The attacks in this sector are perpetrated by external actors who are financially motivated to get easily monetized data (63%), internal financially motivated actors (18%) and internal actors committing errors (9%). Web Application attacks that leverage the Use of stolen credentials also continue to affect this industry. Internal-actor-caused breaches have shifted from malicious actions to benign errors, although both are still damaging.
Frequency: 1,509 incidents, 448 with confirmed data disclosure
Top patterns: Web Applications, Miscellaneous Errors and Everything Else represent 81% of breaches.
Threat actors: External (64%), Internal (35%), Partner (2%), Multiple (1%) (breaches)
Actor motives: Financial (91%), Espionage (3%), Grudge (3%) (breaches)
Data compromised: Personal (77%), Other (35%), Credentials (35%), Bank (32%) (breaches)
Top controls: Implement a Security Awareness and Training Program (CSC 17), Boundary Defense (CSC 12), Secure Configurations (CSC 5, CSC 11)
Why is everybody always picking on me?
The Financial and Insurance sector has always had a target on its back due to the kinds of data it collects from its customers. The data shows that the sector remains a favorite playground for the financially motivated organized criminal element again this year. Web Applications attacks are in competition with the Miscellaneous Errors pattern for the top cause of most breaches, as shown in Figure 66. It is a bit disturbing when you realize that your employees' mistakes account for roughly the same number of breaches as external parties who are actively attacking you. Apparently, it really is hard to get good help these days, and you can take that to the bank.
The Misuse action was among the top three causes of breaches for this vertical in last year’s report, but it dropped from 21.7% in the 2019 report to only 8% this year. While this pattern saw a decline in our overall dataset, we are not of the opinion that all employees have suddenly become virtuous with regard to abusing their access. It is more likely that this is simply reflective of a change in contributor visibility rather than a sign of extreme moral rectitude in the workforce.
We switch our focus from malicious actions to those that were unintentional in Figure 67. The most common Error was Misdelivery, which is pretty much exactly what it sounds like: sending information to the wrong person. This can be with electronic data, such as an email sent to the incorrect recipient by an autofill in the “To:” field. Or it can be paper documents, such as a mass mailing that is incorrectly addressed. Both can result in a large breach, depending on what file(s) were attached to the email, or how large the mass mailing was.
The second most common Error is one that has been experiencing a surge in popularity—the Misconfiguration. This occurs when someone (often a system administrator) fails to secure a cloud storage bucket or misconfigures firewall settings. In the case of both Misdelivery and Misconfiguration, the motivation was overwhelmingly carelessness. Good security practices? Ain’t nobody got time for that.
As stated in past versions of this report, we utilize filters in our data analysis for a variety of things, including focusing on a given industry, threat actor type, etc. We also use them to exclude certain subsets of data in order to reduce skew and to help us find trends that might otherwise be missed. However, we do not ignore this data; we analyze it separately in other sections of this report. You can read more about it in our Incident Classification Patterns and subsets section. Specifically, for Finance, there were tens of thousands of incidents in the Botnet subset that were analyzed separately.
The wallflowers of the breach world
Like the shy creatures that line the walls of the middle school dance, those attacks that are shy in providing sufficient detail end up in the Everything Else pattern. Here languish the average, yet successful phishing attacks, and the increasingly common business email compromise in its various forms. Among its many incarnations is the phishing email masquerading as coming from someone in the executive level of the company asking for something of monetary value.
Keep on playing those mind games together
We also see invented scenarios (Pretexting) manufactured in order to plausibly convince the target to transfer money to the attacker’s bank account. Figures 68 and 69 illustrate the popularity of these common social attacks. One key takeaway is that the weakest link in many organizations is their staff. Is it likely that the average user (who was targeted based on their access to data) will challenge a request that appears to be coming from someone who has the authority to fire them? Our data indicates that signs point to no.
The majority of attacks in this sector are perpetrated by external actors who are financially motivated to access easily monetized data stored by the victim organizations. While there remains a small amount of Cyber-Espionage by nation-state actors in this industry, most attacks are perpetrated by someone who is all about the shekels.