North American organizations suffered greatly from financially motivated attacks against their web application infrastructure this year. Hacking via the use of stolen credentials was most commonly seen, with social engineering attacks that encourage the sharing of those credentials following suit. Employee error was also routinely observed in our dataset.
18,648 incidents, 920 with confirmed data disclosure
Everything Else, Web Applications and Miscellaneous Errors represent 72% of all data breaches in Northern America.
External (66%), Internal (31%), Partner (5%), Multiple (1%) (breaches)
Financial (91%), Espionage (5%), Grudge (3%) (breaches)
Personal (43%), Credentials (43%), Other (35%), Internal (21%) (breaches)
The region designated as Northern America consists of the United States and Canada, as well as some outlying islands such as Bermuda.
There are a couple of factors that need to be kept in mind when looking at the findings below. First of all, this region accounts for 69% of all incidents and 55% of all breaches in our dataset this year. That does not mean that good security practice has disappeared into the Bermuda Triangle, though. Northern America has arguably some of the most robust data reporting standards[46] in existence, particularly in Healthcare and Public administration. Therefore, the numbers of incidents and breaches are likely to be higher than in areas with less stringent disclosure requirements. Also, it must be admitted that while this report is becoming increasingly global in scope, many of our contributors are located in and are primarily concerned with Northern American organizations. As a result of these factors, outcomes for the North American region are not too dissimilar from the findings for the overall dataset. Nevertheless, there are a few interesting differences and highlights worthy of discussion.
Phish and whistle, whistle and phish[47]
Everything Else is the top pattern for this region (Figure 117). That is due in large part to the number of financially motivated phishing attacks that we see across so many industries (Figure 118). In the past, we have observed that security awareness training can help limit the frequency and/or impact of phishing attacks. However, in some instances this training appears to be either not carried out at all, or delivered in an insufficient or inadequate manner. Whatever the reason, telling employees not to click phishing emails can be as effective as yelling “ear muffs” when you don’t want your child to hear something unpleasant.
Get your head out of your…cloud
Web app attacks also loom large in Northern America. The majority of these attacks are carried out via the use of stolen credentials (Figure 119), which are then used to hack into web-based email and other web applications utilized by the enterprise (Figure 120). We have mentioned in past reports that, with the growing trend of businesses moving toward cloud-based solutions, we could expect the use of stolen credentials to increase proportionally. This does seem to be the case.
See - this is why we can’t have anything nice
You don’t need external actors to harm your organization as long as your employees are willing to do their work for them. The number of internal actors is somewhat high (30%) this year for this region and for the dataset as a whole (Figure 121). This is explained by the prevalence of Error and Privilege Misuse actions. Both are caused by internal actors and both can be very damaging to an organization, but while error is unintentional, misuse can be (and often is) malicious in nature.
Let’s take a quick look at the Error actions. As you can see in Figure 122, the vast majority of all error-related breaches are caused by Misdelivery (sending data to the incorrect recipient) and Misconfiguration (i.e., forgetting to secure a storage bucket). For whatever reason, these Error types seem to be the peanut-butter-and-jelly sandwich of the breach world this year. Perhaps Internal actors are simply too busy trying to perfect their Renegade dance on TikTok these days; we do not know for sure. Whatever the reason, these errors are found in every industry and region, and in alarmingly large percentages. As mentioned elsewhere in this report, the vector for these errors is almost entirely carelessness on the part of the employee.
Turning our attention to Misuse, we see a proliferation of Privilege abuse (56%). This is using legitimate access for an illegitimate purpose. Somewhat farther down the ladder, we see approximately equal percentages of Data mishandling and Possession abuse (Figure 123). No matter how you view it, this region would benefit from increased controls for Internal actors.
[46] This is largely due to the robust data breach notification laws passed over the years, such as California S.B. 1386 passed in 2002, which served as a blueprint for other states in the U.S. and has now been augmented by the California Consumer Privacy Act (CCPA) in the Golden State.
[47] We hope you will allow us a paraphrase of the words of the great John Prine. He will be sorely missed.