Vulnerability exploitation nearly tripled in 2023

The report analysed a ‘record-high’ 30,458 security incidents and 10,626 confirmed breaches in 2023— which it says is a two-fold increase over 2022. A 180% spike in the exploitation of vulnerabilities was as driven by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (known as zero-day vulnerabilities) by ‘ransomware actors’.

The MOVEit software breach was one of the largest drivers of these cyberattacks, we’re told, initially in the education sector but which later spread to the finance and insurance industries.

The report said that AI was ‘less of a culprit vs challenges in large-scale vulnerability management’ – in what it described as a possible relief to some anxieties that surround the burgeoning sector.

“The exploitation of zero-day vulnerabilities by ransomware actors remains a persistent threat to safeguarding enterprises,” said Chris Novak, Sr. Director of Cybersecurity Consulting, Verizon Business. “While the adoption of artificial intelligence to gain access to valuable corporate assets is a concern on the horizon, a failure to patch basic vulnerabilities has threat actors not needing to advance their approach.”

15% of breaches involved a third party, such as data custodians, third-party software vulnerabilities, or other direct or indirect supply chain issues. These types of breaches increased 68% YoY.

68% of all breaches, whether they included a third party or not, involved a ‘non-malicious human element’, a jargonistic term which means a person making an error or falling prey to a social engineering attack.

“The persistence of the human element in breaches shows that there is still plenty of room for improvement with regard to cybersecurity training, but the increase in self-reporting indicates a culture change that destigmatizes human error and may serve to shine a light on the importance of cybersecurity awareness among the general workforce,” Novak added.

15% of breaches involved a third party, such as data custodians, third-party software vulnerabilities, or other direct or indirect supply chain issues. These types of breaches increased 68% YoY.

In terms of the timescales involved, analysis of the Cybersecurity Infrastructure and Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue revealed that on average it takes organizations 55 days to ‘remediate 50% of critical vulnerabilities’ following the availability of patches, while the median time for detecting the mass exploitations of the CISA KEV on the internet is five days.

“This year’s DBIR findings reflect the evolving landscape that today’s CISO’s must navigate-- balancing the need to address vulnerabilities quicker than ever before while investing in the continued employee education as it relates to ransomware and cybersecurity hygiene,” said Craig Robinson, Research Vice President, Security Services at IDC. “The breadth and depth of the incidents examined in this report provides a window into how breaches are occurring, and despite the low-level of complexity are still proving to be incredibly costly for enterprises.”

Other data points in the report include 32% breaches involved some type of extortion technique (including ransomware), over the past two years around 25% of financially motivated incidents involved ‘pretexting’ (a social engineering technique), and the use of stolen credentials appeared in 31% of breaches over the last decade.

Earlier this week, the UK government introduced new regulations mandating that internet-connected smart devices meet ‘minimum-security standards.’ Manufacturers will be banned from selling gadgets with weak and easily guessable default passwords like ‘admin’ or ‘12345’, and if there is a common password, the user must be prompted to change it on start-up.