A recent report from Verizon Business has highlighted a significant surge in cyberattacks driven by the exploitation of vulnerabilities, accounting for 14% of all breaches in 2023. The report, titled the Data Breach Investigations Report (DBIR), analyzed a record-high 30,458 security incidents and 10,626 confirmed breaches last year, marking a two-fold increase compared to 2022.
A striking finding was a 180% increase in the exploitation of vulnerabilities, propelled by attacks on unpatched systems and devices, including zero-day vulnerabilities, particularly by ransomware actors. The breach of MOVEit software was cited as a major catalyst for cyberattacks, initially impacting the education sector before spreading to the finance and insurance industries.
Despite concerns around artificial intelligence (AI) in cybersecurity, the report suggested that AI was “less of a culprit” compared to challenges in managing large-scale vulnerabilities, offering a potential relief amid anxieties in the sector.
Chris Novak, Sr. Director of Cybersecurity Consulting at Verizon Business, emphasized the persistent threat posed by ransomware actors exploiting zero-day vulnerabilities. Novak highlighted the critical need for enterprises to address basic vulnerabilities promptly, stating that leaving these vulnerabilities unpatched removes any need for threat actors to advance their techniques.
The report also revealed that 15% of breaches involved third parties, including data custodians or software vulnerabilities within the supply chain, marking a 68% increase year-over-year. Additionally, 68% of breaches involved a “non-malicious human element,” such as errors or falling victim to social engineering attacks.
Novak underscored the importance of cybersecurity training, noting a culture shift towards destigmatizing human error and enhancing awareness among the workforce.
The report’s insights shed light on the evolving cybersecurity landscape, urging Chief Information Security Officers (CISOs) to address vulnerabilities swiftly while investing in employee education on ransomware and cybersecurity hygiene.
These findings coincide with recent regulatory actions by the UK government mandating minimum security standards for internet-connected smart devices to mitigate cybersecurity risks. Manufacturers will be prohibited from shipping devices with weak default passwords, such as ‘admin’ or ‘12345’, aiming to bolster cybersecurity across smart devices.
In summary, the DBIR underscores the critical need for organizations to prioritize vulnerability management and cybersecurity training in the face of escalating cyber threats and evolving attack vectors.