Report: Cloud Security Breaches Surpass On-Prem Ones for the First Time

Verizon’s annual report on data breaches finds that more cybersecurity incidents involved external cloud assets than internal ones.

Maria Korolov

May 20, 2021

3 Min Read
Data center racks

Most cybersecurity incidents now involve cloud infrastructure, according to the latest Verizon Data Breach Investigations Report (DBIR).

The annual report is the most researched of its kind. This year’s report is based on more than 79,000 cybersecurity incidents and over 5,200 breaches. Last year’s report analyzed around 4,000 breaches, and 2019's report included 2,000.

The big news this year was that 73 percent of the cybersecurity incidents involved external cloud assets, with the rest involving on-premises IT assets. Last year, cloud assets were only involved in 27 percent of breaches.

This is the first time that cloud incidents surpassed on-premises ones, said Gabriel Bassett, a Verizon researcher and architect and the 2021 DBIR’s lead scientist. But this does not necessarily mean that cloud services are less secure than on-premises infrastructure, he told DCK.

The increased share of cloud incidents could be due to several factors, including more infrastructure moving to the cloud, attackers going after cloud-based credentials, and the mix of organizations that contributed to this year's report.

"Nothing in our data says that on-prem is more secure," Bassett said.

For cloud incidents, the most common factors were stolen credentials, misconfigurations, and phishing.

For on-prem incidents, the top three types were ransomware, stolen credentials, and backdoor malware.

Overall, credentials were involved in 61 percent of breaches.

Cloud Incidents Target Individuals

In cybersecurity, people are often the weakest link. As employees have migrated to cloud applications, such as Office 365 and other SaaS platforms, attackers have followed them.

The SolarWinds breach, for example, involved compromised Office 365 accounts.

Phishing attacks, which directly target individuals, were up 11 percent compared to last year's report – from being present in 25 percent of attacks last year to 36 percent this year.

Breaches that involved human elements accounted for 85 percent of the total.

"Things like phishing attacks and business element compromise – the human element attacks – continue to be very well suited to the type of services available as organizations move to the cloud," said Bassett.

On-Prem Attacks

The biggest type of on-prem incident, ransomware, was up 6 percent compared to last year.

Ransomware was targeted more at on-prem infrastructure, as was malware that set up backdoors for attackers or connected to command-and-control infrastructure.

In the cloud, ransomware was involved in only 5 percent of incidents, roughly the same as last year.

On premises, however, ransomware jumped from 8 percent of incidents to 33 percent.

But as the amount of on-prem assets shrinks, the fact that ransomware continues to grow is indicative of the increased effectiveness of those attacks.

Attackers are also using new tactics, such as stealing data as they encrypt it.

Patching Remains Lackluster

One area of progress is in vulnerabilities. According to the Verizon researchers, exploitation of vulnerabilities hit its peak in 2017, when they were used in 5 percent of breaches.

This year, vulnerabilities were involved in only 3 percent of breaches.

This may be partly because vulnerabilities are less important in cloud-based attacks, not necessarily in on-prem environments seeing progress in patch management.

According to the report, only 40 percent of organizations patched a vulnerability 75 days after they discovered it, down from 44 percent in last year's report.

About one fifth of vulnerabilities in internet-facing systems dated as far back as 2010.

"For assets that had a vulnerability, it was normally a ten-year vulnerability, not a ten-month vulnerability," Bassett said. "If you have a vulnerability, you’re doing a bad job patching your assets — it's not that you’re patching slowly, it’s that you’re patching never."

About the Author(s)

Maria Korolov

Maria Korolov is an award-winning technology journalist who covers cybersecurity, AI, and extended reality. She also writes science fiction.

Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like