Date: 2021-05-19

Even the casual observer who pays some attention to the world’s goings on knows that the time has long passed since we awoke to a day without any cybersecurity incidents. I suppose it’s a little like pollution. We know it’s there, we cannot escape it, though it rarely if ever has a direct impact on us that changes our day-to-day. We acknowledge that the lakes and rivers where we swim or fish are less than pure. We can see that power plants exhaust questionable microparticles. And, we jump aboard the superhighway of information in one form or another, despite the pervasive nature of security and privacy risks. These things, negative as they are, simply wend their ways into life. We accept, or deny, or in the worst cases are compelled to deal with them.
It’s in the middle ground—denial, maybe ignorance—where security types are most excitable on the public’s behalf. When you, one of billions of stopping points along the superhighway, are in denial or are oblivious to the risks inherent to cyberspace, you tend to put all of us at risk as well. Part of my charge, and part of why I was so thrilled years ago to be given this forum, is to continually help us all better understand, and therefore avoid, these risks. Today, I will share some information, “intelligence” if you can see how this good-versus-evil play is characterized, about the state of cybersecurity.
Three or four times each year there are three or four highly credible, well versed, deeply involved organizations that publish an annual report, of sorts, that describes the state of our security and privacy. No matter the outlet or time of year, it’s never a glowing report. I’ve never reviewed one of these and thought, “Phew! Things are finally clearing up in cyberspace and I don’t need to worry about fraud, waste, theft, and abuse online.” Nope. If anything, the “phew” is because despite the onerous tones of these reports, my own digital life hasn’t yet been upended, and I’ve not yet felt the need to buy cybersecurity insurance, a thing that in some years’ time will be no less common than homeowner’s or renter’s insurance.
I’ve discussed others in the past, and most all of them in my classrooms, but today I’ll share the intel from Verizon’s 2021 Data Breach Investigations Report (DBIR). Its headline statement about the report ends with “a year of unprecedented security challenges.”
Verizon examined more security breaches than ever for this year’s report. That’s as likely to be because there’s more activity than ever—with tens of millions of workers operating from their homes—as it is because Verizon went and redoubled its investment in producing the report. Nearly 30,000 incidents were examined. Those, by the way, were not the field of breaches but rather their statistically significant sampling of, simply put, internet transactions or communications, each of which being subject to potential security shenanigans. Verizon refers to that field as “quality incidents,” rather ironically in this reviewer’s mind. Of those 30,000 quality incidents, over 5,000 breaches occurred having been the work of 83 distinct scofflaws. That breach rate is up around one-third from last year’s results.
Within that subset of illegal and fraudulent activity, two types of cyber-attacks appeared on the rise since the past report in 2020. Phishing schemes were up 11 percent, and ransomware was up six percent. These sometimes go hand-in-hand, which is a different metric. Both phishing and ransomware result in potentially devastating ends. Most well publicized hacking narratives—think Target, Blue Cross/Blue Shield, Equifax, or Sony—begin with a phishing expedition. In these cases, a hacker convinces Joe or Jane User that a phony email is legit, and then tempts them to click a weblink included in the spurious message. The link appears to be bona fide, useful even. In the best ironies, the link purports to heighten security once clicked. Good one, hacker.
Ransomware also tends to begin with a phishing act, though the results are pointed after the bait’s taken. The unwitting user who clicked the link launched an encryption program that takes all the affected information and scrambles it to the point of being unreadable or unusable. The recent Colonial Pipeline incident was in this style, and we now know that Colonial paid $5 million in ransom. Also, suspiciously, we now know that DarkSide, the Russian hacker group that orchestrated that attack, claims they’ve now disbanded. Great! Our security woes are over! Mm-hmm.
Verizon’s report stated the obvious, which is that the pandemic’s effects profoundly lent to the year’s expanded breaches. How many times even in this column have you read about the clear, new risks of moving operations from a well-planned and secured office environment to the ol’ homestead where security doesn’t get much more attention than a one-time router password change (if that time even happens)? The report also described the upshot of these trends on the rise. The run-of-the-mill breach cost its victim over $20,000 on average. Nearly all breaches’ costs fell between around $1,000 and $650,000, an admittedly wide berth, which makes risk management a little trickier than if one could count on a smaller range of costs.
If you’re wondering whether you, your business, or your other interests are at risk, the report examined the range of hackers’ targets, too. The regular set of banks, healthcare, and retailers are ever-present, and one of the newest aims in vogue comprises public agencies, the government in a word. We in America, alongside the other 22 nations in North America, tend to be more of the financially motivated targets. Most regions face the same drivers—money—though political attacks continue to be in the mix.
All told, not so pretty. Neither is it unexpected. Now, at least, you’re forced to reckon if you’d not already been on guard.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
