The report, released this week, examined cyber incidents impacting public and private organizations in 81 countries, with findings that reflect events from November 2021 through late October 2022. It noted that social engineering is becoming more sophisticated across countries and also that the threat of ransomware is holding steady. Public-sector entities also faced off against system intrusions, lost employee devices and bad actors tricking employees — which together were responsible for 76 percent of this sector’s breaches.
The report included data from federal, state and local government agencies, including public safety. Last year, public administration entities faced 3,273 incidents, which Verizon defines as “a security event that compromises the integrity, confidentiality or availability of an information asset.” Of those, 584 developed into full breaches, where data was disclosed.
As noted, breaches in the public sector usually stemmed from social engineering, system intrusions or the loss or theft of assets, like laptops and cellphones. External actors, that is, people from outside the organization, were behind breaches 85 percent of the time, which puts the public sector in line with trends across industries, report co-author Philippe Langlois said during a June 8 public-sector webinar.
Internal actors caused some breaches, but they usually did this by making mistakes rather than deliberately.
“Think of it as largely being error," Langlois said, "with just a little bit of misuse, where people are using their legitimate access to do things that are not approved by the organization, such as looking up their exes or their spouses on government databases.”
And 16 percent of breaches appeared to be conducted by external threat actors “working in concert” with internal actors in the public administration organization, the Verizon report found.
“That is significant, given that we didn’t see multiple actor breaches the past two years in this sector, and in 2020’s report, it was only at 2 percent,” per the report.
Langlois, meanwhile, emphasized that much remains unknown.
“There’s been some slight evidence of collusion, where internal and external actors have been somehow collaborating — we don’t necessarily have all the details,” Langlois said. “It’s slightly higher than it is within the overall industries. But this could also, once again, it could tie to the loss of stolen [assets] or employees intentionally selling their assets or what have you. We don't necessarily have the full details on that.”
Financial gain was the usual motive for attackers breaching public administration entities, accounting for 68 percent of breaches. Espionage was the second most common motivator, behind nearly a third of breaches, while only a sliver appeared to be driven by ideology.
Public entities looking to shore up defenses can implement robust versions of multifactor authentication to reduce potential damage from credential theft, Langlois recommended. They can also reduce risks from lost or stolen devices by applying device encryption and features enabling them to wipe data.
SOCIAL ENGINEERING GETS EMOTIONAL
The Verizon report drew attention to an increasingly popular type of social engineering known as pretexting. Pretexting is different from simpler phishing attacks, which try to trick recipients into clicking malicious links or downloading malicious attachments.
Pretexting, meanwhile, is more elaborate. It uses “an invented scenario that tricks someone into giving up information or committing an act that may result in a breach,” per Verizon’s webinar. It’s also more emotional — a phishing email might urge someone to click a malicious link, on the pretense they need to do so to update their password. A pretexting message might arrive via social media and urge the recipient to send money, on the pretense that it’s from a loved one experiencing an emergency.
One well-known form of pretexting is business email compromise (BEC). In this, for example, a fraudster impersonating a vendor might email an invoice to their client where the bank account number is updated to one actually belonging to the fraudster.
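The invoice-redirection scenario above is usually caught by an accounts-payable process rather than by a mail filter, but the indicators are mechanical enough to check automatically. The following is an added example, not code from Verizon or the report: a small Python checker that parses an incoming invoice email and flags the four tells of a BEC payment-redirection attempt that the text describes or implies. The vendor registry, both sample messages and every address and domain in them are constructed for this illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed vendor registry: the contact name and bank account that accounts
# payable has on file for each vendor's registered mail domain (hypothetical data).
VENDORS = {
    "acmesupplies.example": {"contact": "Dana Reyes", "account": "123456789"},
}

# Phrases that typically accompany a request to redirect payment.
CHANGE_PHRASES = re.compile(
    r"\b(new|updated|changed)\s+(bank|banking|account|remittance|wire)", re.I)
# Bank-account-looking digit runs (8 to 17 digits) in the body.
ACCOUNT_NUMBER = re.compile(r"\b\d{8,17}\b")


def domain_of(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_vendor(from_name, from_dom):
    """Which vendor on file the sender presents as: by registered domain, else by contact name."""
    if from_dom in VENDORS:
        return from_dom
    for dom, vendor in VENDORS.items():
        if from_name.strip().lower() == vendor["contact"].lower():
            return dom
    return None


def check_invoice_email(raw):
    """Return a list of reasons the message looks like a BEC payment-redirection attempt.

    An empty list means none of the indicators fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    vendor = claimed_vendor(from_name, from_dom)

    # 1. Display-name impersonation: the name matches a vendor contact on file,
    #    but the message did not come from that vendor's registered domain.
    if vendor and from_dom != vendor:
        findings.append(
            f"display name '{from_name}' matches vendor {vendor} but sender domain is {from_dom}")

    # 2. Replies are steered to a different domain than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    # 3. The body asks for banking details to be changed.
    if CHANGE_PHRASES.search(text):
        findings.append("body requests a change of banking details")

    # 4. An account number in the body is not the one on file for the claimed vendor.
    if vendor:
        for number in ACCOUNT_NUMBER.findall(text):
            if number != VENDORS[vendor]["account"]:
                findings.append(f"account {number} is not the account on file for {vendor}")

    return findings


def is_suspicious(raw):
    return bool(check_invoice_email(raw))


# Constructed sample: a fraudster using the vendor contact's name from a lookalike domain.
SAMPLE_BEC = """\
From: Dana Reyes <dana.reyes@acme-supplies-billing.example>
Reply-To: danareyes.acme@freemail.example
To: ap@city.example
Subject: Invoice 4471 - updated remittance details

Hi, please note our updated bank account for invoice 4471:
Account 987654321. Thanks, Dana
"""

# Constructed sample: the genuine vendor sending a routine invoice.
SAMPLE_LEGIT = """\
From: Dana Reyes <dana.reyes@acmesupplies.example>
To: ap@city.example
Subject: Invoice 4471

Hi, invoice 4471 is attached, payable to account 123456789 as usual. Dana
"""

if __name__ == "__main__":
    for reason in check_invoice_email(SAMPLE_BEC):
        print("BEC indicator:", reason)
    print("legit message flagged:", is_suspicious(SAMPLE_LEGIT))
```

The checker is deliberately narrow: it assumes the registry of vendor domains, contacts and accounts is trustworthy, and it does nothing about a mailbox that has genuinely been taken over at the vendor, where the From domain, Reply-To and display name are all correct. That case is exactly why the page's advice to verify any bank-detail change out of band, by calling a number already on file, remains the control that matters most.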
Pretexting and phishing both remain significant forms of social engineering. Verizon’s international data found pretexting was used in more social engineering incidents than phishing was, while phishing was involved in more breaches.
U.S. organizations are finding BEC to be increasingly costly. In 2022, the median amount sent in a BEC transaction was $50,000, up from roughly $40,000 in 2021 — at least, that’s among incidents reported to the FBI Internet Crime Complaint Center, which may not capture the full picture.
That said, there’s some recuperation: More than half of victims recovered “at least 82 percent of their stolen money,” per the report. “This illustrates the importance of ensuring that their employees feel comfortable reporting potential incidents to security, since their willingness to do so greatly improves the organization’s ability to respond,” report authors noted.
Against this backdrop, it may not come as a surprise that 74 percent of all breaches Verizon charted in the past year involved a “human element.” Such events see people involved “either via error, privilege misuse, use of stolen credentials or social engineering,” per the report.
This “underlies the importance of having a person-centric security program,” Langlois said.
RANSOMWARE?
The list of ransomware victims keeps growing, with the cities of Dallas and Lowell, Mass., recently counted among them. Many are concerned with where this attack trend is going. But assessing the ransomware landscape and popularity of the attack type is tricky, because too few victims report incidents, said Recorded Future intelligence analyst Allan Liska during a May event. Reporting requirements are frequently absent or “fragmented,” he said, making it hard to get a full picture.
Verizon’s international data suggests that ransomware remains a significant threat but that the rate of such attacks may be leveling off. Across the 81 countries, ransomware figured in nearly a quarter of breaches, 24 percent, roughly the same share seen in previous years, per the report.
The costs of these attacks vary widely. Only 7 percent of U.S. victims who reported to the FBI said they lost money, and the amounts ranged from $1 on the low end to $2.25 million on the high end, said Langlois. The typical loss is rising, though: the report found the median reported loss reached $26,000, more than double the prior year's figure.