Verizon just published the 13th edition of its Data Breach Investigations Report, a document that provides crucial information and perspective on the data breaches that small and large organizations face.
This edition was built from information on 15,525 incidents and covers a total of 16 verticals, examining the most common attacks, actors and actions for each. For the first time ever, the report provides a look at cybercrime from a regional viewpoint, thanks to a combination of improvements in the statistical processes and protocols and data provided by new contributors.
In this article we share the results comparing how data breaches affect small and large businesses.
Does size matter?
The report states “while differences between small and medium-sized businesses and large organizations remain, the movement toward the cloud and its myriad web-based tools, along with the continued rise of social attacks has narrowed the dividing line between the two. As SMBs have adjusted their business models, the criminals have adapted their actions in order to keep in step and select the quickest and easiest path to their victims”.
As the above graphic shows, over 54% of the breaches in small businesses confirmed data disclosure (with credentials and personal information among the most compromised). It's key to underline here that, despite the common belief that internal actors are the weakest link, it has been reported consistently through the years that external actors are responsible for almost 80% of breaches in SMBs.
Top threat actions
When comparing breaches in small businesses and large organizations, the DBIR found a lot of similarities. After all, small businesses now act more like large ones than ever before, “thanks to the proliferation of services available as commodities in the cloud, including platform as a service (PaaS), software as a service (SaaS) and any other *aaS of which you can conceive”.
Breaches have evolved over the past few years. For instance, the 2013 DBIR edition showed that the main threats for larger organizations came from physical tampering (intentional malfunction or sabotage), while for smaller organizations, it was spyware. Nowadays, organizations face the same threats. This year, as seen in the above graphics, phishing is the top threat for both large and small organizations, with the use of stolen credentials and password dumpers also in the top three (only in reverse order).
As reported by Verizon, the top attack patterns for small organizations are Web Applications, Everything Else (attacks such as business email compromise and phishing purporting to be from a company executive who is requesting data or a wire transfer), and Miscellaneous Errors (the many means by which someone you employ can hurt your organization without malicious intent), with none of them emerging as the obvious winner.
Meanwhile, large organizations are contending with Everything Else, Crimeware (garden-variety malware that tends to be deployed by financially motivated criminals), and Privilege Misuse (an act in which an internal actor can ruin both your day and your brand) as their main issues.
When examining timeline data, it’s important to highlight that breaches take months or years to discover in large organizations (Figure 113), while in small organizations (Figure 114) it’s a matter of hours or days. The reasons for this are unclear. On the one hand, large organizations have a much larger footprint and are more likely to miss an intrusion on an internet-facing asset that they forgot they owned, while small businesses have a reduced attack surface, making it easier to spot a problem. On the other hand, large organizations typically have dedicated security staff and are able to afford greater security measures, whereas small businesses often do not. Whatever the reason, there is a rather marked disparity between them with regard to discovery.