The Verizon Data Breach Investigations Report (DBIR) has been published annually for the past 17 years. It provides an in-depth analysis of cybersecurity incidents and data breaches from the previous year and is regarded as one of the most comprehensive and authoritative sources of data on cybersecurity threats and trends.
However, when I say “comprehensive,” I’m talking about 100 pages of data. It’s an incredible resource for cybersecurity professionals like me, but most small to midsize business owners don’t have the time to sift through it for key takeaways. Here’s my condensed version…
5 Key Takeaways From the Verizon 2024 DBIR
The 2024 Data Breach Investigations Report (DBIR) analyzed 30,458 real-world security incidents, of which 10,626 were confirmed data breaches.
The report includes:
- Data from various sources, including Verizon itself
- A detailed analysis of data breach incidents from the previous year
- Emerging trends and patterns to help organizations adjust their security strategies
- Industry-specific insights
- New recommendations
1. Unpatched Vulnerabilities Provide Critical Entry Points
In 2023, attacks that exploited vulnerabilities to initiate a data breach almost tripled. These attacks were primarily carried out by threat actors involved in ransomware and other extortion-related activities. It's no surprise that the main entry point for these attacks was web applications.
The report also revealed a substantial rise in attacks that took advantage of software vulnerabilities to gain initial access and initiate data breaches. This type of attack saw a nearly threefold increase, likely due to widely publicized vulnerabilities like MOVEit.
Pro tip: Keep software up-to-date, remove or disable unnecessary apps, and if you haven’t already, start using web application firewalls (WAFs) to monitor and filter incoming web traffic
2. Hackers Are in It for the Money
If you’ve been reading other recent cybersecurity blogs, this also shouldn’t be a big surprise: Attacks are typically financially motivated. Almost a third of all data breaches in the past year involved ransomware or other extortion techniques. And here’s why — the median loss associated with ransomware and extortion breaches was $46,000, but the actual range is from $3 to 1.1 million for 95% of cases.
Far too many owners of small to midsize businesses regard cybercriminals as if they were unstoppable geniuses, and give up the fight, believing there is nothing they can do to adequately protect themselves. In reality, the majority of attackers are just looking to make a quick profit, and they tend to use the easiest routes available to do that. Sometimes you don’t have to outrun the bear, as they say, you just have to outrun the person next to you. Not having foundational cybersecurity controls in place when others do, makes businesses of all sizes a prime target.
Pro tip: Attacks aren’t personal, and hackers don’t care what your organization’s mission is. They’re just out to make a quick profit, so if you make that hard, there is a much greater chance that they will move to another target. Cybersecurity best practices — including requiring the use of multifactor authentication and updating systems — are enough to stop the vast majority of attacks.
3. “Small” Errors Are Causing Big Problems
According to the report, the human element was found to be involved in 68% of breaches. Human errors have always contributed to cyberattacks, but the percentage is higher than most organizations would probably assume.
Here are a few examples of the types of errors that keep cybersecurity professionals up at night:
- Reusing passwords
- Falling for phishing scams
- Clicking on malicious links
- Using overly permissive settings
- Misdelivery (sending information to the wrong recipient)
Phishing is a winning recipe for cybercriminals because odds are, if they email just three people in an organization, one of those people will readily give out sensitive information. Verizon’s recent data found that in 2023, only 20% of users successfully reported phishing in simulated engagements. The median time it took users to click a malicious link was only 21 seconds, and it only took another 28 seconds for them to enter their data.
Pro tip: Lots of people believe they’re too smart to fall for phishing scams. But we all have distracted moments, and overconfidence gets people into trouble. Ongoing security awareness training is highly effective at preventing ransomware and other serious attacks.
4. Get Serious About Vendor Due Diligence
Everyone with access to your systems, location, or data is a potential security risk. If you work closely with other businesses, but you haven’t asked them in-depth questions about their security, and they haven’t asked you about yours, it’s time to start, as the report found that last year, 15% of breaches (a significant increase from the previous year) could have been prevented with proper vendor due diligence.
Pro tip: Executive leadership should be working with their IT teams to develop selection criteria standards for the vendors they will work with and build these requirements into company policy. Vendors who do not meet these standards shouldn’t be considered. For a list of sample vendor security questions and additional resources, read this blog!
5. Educate Your Staff About Pretexting
Pretexting is a form of social engineering frequently used in business email compromise (BEC) attacks where a cybercriminal impersonates a trusted colleague to try to lure an employee into doing something that will harm their organization, like initiating a wire transfer or supplying sensitive data.
According to the report, pretexting was involved in approximately one-fourth of all financially motivated attacks, with a median transaction amount of roughly $50,000.
Pro tip: BEC attacks aren’t all the same, but if your employees know what to look for and are encouraged to question any unusual requests, these threats can largely be neutralized. Provide employees with examples of pretexting tactics, and implement verification procedures for financial transactions and other sensitive requests.
Top Threats By Industry
The report also outlines how last year’s threats played out in various industries. Here are the highlights:
- Hospitality and food service saw a surge in social engineering attacks, which now account for a quarter of all security incidents in the industry. Pretexting also doubled compared to last year and is now responsible for 20% of reported incidents.
- Schools last year were most often hit with extortion threats, fueled by social engineering tactics and human error.
- Finance and insurance saw more complex attacks.
- Healthcare unfortunately saw more insider mischief last year, and personal data is becoming a preferred target over medical data.
- The information industry had fewer incidents last year, but going forward, these organizations may need to monitor attacks motivated by espionage rather than financial gain.
- Manufacturing didn’t do so well, with an increase in breaches. Malware and the use of stolen credentials are commonplace here.
- Science and technical services may need to focus more of their security awareness training on social engineering tactics, which accounted for 40% of breaches.
- Public administration organizations are often their own worst enemies, with human errors — including misdelivery — causing the majority of breaches
- Retail attacks have shifted away from stealing payment information in favor of stealing credentials.
So…Where Are Your Risks Hiding?
Verizon’s Data Breach Investigations Report is an incredible resource, but it can only provide the broad strokes. Every organization is different, and depending on its tools and how its staff uses them, it will also have different areas of risk.
So here’s the biggest takeaway I have from Verizon’s 2024 DBIR — if you haven’t had a professional assess your cybersecurity risk in the past few years, you’re due for a checkup, at the very least. Click the link below to learn more about what we offer!