Six Takeaways from the Verizon Data Breach Investigations Report 2021

Verizon’s annual Data Breach Investigations Report (DBIR) is an important source of information about cybersecurity, data protection, and how they can be compromised in practice. The 2021 DBIR report is the 14th in the series but the authors continue to impress by finding ways to improve their research and the presentation of information. Here are some key takeaways from this year’s report.

Breaches due to human error were up in absolute terms, but not as a proportion of all breaches

Last year I wrote about the 2020 DBIR report highlighting how human error is a rising cause of breaches. The authors credibly argued that human error was not becoming more likely in practice; humans do not much change from one year to the next. An increase in the reporting of human error hence reflects changing attitudes towards reporting. In other words, people are confessing to honest mistakes more often, not least because businesses face increasing pressure to tell the authorities about data breaches that might previously have been covered up. The DBIR authors confidently predicted that the trend would continue, with human error being cited as the cause of an increasing share of all breaches. However, that proved not to be the case this year.

Nothing in the data can support my hypothesis, but I suspect the slight rise in the absolute number of breaches blamed on human error was drowned out by increased focus on malicious hackers as the world went into lockdown and ransom seekers stole more of the limelight. The tendency to underestimate the significance of human error was emphasized by Verizon’s researchers still finding that mistakes caused as many data breaches as malware. The relative good news is that breaches caused by human error tend to be identified more quickly than other breaches, seemingly because employees will report them promptly in the hopes of limiting the damage caused.

Some breaches exploit a user’s phone, but many more exploit the user

Mobile phones belonging to users were involved in approximately 1 in 10 reported incidents, though they only featured in less than 1 in 20 of the actual breaches. In contrast, almost 40% of actual breaches involved the compromise of a person and 90% involved the compromise of a server (a single breach may involve compromising multiple assets). The proportion of breaches involving user devices has fallen significantly in the last two years, as best explained by hackers shifting their efforts towards techniques that involve web applications and social engineering. The rising use of the cloud also means that hackers more frequently compromise their victims via external cloud assets.

The greatest security risk relating to mobile phones is the frequency with which they are lost by users. However, the risks posed by malicious URLs in messages and malicious apps should not be underestimated. A business with 10 employees was almost certain to have had one employee receive a message with a malicious URL during the past year. A business with 1,000 employees was almost certain to have one employee who installed a malicious Android application package (APK) on their phone during the year.

The cost of a data breach equals the length of a piece of string

The good news is that many data breaches result in no financial loss. The bad news is that many data breaches result in very considerable financial loss. Ransomware criminals generally adjust their ransoms to reflect the size of the business they have hacked, but otherwise there are no reliable rules for predicting how much a breach will cost. Verizon’s researchers drew attention to the analysis performed by Comparitech of corporate share prices following data breaches, as previously covered by Commsrisk, and drew a similar conclusion that it is not possible to distinguish between cases where underperforming businesses left themselves vulnerable to data breaches and cases where a business underperforms because they suffered a breach. The best projection of Verizon’s team is that the median direct cost of a breach is USD21,659, with only the top ten percent of breaches costing more than USD194,035. These kinds of numbers are not likely to motivate huge amounts of spending on security, which is why it is so important for businesses to make greater effort to evaluate the potential impact of breaches on reputation, sales and share price instead of solely focusing on the smaller but more measurable costs involved in remediation and compensating customers for losses.

Not everything is about banking

Bankers tend to believe the universe revolves around their industry but fewer than five percent of all data breaches involve the breach of the victims’ banking data. This places banking data slightly behind medical data amongst the categories of data most likely to be breached. User credentials were most likely to be breached (this kind of information was compromised in just under 60% of all breaches), followed by personal data such as names, addresses, and social security information. To be fair to bankers, these latter forms of data may then be used as part of the process to access a victim’s bank account. But given all the fuss that the banking industry keeps making about fraudsters tricking victims into revealing their banking details, more emphasis should be placed on the fact that breaches which occur as a result of human error within an organization are significantly more likely to compromise the banking information of customers than breaches caused by criminals.

To make matters worse, 44% of breaches from financial services businesses were caused by employees of those firms, with 13% caused by the simple goof of sending confidential information in emails that were addressed to the wrong recipient. With so many unforced errors, it is little wonder that bankers are trying to preserve the confidence of their customers by repeatedly shifting as much blame as possible to telcos.

A little humor goes a long way; a lot goes too far

There were many jokes written into this year’s DBIR report, with seemingly every other footnote being dedicated to a pun or comic observation about the state of the world. Perhaps this was intended to maintain the attention of inexpert readers with no real interest in the statistics. Whilst occasional levity is welcome, it is a mistake to turn a data-rich report into the script for a stand-up comedian. Initially amusing asides soon degenerated into the repetition of common tropes such as “like your Momma said” or “mmm… cake”. Readers of this report want hard facts, or the closest approximation to hard facts that can be obtained in this domain. Everything else soon becomes a distraction.

The DBIR diagrams demonstrate how to visualize uncertainty whilst retaining mathematical accuracy

I tire of inept discussions about risk that revolve around the differing emotional response that people have when they hear words like ‘probable’, ‘possible’, ‘likely’ and so forth. Science is numerical, not poetic, and a scientific approach to risk management cannot be realized by debating the weight of imprecise words during an evaluation that should be based on the most accurate measurements you can obtain. Even if you have no interest in data breaches, any risk manager could learn a lot from the way this report tackles the difficult art of presenting numerical data about uncertainty to non-expert audiences that might otherwise resort to unreliable words because they have no other intellectual tools at their disposal. More professional risk managers should emulate the writers of the DBIR report by using slanted bars in bar charts to convey the 95% confidence level around a statistic, dot plots to explain distributions in more detail than merely calculating the average and standard deviation, and ‘violin’ charts that turn a misleadingly specific point on a graph into the range of outcomes that might be found in practice.

Final observations

One oddity of the DBIR is that is analyzes breaches by sectors but does not specifically break out telecoms, even though Verizon is a telco. In some respects this is a good sign: despite some negative publicity, telcos have a better record for protecting customer data than many other sectors, so there is less gained by giving them a separate category. Nevertheless, telcos collect and retain huge amounts of personal data compared to most other companies. When telcos do a good job of protecting this data there is a need to highlight successes to balance the times when telcos rightly deserve criticism.

The Verizon Data Breach Investigations Report 2021 is well worth reading in full; it can be obtained from here. Verizon could have just published the whole report to the web, but ironically they require you to trust them with your personal data to download it!

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.