Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Verizon DBIR 2024 reveals new threat trends

The number of confirmed incidents and breaches doubled over the previous year, as tracked in Verizon’s Data Breach Investigations Report. Now in its 17th year, the respected publication tracked activity across 94 countries. It analysed almost 30,500 incidents and 10,626 confirmed data breaches.

Among the key takeaways were: vulnerability exploits rose 180 per cent compared to the previous year. Non-malicious human elements were a factor in 68 per cent of breaches. This category is where the user unwittingly causes a breach by making a mistake or falling for a phishing email, and it is roughly on par with previous DBIR findings. Ransomware attacks were the top threat for most industries, accounting for 23 per cent of breaches in the report, although that was still slightly down on last year’s report. Verizon found that organisations can take 55 days to remediate half of their critical vulnerabilities once patches are available.

Covering the findings, SC Magazine gave the example of MOVEit, the zero-day exploit that led to the third-party breach of 1,000+ organisations. Security Week highlighted an encouraging development that growing numbers of users are getting better at spotting phishing. The DBIR found that 20 per cent reported the attempted phish without clicking the link in the suspicious email. Verizon has a summary of the findings complete with at-a-glance graphics (free registration required). The full 100-page report is available here.

Microsoft pivots to prioritising security

Microsoft, the world’s largest software company, has said it’s making security a top priority. In a company memo, CEO Satya Nadella declared: “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.” He said this could mean prioritising security above releasing new features or supporting legacy systems. Microsoft followed this with a blog detailing six actions the company will take as part of its Secure Future Initiative. Those actions are: protect identities and secrets; protect tenants and isolate production systems; protect networks; protect engineering systems; monitor and detect threats; and accelerate response and remediation. Three principles will guide Microsoft’s evolved security approach: secure by design; secure by default; and secure operations.

The development came against a background of serious security incidents at the company that led to a “scathing” reprimand from the US Cyber Safety Review Board. Brian Honan, writing for SANS, commented: “While a welcome move, it is deeply disappointing that it took a breach and the CSRB report for Microsoft to take these steps. The products and services we rely on should already be built with the principles outlined above. One has to wonder how many other vendors are not focusing on security and will only do so in response to a breach of their products/services.”

Some reports speculate that the move could trigger other companies to compete on offering better security. If so, that can only be good news for customers. In related news, 68 tech companies signed up to a new code to make their software products and services more secure. Announced at RSA, ‘Secure by Design’ is a voluntary pledge led by the US Cybersecurity and Infrastructure Agency. Among the companies signed up are AWS, Microsoft, Google, Cisco and IBM.

Data protection and privacy developments

Is public awareness of privacy increasing? Growing numbers of people want to take control of their data, as data subject access requests (DSARs) increased by 246 per cent in two years. That’s from DataGrail’s 2024 Data Privacy Trends Report. The most common request is for organisations to delete a person’s data. Some 80 per cent of DSARs came from jurisdictions that don’t have privacy laws. Here’s HelpNet Security’s writeup of the findings, and the full report is available here.

The European Data Protection Board (EDPB) has launched its annual report, reviewing its work during 2023. Themed as ‘safeguarding individuals’ digital rights’, it covers the adoption of two binding decisions and one urgent decision on common interpretations of data protection law. The report also includes examples of enforcement actions by national regulators. Separately, the EDPB also issued its opinion (PDF) that the pay-or-consent models of large online platforms won’t comply with GDPR requirements for obtaining valid consent.

Links we liked

Trend Micro has a hype-free look at how criminals are using generative AI. MORE

Leviathan’s study could make you think twice about using VPNs for security. MORE

Researchers have assembled the first ever ‘World Cybercrime Index’. MORE

A meta-review of studies that empirically evaluate cybersecurity controls. MORE

(Un)happy birthday to ransomware, which began infecting victims 10 years ago. MORE

And in better news, Chainalysis says fewer ransomware victims are paying up. MORE

The British Library’s ransomware review has plenty of ideas to borrow (ahem). MORE

A case that gives new meaning to the phrase “keeping the lights on”. MORE

NCSC: Consider products on your perimeter at risk until proven otherwise. MORE

Ireland’s .ie domain registry has a guide to cybersecurity for SMEs. MORE
