Dive Brief:
- The exploitation of vulnerabilities almost tripled as an initial access vector in 2023, fueled in part by the MOVEit breach, Verizon said in its Data Breach Investigations Report released Wednesday.
- Ransomware actors increasingly targeted zero-day vulnerabilities in IT systems, Verizon found. About a third of all breaches in 2023 included some type of extortion, and MOVEit involved Clop ransomware exploiting zero-day vulnerabilities in the file-transfer service.
- The report shows 15% of breaches involved a third party, a category that includes data custodians, software vulnerabilities and direct or indirect supply chain issues. This figure represented a 68% increase from the prior year, Verizon said.
Dive Insight:
The findings highlight the need for enterprise security leaders to find and remediate vulnerable software, and to better educate workers about how to improve their cybersecurity hygiene.
It takes organizations an average of 55 days to remediate 50% of critical vulnerabilities after patches become available, Verizon found. This is based on an analysis of the Known Exploited Vulnerabilities catalog at the Cybersecurity and Infrastructure Security Agency.
“Certainly, keeping up with the patching is proving a huge challenge to organizations, particularly those with complex environments,” said Suzanne Widup, distinguished engineer of threat intelligence at Verizon Business. “These patches must be tested to make sure they don't cause other issues — nobody wants to bring down the critical production systems of their organization.”
Researchers analyzed a record 30,458 security incidents from 2023, as well as 10,626 confirmed breaches — more than double the number during the prior year.
The human element continues to be a major factor in security breaches, too. More than two-thirds of these incidents involve either a person making an error or falling victim to social engineering, according to the report.