Passwords Are Still a Problem According to the 2019 Verizon Data Breach Investigations Report

It’s that time of year again! The time of year when all information security professionals eagerly devour the newly-released Verizon Data Breach Investigations Report (DBIR).  Though the report is worth a read in its entirety, a few access and authentication-related findings especially stood out to us this year. The types of attacks and threat actions may evolve from year to year, but one thing has remained the same: Compromised passwords are still a leading contributor to successful attacks. A brief overview of the DBIR Now in its 12th year, the DBIR is often referred to as “required reading” for anyone working in the cybersecurity field. This comprehensive report analyzes security trends, explores how data breaches happen, and shares strategies for companies to improve security.  As the report has grown in reach and significance, more cybersecurity companies have contributed data, giving us new and detailed insights into the threat landscape. The 2019 DBIR received contributions from 73 data sources and analyzed a total of 41,686 security incidents, of which 2,013 (~5%) were confirmed data breaches.  80% of hacking-related breaches still tied to passwords You’ve likely seen the statistic that 81% of data breaches are caused by compromised, weak, and reused passwords. That data point originated from the 2017 DBIR and has been widely cited since.  The 2019 DBIR confirmed that not much has changed, with 80% of hacking-related breaches still involving compromised and weak credentials. 29% of all breaches, regardless of attack type, involved the use of stolen credentials. Even as we see more businesses investing in password management, it’s clear that there are many companies struggling to properly manage passwords and prevent password-related attacks. Password managers mentioned as a critical tool Don’t take our word for it on the importance of password management. The DBIR specifically mentions password managers as a key recommended tool in foiling hacking attempts. The report even uses the analogy of auditing and securing all your doors.  “Static credentials are the keys,” says the DBIR. “Password managers and two-factor authentication are the spool pins in the lock. Don’t forget to audit where all your doors are. It doesn’t help to put XO-9's on most of your entrances if you’ve got one in the back rocking a screen door.” We couldn’t agree more. Every password-protected account is essentially a doorway to your business.  Multifactor authentication minimizes impact of stolen credentials As the above quote exemplifies, the report also repeatedly mentions the importance of multifactor authentication. By adding a second step to the authentication process and requiring additional ‘factors’ to prove a user’s identity, stolen credentials are no longer enough for attackers to gain access.  From the C-suite to the “front lines” employees, everyone in your organization is protecting valuable information, and every account they use should be treated with the appropriate care. Though education and training are important to raising employee awareness, putting effective tools in place – like a password manager and multifactor authentication – ensure that best practices are the default. Email accounts and web servers are hot targets A popular attack this year involved using stolen credentials to compromise email accounts and web servers with the aim to steal money or sensitive data. Cloud-based mail servers were among the top assets affected in data breaches (~40%). Using stolen credentials to compromise an email account, an actor could launch large-scale phishing campaigns or send targeted emails to encourage bogus invoices and money transfers.  Again, the report mentions that, "It is a good idea to deploy multiple factor authentication throughout all systems that support it and discourage password reuse. These actions will definitely help mitigate the impact of stolen credentials across the organization.” A password manager can reduce or eliminate password reuse while multifactor authentication can thwart attacks with stolen credentials. Both solutions are essential to a strong security posture.  Now is the time to invest in stronger access management This year’s report of course explores much more than what we’ve highlighted here. But for those businesses that have yet to invest in an access management strategy that includes password management and multifactor authentication, the 2019 DBIR makes a convincing case that it is an essential tool for reducing and preventing common attacks. Not only will an Enterprise Password Management solution like LastPass improve the overall security of your organization – especially when paired with multifactor authentication – you’ll also see a boost in productivity as employee password frustrations go down and IT can focus on more value-add activities.