Search
Close this search box.
EPISODE 120
The 2022 Verizon Data Breach Investigations Report (DBIR) Part 2

EP 120: The 2022 Verizon Data Breach Investigations Report (DBIR) Part 2

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

December 6, 2022

Let’s conclude our look at the 2022 Verizon DBIR report. Today we’ll review the data by industry and some other tidbits with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Tags:

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them cr-map.com and klgates.com.

Jake Bernstein: So, Kip, what are we going to talk about today on episode 120 of the Cyber Risk Management Podcast?

Kip Boyle: 120. Man, I love that number. I can't believe we've done 120 episodes. I think that is so cool.

Jake Bernstein: It is Cool.

Kip Boyle: Today is part two of our annual Verizon Data Breach Investigation Report discussion, DBIR.

Jake Bernstein: Yay.

Kip Boyle: Yep.

Jake Bernstein: Excellent.

Kip Boyle: Yep. And okay. So, last time, what did we do? We talked through the first two chapters of the report's overall findings. This is a big report, and we can't possibly cover it all in just two episodes, so we're cherry picking, right? We're bringing, we think, the most helpful conclusions and insights to you. So, today what we're going to do is we're going to briefly discuss the new attack patterns, and then we're going to dive into-

Jake Bernstein: My fault. I didn't actually update that little paragraph there. They're not new this year. They were new last year.

Kip Boyle: Okay.

Jake Bernstein: And I'll take over here for one second. While we are going to dive into the industry-specific numbers, something we didn't do, last year, was actually discuss the patterns. We found it to be, they were complicated, but this year, we are going to talk a bit about the patterns, and so enjoy. Okay, now, Kip, you may commence diving in.

Kip Boyle: Okay. So, they're not new, but it's new that we're talking about them.

Jake Bernstein: Yeah. They were new last year.

Kip Boyle: Right, not this year.

Jake Bernstein: Not this year, though.

Kip Boyle: It's just new that we're talking about them this year. Okay, great. And then, we're going to dive into some industry-specific numbers, and I love the fact that they have industry-specific numbers. There was a report that came out, a few years ago, and they omitted them. And I wrote an email, and I said, "You can't do that. I need that information because I've got customers in different industries." And fortunately, they had made the graphics and everything, but they just, for whatever reason, didn't distribute them with the report. And now, I'm glad to see that it's back all the time.

All right. So, last year, we noticed that the number of attack patterns had decreased. They had nine, and then they went down to eight. And there's no further changes to the patterns, this year, but the frequency of the patterns has changed. So, last year, here's the order. We had social engineering in first place, which was about 30% of the time, followed by basic web application attacks, at about 27%, then came system intrusion, 20%, and then miscellaneous errors, 15%, so that was last year. This year, system intrusion screams into first place. It went from 20%. Now, it's just over 40% of all breaches. Basic web application attacks overtook social engineering, both of them between 20 and 23%, so they're neck and neck, vying for second place. And then, you've got a whole grab bag. Miscellaneous errors, privilege misuse, lost and stolen assets, all hold steady at 15, 5, and 3% respectively, so that's the summary of our attack patterns.

Jake Bernstein: It is. So, okay, they really do provide a lot of data about all these incident patterns. And it's between pages 25 and 48, so here's a big chunk of the report. And actually, I just realized, Kip, I've stolen your section, so why don't you finish this-

Kip Boyle: Oh, no.

Jake Bernstein: ... just so we can stay on track here. Otherwise, I'm going to get real confused. This was too complicated to get confused on who's on what.

Kip Boyle: Who's on first? I don't know. Third base.

Jake Bernstein: Yeah, I don't ... Yeah.

Kip Boyle: Okay. So, last year, we left the exploration of these patterns to a homework exercise for our listeners, but this year, we're going to dig in because it's really important. And as Jake said, there's a glorious symmetry to mentioning it, right now, because last year, when we brought your attention to a brief discussion for using behavioral science to create effective security cultures. We recorded two episodes on that, right? We were so inspired, so that was episode 88 and 89. So, if you go to cr-map.com/88, it'll take you right to that first episode about creating effective cybersecurity cultures, and then listen to them both because I still use them. I still refer to them when I work with customers.

Now, this year, we're just simply going to suggest that you check out appendix C, which is about changing behavior. As the DBIR points out, the involvement of the human element has only decreased by 3%, from 85% to 82%, and strong asset management and stellar vulnerability scanners won't stop this, won't solve the problem. So, there's a great little cheat sheet in the report of how you can evaluate whoever you're hiring to help you change behavior. I'm not going to spoil it, but if you go to pages 98 and 99, you'll find it there. Check it out.

Jake Bernstein: Thank you, Kip. Yes, it is interesting, and it's a great follow-up from last year. Last year is when, as we said, they dumped in that little discussion about behavioral science, and this year they've got, okay, how do you-

Kip Boyle: Yeah. It was a sidebar, but it was amazing.

Jake Bernstein: It was a sidebar. Yeah. Okay, so I'm excited to spend a bit of time with the patterns this year. Don't worry. We're still going to discuss the industry specific data, but of course, we've got what, 100 almost ... Well, not quite. We got 90 pages of this thing left to go, to talk about, and we can only go so deep on it. So, first, what is system intrusion, right? It's spiked. So, I'm going to read the definition from the little table. It's pretty short. System intrusion captures the complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware.

So, that's the definition in the chart, which you can find around page 25. But let's give ourselves a good example, and the DBIR suggests this one, which is a quote. When you think of advanced, persistent threat, APT, or some other form of capable actor, moving across the environment, popping shells, dropping malware, jumping creds, and doing all the fun stuff you would expect from a unexpected red team exercise, that is system intrusion. And that is why the headline for this pattern is a very appropriate, it's complicated. By definition, this is the type of attack that leverages combinations of actions across the social malware and hacking categories, and it also includes all those supply chain breaches and includes ransomware, both of which spiked big time in 2021.

So, let me talk about, if you remember, from last episode, the action varieties and vectors, right? And so, what we're going to do is what a pattern is, is a collection of varieties and vectors, and here they are in order. Backdoor or C2, which is one, if you recall, ransomware, and then backdoor-

Kip Boyle: All by itself.

Jake Bernstein: ... and then a big drop-off to use of stone creds, other, C2 on its own, downloader phishing, exploit vulnerability, Trojan, and capture stored data. These are all varieties of actions. The vectors here begin with partner and software update as the largest contributors, followed by desktop sharing software, email, web application, other, and then more. And yes, I'm not making this up. This is what the report says. These results were greatly impacted by a very public breach that rhymes with polar shins. So, yeah.

Kip Boyle: I-

Jake Bernstein: I know. It's not my fault. It's not my fault, Kip. A direct quote. What are we talking about? Obviously, SolarWinds.

Kip Boyle: I know, but it sounds like something you'd say.

Jake Bernstein: Yeah.

Kip Boyle: So, it's just-

Jake Bernstein: Yeah, it does.

Kip Boyle: ... I'm sorry, but I just have to laugh.

Jake Bernstein: I think that's one of the reasons I love-

Kip Boyle: You could've written this report.

Jake Bernstein: ... It's one of the reasons I love the DBIR is it's so funny.

Kip Boyle: It is. It is.

Jake Bernstein: Okay.

Kip Boyle: It is brimming with mirth.

Jake Bernstein: It is. Okay, so go ahead, Kip.

Kip Boyle: By the way, SolarWinds for anybody who is, for whatever reason, not picking up on polar shins. Okay, so we even have data about the delivery methods of the initial payloads. This is amazing. Unsurprisingly, office documents and email remains the favorite methods because they work, and I just have to sidebar here for a second. I was talking with somebody, the other day, and I said, "How dumb is it that we keep telling people, don't click on unexpected links, and don't open unexpected file attachments, because guess what? There's people out there who, if they stopped doing that, they'd get fired from their jobs. Internal recruiters getting resumes, sales people receiving purchase orders, accounts payable folks getting invoices from ... And they all get these from people they don't know, and they all have to open them up, and they're not getting any extra protection from us."

And I just think that's one of the reasons why this continues to happen, so anyway, we've got to get better. All right, now, end of rant. We also have even more data about how ransomware finds its way onto our systems. So, we can't promise that this data is still useful because the dataset's old, and then the threat is dynamic, right? But I want you to know this anyway, Jake and I do. 40% of ransomware incidents involve desktop sharing software, again, something like RDP or Team Viewer, something like that. I think Team Viewer is one. 35% involved email. And so, the takeaway here is you've got to lock down your externally-facing infrastructure, even though you hastily erected it, and you shifted your workforce into a remote workforce. But RDP and email are just gaping wounds, and the germs are just rushing in. And we just see it in this data set.

Jake Bernstein: We do.

Kip Boyle: There's way more data in there, of course. Go look at it. But yeah, take care of this, if you haven't already.

Jake Bernstein: Yeah, yeah. And so, there's a whole section about partner supply chains and third parties, as there should be, of course, and I want to point out something that the DBIR points out, is that there was a set of massive events in very late 2020, actually after the cutoff for the DBIR data collection for last year. So yes, those events and a couple other ones, Kaseya, for example, in 2021, definitely played an outsized role in messing around with this 2022 DBIR data set, but I agree with the authors. It's important to understand that this is likely just indicative of larger trends in the industry.

And to understand all of this, the DBIR is trying to understand third-party and supply chain breaches, which it turns out isn't easy. For better or for worse, the DBIR's methodology of coding incidents based on the victim, does create some challenges because there's this one victim, one incident mindset that conceals the true interconnectedness of this type of event. Now, I will say, as they do, that data collection practices appear to have been changing, and I think we're going to get better data, going forward. But here's what we have. So, third-party breaches only represent 1% of the breach data that we have, right now, but there are some interesting clues that emerge anyway. The top two action varieties are, of course, use of stolen credentials and ransomware. It's interesting, even if it's not very surprising.

Kip Boyle: Even the Target credit card data breach, from way back in the day, was stolen credentials from an HVAC service provider, so this has been going on for a long time. Okay. And then, we have the supply chain vector. So, the DBIR defines supply chain breaches as a sequence of one or more breaches chained together, which that's kind of vague. But okay, we'll go with it. And this can show up as a breach with secondary victims, as viewed from the primary victim's breach, or where the partner was the vector, which is true when we see it from the secondary victim's breach. So, for example, when a compromised software vendor is used to push a malicious update to an organization, and it results in a breach, or a generic partner breach, where a partner is compromised, and either a set of credentials or some trusted connection is used to gain access. Now, due to the SolarWinds hacks. I'm sorry, polar shins hack.

Jake Bernstein: Yeah, yeah. Polar shins.

Kip Boyle: The data is heavily skewed towards the backdoor or C2 and also backdoor as a standalone area because, of course, that attack involved pushing a backdoor to compromised servers. Way more information in the report, if you want to dive into it.

Jake Bernstein: Yep. And okay. So, before we move into our industry data discussion, I do want to point-

Kip Boyle: Which we will get to.

Jake Bernstein: ... which we will get to. I do want to point out what I think is a scary statistic. The action variety called exploit vulnerability has doubled, year-over-year. It was only 3.5%. Now, it is 7%. You may be thinking, eh, I don't care. That's a small number. But consider this. The exploit vulnerability action variety is one of the few entry points that does not involve any human element, and the takeaway from this section, which pages 31, 32, if you want the citation, is that the real story here is in the "long tails".

So, whenever you have statistics, you always have this mythical, median organization that doesn't actually exist in real life, and this is a good example of how this is true. The median organization in the dataset had basically no vulnerabilities, but yet, I just told you that the exploitation of vulnerabilities doubled in frequency to 7%. So, how does this make sense? And here's how it makes sense. The organizations that are several standard deviations from the median had plenty of vulnerabilities, and that's who the bad guys are looking for. And why can they look for you? Because discovering vulnerabilities is an automated process.

Kip Boyle: That's right.

Jake Bernstein: Super easy, right?

Kip Boyle: It doesn't matter how big you are.

Jake Bernstein: And the report, and just going to have to take their word for it because I don't understand all of this stuff involving the genie coefficient, but they do say we're getting better at patching faster and more effectively. And you should probably try to read that and try to understand it, but the really interesting part is that there is still a healthy amount of vulnerabilities out there that just don't get fixed. And as a lawyer, I look at that and say, "Man, I really don't want to have to represent you, if that's you, because it's just going to be so hard to defend."

Kip Boyle: It's unreasonable.

Jake Bernstein: It's unreasonable, exactly.

Kip Boyle: Yeah, it really is. And I'm sorry for throwing all the standard deviations and coefficients at you. If you're not steeped in advanced statistics or even basic statistics, for that matter, your eyes are glazing over. But honestly, it's important that the DBIR does mention these concepts because it's a way for you to know that this is a real report and not just a thinly veiled marketing piece because they went out and asked a bunch of people a few questions, and there's not a lot of real, statistical science behind it. That's one of the reasons why DBR is so awesome, is because it is a real research report. It's data driven, and it's wonderful.

Okay. Now, time for the industry data and the big picture here. So, the DBIR explains, at some length, why you shouldn't look at the raw numbers of incidents and breaches to draw conclusions about the state of security in an industry or a given industry's likelihood of being attacked, for a large variety of reasons. So, there's the caveat, and so, if you check out the data, I want you to keep that in your mind. And in fact, the specific recommendation for any given industry is to check out the top patterns and then go back and check out the patterns section, and we only skimmed the surface of that for useful details. And Jake and I agree that that is the way that you should do it. Now, there's some really neat heat-map-like charts this year, and they're located on pages-

Jake Bernstein: As there always are.

Kip Boyle: Yep, yep. And they're on pages 50 and 51. And this is where you can find the pattern, action, and asset, organized by industry code, and so you're going to need to know what your industry code is. Shouldn't be too hard for you to figure out. For example, this past year, manufacturing, as an industry, by far faced the most system intrusion style attacks that relied on hacking and malware to target servers. And this, of course, goes back to the SolarWinds debacle, but that's okay because this is exposing some real vulnerabilities for that industry. So, man, I really appreciate that the report does that.

Jake Bernstein: Yeah. Yeah, me too, for sure. So, I think that the thing to take away from the numbers and everything is you just got to, again, really just repeating what Kip said, don't draw the wrong conclusions. Read how the DBR looks at it, and I think you'll be well served.

Kip Boyle: Yeah. We don't want you going off in the wrong direction because you did a superficial interpretation.

Jake Bernstein: Exactly. Yeah.

Kip Boyle: Take the time to get it right because this is going to affect your spending decisions and your strategies for some time to come.

Jake Bernstein: It really will.

Kip Boyle: And that would be the opposite of what we want for you, from looking at this report, so go slow.

Jake Bernstein: So, Kip, since I know you have some clients in this industry, why don't you tell us about the financial and insurance industry, which is NAICS code 52, if you really want to know.

Kip Boyle: And if you're in that industry, you do want to know that. By the way, just in case anyone doesn't know, NAICS, that stands for North American Industry Classification System, and it turns out that Europe has a different way of classifying industries. Go figure. And this report doesn't use the European system, so if you are in Europe, or you're trying to manage issues in Europe, you're going to have to do your own translation. And why do I know that?

Jake Bernstein: Why do you know that?

Kip Boyle: Because we've got a big customer in Europe, and we got together with them and explored DBIR. And that's when I discovered just how North American-centric this report can really be. But having said that, NAICS 52, financial and insurance, the top patterns in this industry, which is 79% of all breaches, in total, basic web application attacks, system intrusion, and miscellaneous error. And the threat actors are 73% external, and the primary motive, at 95%, which shouldn't be surprising, is financial. And most of these increases are due to ransomware attacks, and the Willy Sutton quote comes to mind. "That's where the money is. That's why we attack financial services." Now, over time, the DBIR notes an increase in the specific server web application attack profile. It was 12% in 2016, and it's 51% this year. And these attacks very commonly use stolen credentials, which remains the number one action variety in this vertical. Where in the world is all your multifactor authentication, people?

Jake Bernstein: Yeah, I agree. Okay. So, an industry that I have been dealing a lot with recently, healthcare, number 62. Okay, so last year, the top issue was really basic human error, with misdelivery being the most common type of error. Not so, this year. Now, it is, yep, you guessed it, basic web application attacks. Errors are still a major problem. Miscellaneous errors are in second place. But with the rise of what I'm going to start calling BWAA, basic web application attack, the old healthcare insider threat story has kind of taken a hit.

So, system intrusion rounds out the top three, representing 70 inaudible ... So, those top three represent 76% of all healthcare industry breaches. I think that you can take a bit of comfort with the relative decline in the privilege misuse pattern, which is now in last place at around 10% of breaches, whereas it was at 25%, as recently as 2017. So, I think that, once again, same thing I said earlier about the insider threat issue is, I don't know, as an absolute number, if the level of insider threat has decreased, but there is no doubt that, as a percentage of all attacks and breaches, insiders have started to slowly fallen off the charts.

Kip Boyle: Yeah. And I don't know if that's net good or net bad. It is different.

Jake Bernstein: It's just different.

Kip Boyle: And yeah. Yeah. So, one of the things that I do want to say here, as an aside, is these spaghetti diagrams, which show you how things change from year to year, one of the big takeaways that you should have from that is, ta-da, cyber's a dynamic risk, which means they're changing their attacks all the time, and here's a great example of that, where the privilege misuse pattern for healthcare has moved, right? It's in last place, instead of being at 25% in 2017, and it just means that the attackers are shifting in their patterns. And I think that's one of the hardest things for us, as defenders, to keep up with, is the fact that it's not just this steady state, handful of attacks that are always dominant, coming at you. That would be easier-

Jake Bernstein: That would be easier.

Kip Boyle: ... to defend against, quite frankly. Okay, let's look at NAICS 51, which is the information industry, and due to largely because of SolarWinds and Kaseya.

Jake Bernstein: Don't you mean polar shins?

Kip Boyle: Yeah, yeah. I didn't know how to make fun of Kaseya, so that was the blocker there.

Jake Bernstein: Yeah, agreed.

Kip Boyle: System intrusion is now the top spot. That might change next year because the data set is going to be different.

Jake Bernstein: It will.

Kip Boyle: And it's followed by basic web application attacks, BWAA, as you so inelegantly put it, and miscellaneous errors, and collectively, we're talking about 81% of all breaches are due to these items. And like most industries, the threat actors break out on a 75/25, external-to-internal split with the internal actors making mistakes more often than maliciously misusing their privileges. Now, fortunately, errors have declined significantly since they were on the upswing back in 2017, and of course, that means something had to give. And sure enough, malware has seen a measurable increase over the past two years, and you can see this and how the system intrusion has jumped over even basic web application attack and is now in the top spot of this industry, 51.

Another interesting thing to note is the sheer number of action varieties at play in this industry, now that system intrusion is the number one pattern. So, while the use of stolen credentials is the most common, after that, you get to see a legion of varieties, ransomware, misconfiguration, backdoor or C2, and export data all appear at more than 4% of breaches, not just incidents. And given the industry, it really is concerning that external actors typically deliver the news that a breach has occurred. This is in the information industry. And even worse is that in 50% of the cases, it is the bad actors themselves who are alerting the victim to their victim status. And in case you were wondering about denial of service, for the incidents, anyway, this is where it really shows up. 90% of the hacking actions observed were denial of service. So, there's your summary on NAICS 51. How about manufacturing, Jay?

Jake Bernstein: All right. So, NAICS 31 through 33, more change here. So, this industry continues to be, I would say, a solid favorite for espionage. The numbers have gone down, but again, that might also just indicate that the spies have gotten better at staying hidden. So, we got to be careful. It's another, just a constant reminder to be careful with how you ... Statistics are very useful, but if you want to see something, you can probably see it, and that might be wrong. So again, I'm going to say that over and over again.

Kip Boyle: Just be careful.

Jake Bernstein: But this year, the sector also is just an excellent target for those motivated simply by money. Again, thanks to the polar shins crowd, the top patterns this year are system intrusion, basic web application attacks, and social engineering, which combined, account for 88% of all breaches. Now, what's interesting about manufacturing is the rise of the denial of service attack over the years.

While it has yo-yoed up and down from a little bit under 20%, to a previous peak of about 40% in 2018, it is now spiked all the way up to 70% of incidents, again, incidents, not breaches, this year. This is a good reminder to watch that OT side of the house because, in manufacturing, availability equals productivity. That was a great little insight that I took from this year's DBIR. In manufacturing, availability equals productivity, and a DOS attack doesn't have to succeed at a breach to cause a painful, painful incident.

Kip Boyle: Yeah. Yeah. And I would go so far as to say that, in manufacturing, availability equals revenue.

Jake Bernstein: Availability equals productivity equals revenue.

Kip Boyle: Yeah.

Jake Bernstein: And through the transitive ... What is it?

Kip Boyle: Transitive trust property.

Jake Bernstein: Property, the transitive property, yes. A equals B equals C, therefore A equals C. Yes, availability does equal revenue. Agreed.

Kip Boyle: I love it when I use math.

Jake Bernstein: Yeah.

Kip Boyle: Okay. All right. Now, let's move on to a crowd favorite, the professional, scientific, and technical services, which is NAICS 54. And yes, by the way, I think it's funny how the people who made the NAICS system just sort of said, "Oh, let's put all those eggheads in a single category, and we'll give it a long, clunky name, just so they can have a little bit of fun there." So, we'll just call it Industry 54.

All right. 3,566 incidents of which 681 were breaches. So, there's a bit less change in this industry with system intrusion remaining the top pattern, then social engineering and basic web application attacks have flipped compared to last year, but they're still up there. And the BWAA numbers are increasing and social attacks are becoming a bit less prominent. I don't know, maybe-

Jake Bernstein: So, just to be clear. So, last year, the order would've been system intrusion, social engineering, and then basic web application attacks, but this year-

Kip Boyle: Look, if you're going to coin an acronym, use it. I just used it. I'm-

Jake Bernstein: BWAA. Yeah, inaudible-

Kip Boyle: Yeah, BWAA. I'm going to call John Grim, who appeared in episode 95, and I'm just going to say, "John, can you start using BWAA because we're using it now."

Jake Bernstein: It is quicker. Basic web application attack is long.

Kip Boyle: We need some support. We need some support from you. Okay, anyway, sorry. What were you trying to say?

Jake Bernstein: I was just trying to say that the change, this year, was that basic web application attacks are now in second place instead of third.

Kip Boyle: BWAA.

Jake Bernstein: BWAA, yes.

Kip Boyle: Okay. And the DBIR for industry 54 also notes that denial of service attacks are still a major incident type and a significant problem for this industry, even though a denial of service attack rarely leads to a breach. But as we learned with manufacturing, it can equal productivity loss and revenue loss. And if you can't have your internet presence up and running, then when people try to find you, to purchase from you, and they don't find you, they will not purchase from you. So, anyway, it's a bad deal, so-

Jake Bernstein: It's a bad deal.

Kip Boyle: ... there is-

Jake Bernstein: Yeah, and there's a lot of information in there. We're already over 30 minutes, this episode, so I think we're going to wrap it up here, shortly. But really can't recommend enough. We probably didn't talk about your specific industry. There are quite a few. Go check it out. It's worthwhile. And yes, good luck on that.

Kip Boyle: Okay, so there's one more thing. There's always one thing with the DBIR. So, there's the addition of something called a very small business cyber crime protection sheet in here.

Jake Bernstein: I saved this for you, Kip, just for you.

Kip Boyle: Thank you. Thank you.

Jake Bernstein: I thought you'd like this.

Kip Boyle: Yes, it's delightful. And this sheet is targeted at organizations with 10 people or less, and my gosh, there are hundreds of thousands, millions of organizations that actually fit into this bucket. These types of small organizations are particularly vulnerable to going completely out of business from one, single attack because the costs to recovery, they just become out of reach quickly in a situation like this. So, if you fall into this category, and I do. I'm a small business owner, and so opt me in. Jake works at a gigantic law firm, so he's not going to be too interested in this sheet. But it's on pages 75 and 76. You should look at that, and whether that's you or whether you have friends or family members who are in very small businesses, you should hand this to them.

Now, I love the DBIR's top four recommendations, they have 13 of them for avoiding becoming a target, because they highlight how important credentials are and preventing illicit access has become. So, get that multifactor authentication turned on. Stop using the same password or passphrase in multiple places. It should be one site per password or passphrase. And sharing passwords can be an issue, can lead to a lot of problems, so think twice about sharing passwords. That's the second. The third thing is I want you to use a password manager, and then the fourth is I want you to change those default credentials on your point of sale devices, if you have those kinds of things, but default credentials anywhere.

Jake Bernstein: Which a lot do.

Kip Boyle: They do.

Jake Bernstein: You really do. I see it all the time. You go to a coffee shop, small, independent coffee shop. Maybe they just recently bought one of those fancy tablet things. I'm blanking the name.

Kip Boyle: Square.

Jake Bernstein: Square or Clover, I think it is.

Kip Boyle: Yeah, there's other ones.

Jake Bernstein: Now, those all have to be set up, and you got to change the default credentials. You just got to.

Kip Boyle: Yeah. And if you just bought the business from somebody, don't just go, "It's all configured, and I don't have to change anything. I just have to keep using it." I had to do a forensics investigation, earlier this year. Somebody had bought a paint store from somebody else, didn't reset the credentials on the point of sale devices, and it turns out that the prior owners had been eavesdropping into these systems and actually learning who their customers were and trying to divert the business to another location. So, it was an awful business experience for the new owner, and they spent a lot of money trying to capture the correct evidence and launch a lawsuit, to get the sellers to stop doing this. It was ugly, and there you go. That's a real story.

Jake Bernstein: Yeah, interesting. Again, as you said, organizations of 10 people or less, extremely vulnerable. Yeah.

Kip Boyle: And extremely prevalent.

Jake Bernstein: Extremely prevalent, and biggest mistake you can make is assuming I'm too small. Nobody cares about me. We say it all the time. That is not how this works.

Kip Boyle: Yeah, it's not. It is completely economical to attack you, despite the fact that business people tend to think that the bigger the fish I go after, the better, and I get that. But that's just not the way cyber criminals operate, so just got to let go of that. Okay. Guess what? That wraps up this episode of the Cyber Risk Management Podcast. So, what did we do today? Part two of our analysis of the 2022 edition of the Verizon Data Breach Investigations Report because we wanted to see what we could learn and share with you. Thank you for being here, and we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us cr-map.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.