homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defence Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. 2022 Verizon DBIR – What Does it Mean?
370x370_Lance-Spitzner.jpg
Lance Spitzner

2022 Verizon DBIR – What Does it Mean?

Humans remain the number one driver of breaches today, demonstrating that cybersecurity is no longer just a technical challenge but a human one also.

June 9, 2022

The 2022 Verizon Data Breach Incident Report has been released and I could not be more excited. First, what is the report and why should anyone care? For the past 15 years, this report, informally known as the VZ DBIR, has provided insights on the most common drivers of incidents and breaches today. The goal of the report is to enable leaders to make data-driven decisions on their greatest risks and manage them most effectively. Several reasons why this report is so highly respected include:

  1. The report is vendor neutral, there is no security product or service they are trying to hype or sell you.
  2. The report is global, gathering data from thousands of incidents and breaches from around the world.
  3. The report is transparent. The authors do their best to explain their sources of data, issues with that data, and potential problems with their findings.
  4. The report addresses all elements of risk, not only cyber criminals or nation-state threat actors, but human negligence, misuse or simple error.

Enough about the why this report is useful, let’s dig into what this year’s report tells us — especially from a human risk perspective. The big take away (similar to the past three years) is that the human remains the number one driver of breaches today, demonstrating that cybersecurity is no longer just a technical challenge but a human one also. As long as organizations continue to perceive and treat cybersecurity as a technical challenge, we will continue to lose this battle. Okay, let’s take a look at some of the specific findings.

Verizon DBIR 2022, Figure 9

It's the Human - Figure 09: This finding is most likely the one garnering the greatest attention, clearly calling out that once again people are involved in breaches over 80% of the time. "By people" could mean a breach due to someone clicking on a link in a phishing email, someone reusing a weak password that is compromised, or an IT admin misconfiguring their cloud account and accidentally sharing sensitive data with the entire world. Use this number to help your leadership understand and create a sense of urgency that people, and not just technology, need to be addressed.

VZDBIR_Fig5.png

Phishing & Passwords — Figure 5: Similar to the last several years, phishing attacks and compromised credentials (passwords) are the top two methods by which cyber attackers are gaining access to an organization. This data point is key because it shows us which secure behaviors to focus on for improvement. Managing a security awareness or culture program can feel complex and overwhelming. Not sure where to start or what topics to prioritize? Phishing and passwords. Want to know the two most common ways Ransomware gets into an organization? Phishing and passwords.

VZDBIR_Fig18.png

Human Mistakes — Figure 18: While we tend to focus on deliberate threats (cyber criminal or nation state actors) the VZ DBIR also identified almost 20% of breaches are caused by simple mistakes, either staff emailing the wrong person with sensitive data or IT admins misconfiguring their cloud accounts. A key here is make both your technologies and security policies as simple as possible to work with. The simpler you make security the less likely your staff will make mistakes. 

    To be honest none of these findings from a human perspective are shocking, as they are very similar to the same findings that the VZ DBIR has found for the past three years. People are now the primary attack vector, the largest drivers for breaches. Until we start effectively managing human risk, we will continue to lose this battle.

    If you want to learn more about how to manage and measure human risk, consider taking SANS two-day MGT433 Security Awareness course or for more experienced security leaders the SANS five-day MGT521 Security Culture course.

    Share:
    TwitterLinkedInFacebook
    Copy url Url was copied to clipboard
    Subscribe to SANS Newsletters
    Receive curated news, vulnerabilities, & security awareness tips
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Macedonia
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Saudi Arabia
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Swaziland
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Yugoslavia
    Zambia
    Zimbabwe

    By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Recommended Training

    • MGT415: A Practical Introduction to Cyber Security Risk Management
    • MGT521: Leading Cybersecurity Change: Building a Security-Based Culture
    • SEC450: Blue Team Fundamentals: Security Operations and Analysis

    Tags:
    • Security Awareness

    Related Content

    Blog
    Top_10_Summit_Talks_2022.png
    Cybersecurity Insights, Digital Forensics and Incident Response, Cyber Defense, Cloud Security, Open-Source Intelligence (OSINT), Security Management, Legal, and Audit, Security Awareness
    December 5, 2022
    Top 10 SANS Summits Talks of 2022
    This year, SANS hosted 13 Summits with 246 talks. Here were the top-rated talks of the year.
    370x370-person-placeholder.png
    Alison Kim
    read more
    Blog
    Security Awareness
    February 25, 2022
    Russian Invasion of Ukraine - What to Communicate to Your Workforce
    Focusing on cybersecurity fundamentals is key to protecting both yourself and your workforce at home and at work during these unprecedented times.
    370x370_Lance-Spitzner.jpg
    Lance Spitzner
    read more
    Blog
    Security Awareness
    December 15, 2021
    How to Use Phishing Benchmarks Effectively to Assess Your Program
    This initial blog will be a part of a mini-series addressing benchmarks and considerations when utilizing benchmarks to assess your phishing program.
    Cheryl_Conley.jpg
    Cheryl Conley
    read more
    • Register to Learn
    • Courses
    • Certifications
    • Degree Programs
    • Cyber Ranges
    • Job Tools
    • Security Policy Project
    • Posters & Cheat Sheets
    • White Papers
    • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Cybersecurity Leadership
    • Digital Forensics
    • Industrial Control Systems
    • Offensive Operations
    Subscribe to SANS Newsletters
    Receive curated news, vulnerabilities, & security awareness tips
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Macedonia
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Saudi Arabia
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Swaziland
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Yugoslavia
    Zambia
    Zimbabwe

    By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    • © 2023 SANS™ Institute
    • Privacy Policy
    • Contact
    • Careers
    • Twitter
    • Facebook
    • Youtube
    • LinkedIn