If you’ve been following my blogging for several years, you know that I like to cover the Verizon Data Breach Investigations Report (DBIR) every year, which analyzes the reported cybersecurity and data breach incidents for the year. The 2021 Verizon DBIR Report just came out – today!
The 2021 Verizon DBIR report came out this year three weeks earlier than the pandemic-delayed 2020 version. This is the fourteenth year of the report and the seventh year (in a row) I’ve covered it. Hey, I got here as soon as I could!
The report doesn’t start with an interesting quote like it normally does, though the Verizon team does say “Thanks for simply making it through the often frightening and always unpredictable dystopian wasteland that was 2020, and still having enough interest and energy to care about making the world a safer place.”
The report does start with an interesting design on the cover. There are eight pendulums on the cover (a portion of which is shown above), each of which “represents one of the new patterns in the DBIR. The weight of the pendulum represents how often the pattern occurs. The length of the pendulum is how often they are breaches, as opposed to simply incidents. Just like in security, it’s difficult to predict where they’ll be in the future.” Clever, huh?
This year Verizon analyzed 79,635 incidents (barely over half of last year’s total of 157,525), “of which 29,207 met our quality standards and 5,258 were confirmed data breaches, sampled from 88 countries around the world.” As always, they include breakouts for 11 of the main industries, the SMB (small business) section, and they revisit the various geographic regions studied in the prior report to see how they fared over the last year.
The 2021 Verizon DBIR report is also 119 pages (which is exactly the same number of pages as last year’s report – what are the odds?). So, it’s very comprehensive.
Here are a few notable takeaways and stats from the Executive Summary (even that is 19 pages!):
- Ransomware is still on the rise. Ransomware appears in 10% of breaches, more than double its frequency in last year's report. This upward move was influenced by new tactics: some ransomware operators now steal the data as they encrypt it, so an infection becomes a confirmed data breach rather than just an availability incident. That puts Ransomware in third place among the actions causing breaches.
- Vox populi… (might have said too much). Eighty-five percent of breaches involved the human element. Phishing was present in 36% of breaches in Verizon's dataset, up from 25% last year. Business Email Compromise (BEC) was the second-most common form of Social Engineering, which reflects the rise of Misrepresentation, an action that was 15 times more common than last year.
- Errors were (slightly) less of a problem. Errors decreased as a percentage of breaches (from 22% to 17%), although they increased in absolute terms from 883 to 905 breaches. This breaks a three-year streak of the Errors percentage either growing or holding steady.
- Attackers still like your web apps. Attacks on web applications continue to be high: they are the main vector in Hacking actions, accounting for over 80% of the breaches involving Hacking. In addition, Desktop sharing (remote-access software such as RDP) has moved into second place among Hacking vectors.
- Mostly cloudy. Compromised external cloud assets were more common than on-premises assets in both incidents and breaches. Conversely, there was a decline of user devices (desktops and laptops) being compromised. This makes sense when considering that breaches are moving toward Social and Web application vectors, such as gathering credentials and using them against cloud-based email systems.
- What’s the password? Some things never seem to change: Breaches, as always, continue to be mostly due to external, financially motivated actors. And 61% of breaches involved credential data.
- That was quite a year. In August 2020, Verizon speculated that COVID-19 would lead to an increase in Phishing, Ransomware, Errors and Use of stolen credentials on web applications. In the 2021 DBIR, they found they were partially correct: Phishing increased by 11 percentage points and Ransomware by 6 percentage points. But Use of stolen creds and Publishing errors stayed consistent with last year (+1% and -0.5% respectively), while Misconfiguration and Misdelivery decreased as a percentage of Errors (-2% and -6% respectively).
- Breaches have price tags. This year, Verizon attempted a deeper analysis of the impact of breaches on organizations. Using loss data, insurance cost data and stock price data, they modeled the range of losses due to incidents. The good news? Fourteen percent of simulated breaches had no impact. But don't count on that for your organization's security plan. The median for incidents with an impact was $21,659, with 95% of such incidents falling between $826 and $653,587. Of course, some incidents (e.g., SolarWinds and Colonial Pipeline) will likely cost WAY more than that ultimately.
As always, the 2021 Verizon DBIR report is chock full of graphics and statistics which makes it easier to read than the size of the report indicates. You can download a copy of the report (and the Executive Summary if you want to only hit the highlights) here. But I recommend that you check them both out!
So, what do you think? Have you ever experienced any data breaches, either personally or professionally? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.