The latest Verizon DBIR report is out and we all should realize, normal is not the new workplace.

Picture this:

You’re logging into the work account after a long weekend of gratitude, remembrance and maybe even getting to hug someone safely.

*Please reset password.*

*Cannot use a previous password.*

*Must be 8-20 characters with one special character and a sprinkling of Latin.*

*Must be written in Haiku form.*

*Your account has been locked. Please try again in 2023.*

*Oops, someone else logged into your account. It’s probably fine, right?*

Okay, we’re exaggerating a little but variations of this scene are playing out all over the country this week. You’re frustrated and you haven’t even gotten started on the work that piled up over the weekend.

And cybersecurity woes are doing more damage than just making you want to throw your laptop out the nearest window.

The latest Verizon DBIR report is out, and – as anyone in cybersecurity guessed – it’s not good news. The report shows that once again, phishing, ransomware and credential theft are on the rise. It makes a clear case for doing a better job protecting users as well as the devices used to access networks.

Here are some highlights (or should we say lowlights):

  • Report analyzes 29,207 quality incidents, 5,258 of which were confirmed breaches.
  • Phishing attacks increased by 11%, while attacks using ransomware rose by 6%.
  • 85% of breaches involved a human element.
  • 61% of breaches involved credentials.
  • Ransomware appeared in 10% of breaches, double the previous year.
  • Compromised external cloud assets were more common than on-premises assets in incidents and breaches.
  • Breach simulations found the median financial impact of a breach is $21,659, with 95% of incidents falling between $826 and $653,587.

That’s…not ideal. The fact that credentials were so commonly used is terrifying, to say the very least.

Here’s a closer look at the findings:

summary of findings

additional findings

Why are things getting worse, not better? For one thing, companies are undergoing digital transformations and shifts to the cloud that make those companies more agile and better suited to the Everywhere Workplace – but also vulnerable, without the right security measures in play.

“As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures” —Tami Erwin, Executive Vice President and CEO, Verizon Business

Phishing and Ransomware once again top the list

The DBIR states that phishing, ransomware and web app attacks dominated data breaches in 2020. This is part of an overall trend that we’ve seen since the pandemic hit. ZNet reports, “Email scams related to Covid-19 surged 667% in March (2020) alone.”

Insights from the report reveal that among 1,148 people who received real and simulated phishes, none of them clicked the simulated phish but 2.5% clicked the real phishing email, reinforcing the need for better phishing simulations and security education training.

percent of people likely to click phishing simulation templates

It’s not just businesses…

The federal government had a tough year when it came to data breaches and ransomware attacks. According to the Federal News Network, in the first quarter of 2020, government agencies saw a 278% year-over-year increase in compromised information, totaling more than 17 million records while institutions were hit with an unprecedented number of ransomware attacks that cost the US government of up to $1.4 billion.

Ransomware attacks are continuing and it is not a minute too soon that that the White House released an Executive order that said it is time to adopt security best practices. Specifically: “Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”

Read more: Ivanti Federal CTO's Take on the Cybersecurity Executive Order

So what can we do?

According to the DBIR, a “significant percentage of victims targeted” were organizations “that neglected to implement multi-factor authentication, along with virtual private networks.” And “the zero trust model for access quickly became a fundamental security requirement rather than a future ideal.”

Translation: the old security methods don’t work in this new landscape. And they’re getting less secure by the day as threats get more sophisticated.

The future is passwordless, and the companies that take the longest to embrace that shift are the ones who will be most vulnerable.

Eliminating passwords through zero sign-on goes a long way toward shoring up security in this new, much more decentralized Everywhere Workplace. Eliminating passwords is also one of the clearest, simplest ways to prevent laptop-through-window incidents.

We’d all like to see a better DBIR report next year – perhaps one marked by a dramatic downtrend in breaches combined with a surge in companies embracing the new business landscape with simpler, more secure access. That’s what we’re working on every day at Ivanti.