Phishing and credential theft associated with cloud-based mail accounts have risen as the prominent attack types.
Frequency: 670 incidents, 157 with confirmed data disclosure
Top 3 patterns: Web Applications, Everything Else, and Miscellaneous Errors represent 81% of breaches within Professional Services
Threat actors: External (77%), Internal (21%), Partner (5%), Multiple parties
Actor motives: Financial (88%), Espionage (14%), Convenience (2%) (breaches)
Data compromised: Credentials (50%), Internal (50%), Personal (46%) (breaches)
Wide range of services, narrower range of threats
Professional Services is a broad category even by NAICS standards, and the members of its ranks include law offices, advertising agencies, and engineering and design firms to name only a few. Starting with a focus on the data lost in the 157 Professional Services breaches, Figure 56 gives us an idea of the types of data most commonly involved in these cases.
We see an overall increase in Personal data and Credentials breached. A lot of this comes from breaches now compromising multiple data types at the same time. Often, credentials are the key that opens the door for other actions. Figure 57 shows that most of the time, it’s on the way to compromise Internal and/or Personal data. This is indicative of gaining access to a user’s inbox via webmail login using stolen credentials.
Sometimes you just have to ask
Credentials compromising email...sounds a lot like Business Email Compromise doesn't it? Figure 58 provides ample evidence that BECs are an issue for Professional Services. Financial staff were the most likely to be compromised in incidents involving fraudulent transactions, but it should be noted that executives were compromised in 20 percent of the incidents and are 6x more likely to be the asset compromised in Professional Services breaches than the median industry. You have to hand it to the attackers. At some point one must have thought “why don’t we skip all the hard hacking and just, you know, ask for the money?”
Paths of the unrighteous
To wrap up, Figure 59 illustrates the single step Misuse and Error breaches, but also shows us the Social and Hacking breaches that take slightly longer to develop. All of it provides excellent immediate teaching moments for any organization.
Things to consider
One is the loneliest number
We don’t like saying it any more than you like hearing it, but static credentials are the keys. Password managers and two-factor authentication are the spool pins in the lock. Don’t forget to audit where all your doors are. It doesn’t help to put XO-9’s on most of your entrances if you’ve got one in the back rocking a screen door.
You know a great way to capture credentials? A social attack. At least we know where it’s coming from. Monitor email for links and executables (including macro-enabled Office docs). Give your team a way to report potential phishing or pretexting.
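One way to put that monitoring advice into practice, as an added example that is not part of the report: a small mail-scanning routine that flags links in the body, attachments with executable or macro-enabled extensions, and, going one step further than extension checks, any OOXML attachment whose zip contains a VBA project even when it is renamed to a plain .docx. The watch-lists, the example.invalid addresses and the sample message are all constructed for this illustration.

```python
import base64, io, os, re, zipfile
from email import message_from_string, policy

# Assumed watch-lists; tune them for your own environment.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}
EXEC_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML zip carrying a VBA project, whatever its extension."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def scan_message(raw: str) -> list[str]:
    """Walk one RFC 5322 message and report links and risky attachments."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        fname = part.get_filename()
        if fname:
            ext = os.path.splitext(fname)[1].lower()
            payload = part.get_payload(decode=True) or b""
            if ext in EXEC_EXTS:
                findings.append(f"executable attachment: {fname}")
            if ext in MACRO_EXTS or has_vba_project(payload):
                findings.append(f"macro-enabled Office attachment: {fname}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            findings.extend(f"link: {u}" for u in URL_RE.findall(part.get_content()))
    return findings

def build_sample() -> str:
    """Constructed sample: a '.docx' that hides a VBA project, plus a login link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in macro blob
    att = base64.b64encode(buf.getvalue()).decode()
    return ("From: accounts@example.invalid\nSubject: Invoice\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
            "Content-Type: text/plain\n\nPlease sign in at http://portal.example.invalid/login\n"
            "--b1\nContent-Type: application/octet-stream\nContent-Transfer-Encoding: base64\n"
            f'Content-Disposition: attachment; filename="invoice.docx"\n\n{att}\n--b1--\n')

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The same scan can be wired to a mail gateway's journaling stream or run over an mbox export, and each finding string maps naturally onto a ticket for the reporting channel mentioned above.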
To err is human
Set your staff up for success. Monitor what processes access personal data and add in redundant controls so that a single mistake doesn’t result in a breach.