Breaches are composed of a variety of actions, but Social attacks such as Phishing and Pretexting dominate the incident data (where data disclosure was not confirmed). Cyber-Espionage-motivated attacks and incidents involving OT assets are also concerns for these industries.
Frequency: 194 incidents, 43 with confirmed data disclosure
Top Patterns: Everything Else, Web Applications and Cyber-Espionage represent 74% of breaches.
Threat Actors: External (75%), Internal (28%), Multiple (2%) (breaches)
Actor Motives: Financial (63%–95%), Espionage (8%–43%), Convenience/Other/Secondary (0%–17% each), Fear/Fun/Grudge/Ideology (0%–9% each) (breaches)
Data Compromised: Credentials (41%), Personal (41%), Other (35%), Internal (19%) (breaches)
Top Controls: Secure Configurations (CSC 5, CSC 11), Boundary Defense (CSC 12), Implement a Security Awareness and Training Program (CSC 17)
Data Analysis Notes
Actor motives are represented by percentage ranges, as only 21 breaches had a known motive.
It’s an NAICS mashup
This new section combines the Mining, Quarrying, and Oil and Gas Extraction (NAICS 21) with the Utilities (NAICS 22) industries for a joint view of the incidents and breaches that affected them. We really dug deep, but we were unable to strike oil for an exclusive section for NAICS 21 in this year’s report. (There must be a minimum number of incidents for the statistics to be valid.) However, we believe that this blended section with NAICS 22 will be an electrifying read and hopefully not too dry.
If you review Figure 80, you can see that while Everything Else, Web Applications and Cyber-Espionage seem to be the top three patterns in breaches, it is statistically impossible to tell which one is more prevalent—they simply overlap too much. It’s exciting to have such a diversity of breaches in a brand-new industry section, but it also makes it difficult to focus on precise recommendations beyond “Note to all CISOs: Secure all the things!”
Even so, it is important to point out that the Everything Else pattern, both in incidents and breaches, is dominated by Phishing with mostly financial gain as a motive, including pretexting attacks that were clearly financially motivated social engineering (FMSE) attacks.