Financial gain is the highest motive for External actors, with Web Applications being 39% of breaches. Error among employees is another issue for this sector, particularly with regard to Misconfiguration and Misdelivery. While Credentials are a desirable target, it is Personal data that is most frequently stolen here.
Frequency: 107 incidents, 66 with confirmed data disclosure
Top patterns: Web Applications, Miscellaneous Errors, and Everything Else represent 83% of breaches
Threat actors: External (68%), Internal (33%), Multiple (2%) (breaches)
Actor motives: Financial (60%–98%), Espionage (0%–28%), Convenience/Fear/Fun/Grudge/Other/Secondary (0%–15% each) (breaches)
Data compromised: Personal (81%), Other (42%), Credentials (36%), Internal (25%) (breaches)
Top controls: Boundary Defense (CSC 12), Implement a Security Awareness and Training Program (CSC 17), Secure Configurations (CSC 5, CSC 11)
Data Analysis Notes
Actor Motives are represented by percentage ranges, as only 12 breaches had a known motive. Some charts also do not have enough observations to have their expected value shown.
Break on through to the other side
The Other Services (NAICS 81) industry is also new to the report this year. This NAICS code is one of several that are surprisingly broad, covering everything from various personal and repair services to non-profit religious and social benefit organizations. Oddly enough, it even includes a subcode (814) for private households, but those are not represented in this dataset. For an incident to be eligible for inclusion in the DBIR, there must be a victim organization—since that is where the laws focus, and where the controls are most likely to have good effect. As we have mentioned in the other new sections, while this is the first year we are including this industry in the report, we have data going back a few years on this sector.
Jockeying for that Top Spot
The top breach patterns in this industry were Web Applications attacks, Miscellaneous Errors, and Everything Else. When looking at the incident patterns (not confirmed data breaches), the patterns remain the same, albeit in a different order.
The main change from last year’s data for this vertical is the drop in the Cyber-Espionage pattern. Last year it held the first place slot in the footrace, and you can see from Figure 82 that it has since told the other patterns “go on ahead, I’ll catch up” as it struggles to catch its breath. Consistent with this change, we’ve seen the variety/motivation of the External actor breaches transform from State-affiliated/Espionage into Organized crime/Financial. It seems the people who like to go after data for the sheer joy of monetizing it have found a friend in this sector.
The Web Applications attack pattern includes the Hacking actions, and the favored action variety tends to be the use of stolen credentials. It makes sense—who wouldn’t like credentials when trying to break into someone else’s computer? What burglar would say no to a set of free keys? And while the use of a backdoor or Command and Control (C2) infrastructure is always nice, if you can just waltz in the front door, why exert yourself? Do you enjoy being asked questions?
What can go wrong will happen to me.
The Miscellaneous Errors pattern is all about the mistakes your employees make. Two stand out from the rest in the field of errors for Other Services: Misconfiguration and Misdelivery (Figure 83). Misconfiguration errors are the frenemies of Information Security. These breaches are caused by Internal actors (frequently a system admin or DBA, as they have access to large amounts of data) doing things such as standing up an instance of the data on a cloud platform, but neglecting to put in any security controls to limit access. Once that happens, it is a matter of time before the intrepid security researchers out there find it via their search tools and someone gets a call.
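The misconfiguration scenario just described, a copy of the data stood up on a cloud platform with nothing limiting who can read it, is exactly the kind of thing a policy check can catch before a researcher's search tool does. The following is an added example and not part of the DBIR or of any vendor's tooling; it is written in Python and assumes the access policy is expressed in the AWS-style bucket-policy JSON shape. The bucket name, account id, network range and the three policies are constructed for illustration.

```python
import json

# Constructed sample policies (not from any real deployment), in the AWS-style
# bucket-policy shape assumed here. OPEN_POLICY is the "stood up without any
# security controls" case; SCOPED_POLICY is the same bucket limited to one role;
# CONDITIONED_POLICY grants to everyone but only from one network range.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-customer-export",
                 "arn:aws:s3:::example-customer-export/*"]
  }]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AnalyticsRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-customer-export",
                  "arn:aws:s3:::example-customer-export/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-customer-export/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

CONDITIONED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OfficeOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-export/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
  }]
}""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for the two spellings that mean 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy: dict) -> list:
    """Return one finding per Allow statement whose principal is anonymous.

    A conditioned grant is reported with severity "review" rather than "public":
    a condition may narrow the grant (e.g. to one source network), but whether it
    narrows it enough is a human decision, so it is not silently accepted.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny to "*" (like DenyInsecureTransport) is hardening, not exposure
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "severity": "review" if "Condition" in stmt else "public",
        })
    return findings


if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("scoped", SCOPED_POLICY),
                         ("conditioned", CONDITIONED_POLICY)]:
        print(name, find_public_grants(policy))
```

Run it and the open policy produces one "public" finding, the scoped policy none, and the conditioned policy one "review" finding. The point of the "review" severity is that a wildcard principal behind a condition is still a wildcard principal; the check surfaces it for the admin or DBA who stood the instance up rather than deciding on their behalf.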
Misdelivery, when sensitive data goes to the wrong recipient(s), is the other most common Error in this sector. A good example is when autocomplete in an email To: or Cc: field fills in the wrong party. In other instances, it is the mass-mailing misstep where the addresses are no longer paired with the correct contents. It is never good to have your customer open a letter only to find someone else’s Personally Identifiable Information (PII) inside.
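Both misdelivery varieties above, the mis-autocompleted address and the mass mailing whose contents drift out of step with its address list, can be caught by a pre-send check that confirms each message is going to the person its body is about. The following is an added example, not part of the DBIR; it is Python, and the customer records, the merged message batch, and the assumption that account identifiers look like ACCT-NNNN are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample data (not from the report): the customer file behind a
# mail-merge of account statements, and the merged batch about to be sent.
# Message 2 is the "addresses no longer paired with the correct contents" case;
# message 3 is an autocomplete near-miss to an address that is not a customer.
CUSTOMERS = {
    "alice@example.com": {"name": "Alice", "account": "ACCT-1001"},
    "bob@example.org":   {"name": "Bob",   "account": "ACCT-1002"},
    "carol@example.net": {"name": "Carol", "account": "ACCT-1003"},
}

BATCH = [
    {"to": "Alice <alice@example.com>",
     "body": "Dear Alice, your statement for account ACCT-1001 is attached."},
    {"to": "Bob <bob@example.org>",
     "body": "Dear Bob, your statement for account ACCT-1002 is attached."},
    {"to": "Carol <carol@example.net>",
     "body": "Dear Bob, your statement for account ACCT-1002 is attached."},
    {"to": "Alice <alice@example.co>",
     "body": "Dear Alice, your statement for account ACCT-1001 is attached."},
]

# Assumed identifier format for this example: account numbers look like ACCT-NNNN.
ACCOUNT_RE = re.compile(r"\bACCT-\d{4}\b")


def check_message(msg: dict, customers: dict) -> list:
    """Return the reasons this merged message must not be sent (empty if it is fine)."""
    _, addr = parseaddr(msg["to"])
    addr = addr.lower()
    record = customers.get(addr)
    if record is None:
        # Nothing in the batch should go to an address we hold no record for.
        return [f"unknown recipient {addr}"]
    problems = []
    accounts = set(ACCOUNT_RE.findall(msg["body"]))
    if accounts != {record["account"]}:
        problems.append(f"body references {sorted(accounts)} "
                        f"but {addr} owns {record['account']}")
    if record["name"] not in msg["body"]:
        problems.append(f"salutation does not address {record['name']}")
    return problems


def check_batch(batch: list, customers: dict) -> dict:
    """Map message index -> problems, for every message that fails a check."""
    result = {}
    for i, msg in enumerate(batch):
        problems = check_message(msg, customers)
        if problems:
            result[i] = problems
    return result


def flag_cross_domain_recipients(recipients: list, expected_domain: str) -> list:
    """The single-message case: return recipients outside the domain the sender
    intended, so a mis-autocompleted To:/Cc: entry is surfaced before sending."""
    flagged = []
    for r in recipients:
        _, addr = parseaddr(r)
        domain = addr.rpartition("@")[2].lower()
        if domain != expected_domain.lower():
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    for i, problems in check_batch(BATCH, CUSTOMERS).items():
        print(f"message {i} held back: {problems}")
    print(flag_cross_domain_recipients(
        ["hr@example.com", "Hugh Rogers <h.rogers@example-partner.com>"], "example.com"))
```

The batch check holds back message 2 (body about Bob's account, addressed to Carol) and message 3 (an address the customer file does not contain), and lets the first two through. The cross-domain check is deliberately simple: it does not decide whether an external recipient is wrong, only makes the mismatch visible at the moment the sender can still fix it.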
Finally, we have the Everything Else pattern, which is our version of potpourri. This is where the attacks that do not meet the criteria of the other patterns end up. Not exactly the fragrant flowers of the security breach world, these attacks are frequently made up of phishing attacks in which not a great deal of detail was provided.
The business email compromises also live within this pattern. They typically come in two main flavors: the pretext and the C-level impersonation. For the pretext, there is an invented scenario and usually an attempt to get either an invoice paid or a direct wire transfer to an adversary-controlled bank account. They may compromise the mail account of the executive and wait until the person is traveling to elevate the sense of urgency, and to minimize the ability to contact the person in order to verify the legitimacy of the request. The latter type is when the actor pretends to be a member of the executive suite, but they ask for data rather than a wire transfer. Figure 84 illustrates that phishing and pretexting are still thriving in this vertical. Both of these social engineering actions typically arrive via email.