on web applications, more than doubling the results from last year. Organizations need to understand the importance of knowing their infrastructure because web applications provide easy entry points for cybercriminals. Web applications are what we interact with as users, but it’s more than that: The technologies and infrastructure which power the businesses we rely on are ever-increasingly built on top of web technologies.

With cybercriminals utilizing hacking techniques to exploit web applications, whitehat hacking can be an advantageous way to mitigate exploits and improve organizations’ cyber postures. 70% of breaches involve hacking; the same philosophy can be applied to defending organizations by implementing crowdsourced security. Whitehat hackers think like our adversaries, but want to do good, helping organizations find vulnerabilities before the bad guys do. Web application vulnerabilities have always been the top submitted vulnerabilities (90%) across our programs and correspondingly account for the highest percentage of overall rewards paid.

Balaji Parimi, chief executive officer at Infrastructure Authorization Administration company CloudKnox Security Inc.:

The Verizon DBIR validates something we’ve been seeing for a long time – that cloud storage misconfigurations are on the rise and emerging as one of the top threats to cloud infrastructure. Managing cloud infrastructure is very complex and the unprecedented levels of automation leave a lot of room for these types of mistakes. Enterprises need to adopt a prevention-first approach, by making sure that only properly trained personnel have the permissions to perform such risky operations. AWS and other cloud providers are touting this as one of the top security priorities to address this misconfiguration problem.

Chris Rothe, co-founder and chief product officer at threat detection firm Red Canary Inc.:

One trend that we see continuing in this report is the decline in the use of malware in breaches. It is down to 17% this year from 28% last year. Attackers continue to adapt to a world where defenders have made it more difficult to use malicious binaries through living off the land techniques. This is why the need for behavior-based detection and great security operations are paramount for defending against modern attacks.

Not surprisingly, phishing was involved in nearly one-quarter of breaches. In our work, we find phishing as the most prevalent delivery mechanism by far. Phishing is a great example of something that cannot be fully prevented. Because email is a critical business function, it has to be optimized for its business function and not security in most cases. There are many strategies IT teams can use to reduce the number of successful phishing attackers (email blocking, stripping and analyzing attachments, awareness training, etc.) but there is no 100% solution.

Mark Bower, senior vice president at data-centric security provider comforte AG:

The report shows the Great Digital Train Robbery is alive and well. External, multi-faceted and industrialized hacking continues to pepper large enterprises at 72% of overall victims. It’s no surprise that web application patterns, around 45% of attacks, expose technology services firms, retail, financial and insurance services and professional services most to compromise. They are the highest aggregators of highly sensitive data with substantial third-party data sharing risk. Personal data theft is trending up, now 49% of retail breaches, overtaking payment data at 47%, putting privacy regulation risk high on the compliance agenda. 70% of breaches were from external actors, insiders 30%, and humans left doors open in 22% of cases. In a world quickly moving to post-COVID-19 cloud IT, now 24% of investigated breaches, enterprises have no choice but to modernize data security strategies to neutralize data from attack or become a victim.

The numbers don’t lie – the barrier between attackers and valuable sensitive data can be broken, enabling rapid data theft and abuse unless the real data has no value in the attacker’s hands. Industries that progressively shielded data with contemporary security measures like data tokenization and encryption showed a strong decline in breach impact (POS attack incidents trended close to zero), but attackers followed the path of least resistance – to online compromise opportunities – now 50% of retail breaches.

Chris Hauk, founder and consumer privacy champion at privacy team Pixel Privacy:

While popular media like movies may point toward internal attackers for corporate data breach attacks, the greatest amount of attacks were launched by outsiders, mainly working for organized crime, and not for espionage purposes by actors from other countries. This shows that companies need to harden their defenses against exterior attacks. In a good number of cases, data breaches are due to misconfiguration errors on the part of employees, such as when the system admin accidentally sets what should be private storage to allow public access. This, along with employees clicking malicious links in emails, shows that continuing education of employees on security still has a long way to go. Bad actors continue to target healthcare, and with the COVID-19 pandemic, healthcare will continue to be an increasingly attractive target.

Paul Bischoff, privacy advocate at tech research company Comparitech Ltd.:

The report dispels many commonly held misconceptions about how and why data breaches happen. Many breaches and data incidents are easily preventable. Most breaches are perpetrated by organized crime and are financially motivated, not by internal sources. Hacking through the use of stolen credentials, phishing and errors top the list of actions that lead to breaches. Web applications are the most common hacking vector through which criminals obtain stolen credentials. Although ransomware often makes the news, password dumpers that steal hashed passwords which can then be brute-forced are the most common type of malware that leads to data breaches. Malware in general is on the decline when it comes to data breaches.

Rick Holland, chief information security officer and Vice President Strategy at digital risk protection provider Digital Shadows Ltd.:

One thing that strikes me about this year’s DBIR report is that the data set is pre-pandemic. The “current state of security” is dramatically different today than it was two months ago. I’m very interested to see how the new remote working paradigm impacts next year’s report.

It is essential to understand the data set and limitations for any reporting. The fact that the DBIR’s primary analytical data focus is from the 2019 caseload doesn’t devalue the report; there are still many year over year trends that are useful for defenders. Also, the DBIR should serve as one of many data points in your risk management strategy, which should be complemented by an organization’s own internal incident and breach reporting.

Chris Morales, head of security analytics at artificial intelligence threat detection startup Vectra AI Inc.:

What I think the Verizon DBIR shows is who is targeting what industry and what they are doing. Attribution is interesting in the sense it paints a picture of who is behind a breach and what they do. The motives behind an attack tend to be consistent for each industry as does the risk and data in those industries.

However, what happened last year will only paint a partial picture of the tools, tactics and procedures being implemented now in what is a dramatically shifted threat landscape over the last few months. A threat landscape that might be more permanent than temporary.

For example, an increase in the use of SaaS like Office 365 and Zoom for intrusion and lateral movement techniques. The higher obfuscation of command and control and data exfiltration in companies that previously would never allow remote work from home.
