Here are some key insights into the evolving data breach landscape as revealed by Verizon’s analysis of over 16,000 incidents
Contrary to popular perception, small and medium enterprises (SMEs) are often the target of cyberattacks. That’s understandable, as in the US and UK, they comprise over 99% of businesses, the majority of private sector jobs, and about half of revenues. But if you’re an IT or business leader in a smaller organization, how to do more with less is a critical challenge.
With fewer resources to devote to cyber risk mitigation, the focus must be on effectively prioritizing where they are directed. As ESET’s recent SMB Digital Security Sentiment Report found, 69% of SMBs reported a breach or strong indication of one in the last 12 months, highlighting the need for urgent action.
For this you need hard data. Where do attackers focus their efforts? Who are they? And how successful are they? While there are multiple sources of such information, one of the most rigorous analyses of the threat landscape is Verizon’s annual Data Breach Investigations Report (DBIR). Its newest edition is a gold mine of information that SMBs can use to enhance their security strategy.
Where are the main cybersecurity threats to business?
DBIR 2023 is based on an analysis of 16,312 incidents, of which about a third, or 5,199, were confirmed as data breaches. One of the benefits of this long-running series, now in its 16th year, is that readers can also evaluate current trends against historical patterns. So what stands out in this edition?
Here are some key takeaways for SMEs:
- Attack surfaces are converging: Despite their many differences, SMBs and larger organizations are actually becoming more alike, according to Verizon. Increasingly they are using the same infrastructure and services, such as cloud-based software, which means their attack surfaces have more in common than ever before. In fact, in terms of factors such as the type of threat actor, motivation and pattern of attack, the report’s authors admit “there are so few differences by organization size that we struggle to make any distinction.” For example, system intrusion, social engineering, and basic web application attacks account for 92% of SMB breaches today, compared to a slightly lower share (85%) in large companies with more than 1,000 employees. Additionally, 94% of threat actors are external, compared to 89% in large organizations, and 98% of breaches are financially motivated (versus 97%).
- External attackers are the biggest threat: External threat actors are responsible for 83% of breaches today overall, increasing to 94% in SMB attacks. That compares with 19% of all breaches for which internal actors were responsible, dropping to just 7% for SMEs. Interestingly, 2% of SMB breaches can be traced to “multiple” sources, which Verizon says means a combination of internal, external, and partner actors working in collusion. However, the overall insider risk is minimal for small companies.
- Financial motivation is number one: The vast majority (95%) of breaches were financially motivated, increasing to 98% for SMB attacks. This is a clear indication that organized crime, rather than nation states, is the main threat to small companies. In fact, espionage only accounts for 1% of SMB breaches.
- Humans are the weakest link: The main method of entry into victims’ networks was stolen credentials (49%), followed by phishing (12%) and vulnerability exploitation (5%). This shows employees to be a persistently weak link in the security chain. In fact, humans played a role in 74% of breaches. This can happen through the use of stolen credentials and phishing, or through other routes such as misconfiguration or misdelivery of sensitive data. This also aligns with the ESET SMB Digital Security Sentiment Report 2022, which found employees’ lack of cyber awareness (84%) to be a key driver of risk.
- Business email compromise (BEC) doubles: The volume of “pretext” cases (which Verizon says is similar to BEC) doubled across all incidents since the previous DBIR. That makes pretexting a bigger threat than phishing, though phishing is still more prevalent in actual data breaches. In BEC, victims are tricked into sending large sums of money to attacker-controlled bank accounts. This type of deception is another sign of how important the human factor is in attacks. While there are no specific SMB statistics here, the average amount stolen via BEC has increased to $50,000.
- Ransomware remains a major threat due to soaring costs: Ransomware is now a feature of a quarter (24%) of breaches, thanks to a double-extortion tactic that means data is stolen before it’s encrypted. That share hasn’t changed much from last year, but Verizon warned that the threat is “everywhere among organizations of all sizes and across all industries.” The average cost more than doubled year on year to $26,000, although this may be an underestimation.
- System intrusion tops attack types: The top three attack patterns for SMB breaches are, in order, system intrusion, social engineering, and basic web application attacks. Together they represent 92% of breaches. System intrusion refers to “complex attacks that utilize malware and/or hacks to achieve their goals,” including ransomware.
Using DBIR to improve cybersecurity
The question is how you can turn these insights into action. Here are some best practice controls which can help mitigate system intrusion attacks:
- Security awareness and training programs designed to mitigate a variety of threats, including insider threats.
- A data recovery process that can help after a ransomware attack.
- Access control management, including processes and tools for creating, assigning, managing, and revoking access credentials and privileges. This can include multi-factor authentication (MFA).
- Incident response management to quickly detect and respond to attacks.
- Application software security to prevent, detect, and remedy software weaknesses.
- Penetration testing designed to increase resistance to attacks.
- Vulnerability management to help mitigate other types of threats such as web application attacks.
- Endpoint detection and response (EDR), extended detection and response (XDR), or managed detection and response (MDR), which are used by 32% of SMBs, with another 33% planning to deploy within the next 12 months, according to ESET.
This is by no means an exhaustive list. But it’s a start. And often that’s half the battle.
To learn more about SME perceptions of cybersecurity, including where their evolving security needs are driving them, see ESET’s SMB Digital Security Sentiment Report 2022.