Verizon released its 2019 Data Breach Investigation Report (DBIR) on May 8th. The widely read annual report is considered a primary source for data breach trends, statistics and forecasts. This year’s report is based on data from over 41,000 security incidents and over 2,000 data breaches, spanning 86 countries worldwide, provided by 73 data sources, public and private. The DBIR also contains data from the FBI’s Internet Crime Complaint Center.
The DBIR revealed that C-level executives, who have access to a company’s most sensitive data, are increasingly and proactively targeted by cyber criminals. In fact, the report found that C-level executives were 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than in years past. The DBIR attributed this to working in busy and often stressful business environments where executives often lack focused education on the risks of cybercrime. According to the report, because senior executives are typically time-starved and under pressure to deliver, they quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through.
The DBIR also found that half of organizations are taking months or longer to discover breaches—a “dwell time” that improves adversaries’ ability to siphon funds and obtain intellectual property or credentials. According to Fraser Kyne, EMEA CTO at Bromium, this is due in part to cybercriminals choosing to take a “subtler approach” by “silently gain[ing] access to conduct reconnaissance, insert backdoors, escalate privileges and exfiltrate data. The longer … the time a hacker has unauthorized access to systems – the more dangerous the attack can be.”
This crucial new data shows that companies need to require regular cybersecurity training for all employees, including participation by C-level executives and their administrative staff. Additionally, because hackers are finding new and subtler ways to infiltrate companies’ systems, this training should be updated frequently and cover diligent methods of detecting unauthorized access.
For more information, the DBIR is available here.