Verizon’s 2021 Data Breach Investigations Report (DBIR) analysed over 79,000 cyber security incidents across 88 countries between November 1, 2019 and October 31, 2020. We have summarised findings from the report, focusing on the APAC region, SMBs, and the education and information industries.

Breaches include confirmed disclosure of information to an unauthorised party. These figures do not include incidents, which are defined as ‘a security event that compromises the integrity, confidentiality or availability of an information asset.’

Breaches across the APAC region

Data breaches across APAC were disproportionately targeted at the public sector, with over 50% of recorded breaches occurring in public administration organisations. The mining sector came second, attracting roughly 30% of data breaches in APAC.

The majority of threat actors were external, with nearly all – 96% – of breaches being motivated by financial gain. Just over a third of the attacks led to a verifiable disclosure of data, with the majority of disclosed data being compromised credentials. The breaches were achieved mostly via social engineering or basic web application attacks, rather than anything particularly sophisticated.

This summary is based on 5,255 incidents reported across APAC throughout a 12-month period.

Data breaches in SMB

Verizon’s report examined data breaches for small and medium businesses (SMBs) across 88 countries. Large businesses (those with more than 1,000 employees) reported 307 breaches in 2020. Small and medium organisations (with fewer than 1,000 employees) reported just 263 breaches. Experience tells us that smaller organisations are less equipped to respond to such breaches and may lack the structures to report on the breaches appropriately. We can speculate that the number of breaches in SMBs may be higher than reported, although we have no way of verifying this assumption.

The first thing we noticed while analysing the data by organisational size this year was that the gap between the two with regard to the number of breaches has become much less pronounced. Last year, small organisations accounted for less than half the number of breaches that large organisations showed. Unlike most political parties, this year these two are less far apart with 307 breaches in large and 263 breaches in small organisations.

The report also revealed that small and large businesses experienced similar data breach patterns. Both experienced primarily basic web application attacks and system intrusions.

Miscellaneous errors and web applications primarily impacted small organisations in 2019. The main cyberattack types in 2020 were hacking and malware, including stolen credentials, followed by malware installation.

These findings also show that SMBs are slower in identifying data breaches than their larger counterparts. Larger businesses reported finding breaches in “days or less” in 55% of the cases, while small organisations did so in about 47%.

Data breaches in education

The education sector faced several challenges in 2020, primarily making the shift to remote learning. These challenges presented potential opportunities to criminals, whose attacks aimed to gain access to vulnerable systems and data used by learners.

The total number of incidents in the Education sector was 1,332, with 344 breaches reported.

Social engineering was the leading avenue of entry for threat actors in the education sector. Straightforward phishing emails were frequently enough to compromise an educational institution’s security, emphasising the need to better educate users on recognising such an approach.

Miscellaneous errors were also a common cause of data breaches in the Education sector. The most frequently noted error was misconfiguration of databases, spun up without the benefit of access controls. We see an “open” approach to data in the Education sector to support widespread sharing of knowledge – often a good thing – but not when that openness leads to a threat actor getting access to the wrong data.

The threat actor’s goal in most reported breach cases was financial, similar to the corporate sector.

Data breaches in the Information Industry

Unlike other industries and segments we have reviewed, the Information Industry was less vulnerable to social engineering attacks. We can cautiously attribute this to better levels of cyber education, and tighter security controls overall.

Miscellaneous errors, system intrusions, and basic web application attacks accounted for 83% of breaches in this industry. While the percentage of error-related breaches has not increased in the past few years, it remains a persistent issue in the information industry.

We also noted a relatively high percentage of insider attacks in the Information Industry, an unfortunate outcome of employing technically proficient individuals. Education, for example, only attributed 20% of breaches to insiders, whereas the Information Industry reported close to 40% of breaches as insider attacks.

When analysing the incidents, the findings state that the Information industry reported a high level of Denial of Service (DoS) attacks. DoS alone accounted for more than 90% of external hacking actions leading to a breach.

Lost and stolen devices

Lost, misplaced, or stolen devices easily lead to a data breach. 2020 saw a higher occurrence of breaches related to user devices because people were working away from the office more. More time in an unmanaged environment led to more opportunities to misplace a laptop or phone. This underlines the importance of centralised endpoint management for every device from which users access company information, so that it can be locked or erased if it is physically misplaced.

The problem extends beyond a typical corporate device such as a user’s laptop. In 2020, about 43% of the asset breaches with a known data breach involved media devices, while the remainder involved laptops and desktops.

Cyber security and CT

Since Verizon published their report, we have seen new incidents impact billions of users and some very well known brands. Google Chrome and Microsoft were subject to a zero-day exploit in June 2021. Cyber security software provider Kaseya was hit in July 2021 with a ransomware attack on its VSA servers. And ongoing lockdowns and stay-at-home orders around the world continue to expose data via users who are operating outside corporate networks.

Our team of cyber security experts can work with you to design and implement a robust cyber security strategy with the pressures of today’s world in mind. Visit our cyber security page to learn more about our approach.