Each year the Verizon Data Breach Investigations Report (DBIR) provides an authoritative examination of the confirmed breaches and reported incidents that occurred during the previous 12 months. The report covers breaches suffered by all kinds of organizations, but telcos should draw upon it to understand how to protect their customers as well as themselves. Here are five key takeaways from the recently published 2023 report.
It’s People, Stupid
74 percent of all breaches involved a human element, and 83 percent involved an actor from outside the breached organization. Financial gain was the motive for 95 percent of breaches, and organized crime was behind two-thirds of them.
Only 19 percent of breaches involved an internal actor, and relatively few involved internal and external actors working together. This contrasts with the anecdotal experience of telco staff being targeted with bribes and social engineering as a stepping stone towards compromising the telco’s systems or gaining control of a phone user’s account.
Ransomware Is Bad but Not Getting Worse
Ransomware was behind 24 percent of all breaches covered by the 2023 report, the same proportion as in the 2022 report, though it featured in a slightly larger share of incidents than before. The influence of organized crime becomes especially evident when one considers that data is three times more likely to be obscured than lost.
Your Phone May Be Gone but It Is Not Forgotten
There were around 1,500 incidents involving a lost or stolen mobile phone, and most of those phones were lost by accident. It is tempting to try to improve employee security through training and other forms of awareness-raising, but the loss of so many phones highlights the limits of what can be accomplished by simply telling staff to be more careful. Data on end-user devices should be encrypted at rest, and organizations need the ability to remotely lock and wipe portable devices that have gone missing. That ability only exists if the device was enrolled in management before it was lost, so enrollment has to be a condition of accessing company data, not an afterthought.
Cryptocurrency Is a Magnet for Hackers
The number of breaches involving cryptocurrency has quadrupled since the previous year. Some attacks target the cryptocurrency networks and exchanges themselves, whilst others simply steal the credentials of users so their wallets can be raided.
This finding aligns with the experience of telcos and customers who have been hit by SIM swap fraudsters. SIM swaps often target individuals known to hold large amounts of cryptocurrency, with the fraudster using control of the victim’s phone number to intercept SMS-based authentication codes and password resets, and from there to raid the victim’s cryptocurrency wallet.
With data now being a literal form of money, perhaps it is time to start referring to money breaches as well as data breaches.
The War in Ukraine Has Not Moved the Dials (as Far as We Can Tell)
There has been no significant shift in the number of breaches motivated by espionage or conducted by hackers associated with nation-states. The authors’ explanation is that few organizations are of interest to nation-state hackers, whilst many more organizations are of interest to criminals or have employees who make mistakes.
However, it is always worth retaining a degree of skepticism about whether the data reviewed is truly comprehensive, because other factors may influence the extent to which nation-state hacking gets reported. For example, the region the report labels ‘Asia Pacific’ covers more than half of the planet, yet the number of confirmed breaches for AsiaPac was less than 9 percent of the number reported for North America. 39 percent of reported breaches in AsiaPac were said to be motivated by espionage, a far higher proportion than in any other region. Financial gain was the motive for over 90 percent of breaches in every region except AsiaPac, where it was the stated motive for only 61 percent of breaches. That sits uneasily with AsiaPac telcos observing a surge of smishing and SIM swap fraud, both of which are financially motivated.
Cultural norms have an enormous influence on the collection of data like this, as demonstrated by international disparities in crime statistics. The DBIR is an excellent report but remains reliant on methods of gathering data that do not deliver truly comparable figures from country to country.
Get Your Copy
The Verizon DBIR is well worth a read. If you do not have time to digest all 89 pages then skim through the contents or look out for the webinars involving the authors. However, given that the goal is to encourage good data security and hygiene, it is rather cheeky that the download page presents a registration form asking for your personal data when you do not actually need to provide any. The PDF of the full report can be obtained without registration, from here.