Lance Spitzner

Tackling Modern Human Risks in Cybersecurity: Insights from the Verizon DBIR 2024


May 16, 2024

The Verizon Data Breach Investigations Report (VZ DBIR) is one of the security industry's most respected annual reports on risk. For more than 15 years the Verizon team has published its data-driven analysis of the top risks organizations face around the world. What makes the report so valuable is that it is vendor neutral, is based on a global data set, and covers a broad range of risks: not only deliberate cyber threat actors but also physical loss, malicious insiders, and simple human error (which is a much bigger deal than people realize).

The report is especially useful because it is highly actionable, breaking down and categorizing risks by threat actors and their actions, which is why I recommend everyone make it part of their regular reading. With that said, let's dive in and see what the 2024 report has to offer. As always, I will look at it from the human risk perspective.

Summary of Key Findings

This year's report is based on 30,458 real-world security incidents, of which 10,626 were confirmed data breaches (a record high). The VZ DBIR defines an incident as a security event that compromises the integrity, confidentiality, or availability of an information asset, and a breach as an incident that results in confirmed disclosure of data to an unauthorized party. Breaches are often the most damaging type of incident, as media, lawyers, and regulators get involved. Here are a couple of my key take-aways from the Executive Summary.

  1. Human Element: Just as in years past, people represent the greatest risk to an organization, with humans involved in 68% of all breaches. This is a slight drop from last year, but for a good reason: the VZ DBIR team no longer includes malicious insiders (what the report calls Privilege Misuse) in this statistic. That makes sense, since how you handle malicious insiders is vastly different from how you protect employees who are targeted (for example by phishing) or employees who simply made a mistake.
  2. Human Error: People making mistakes now drives 28% of breaches, a large increase. Human errors are mistakes such as emailing sensitive data to the wrong person because of auto-complete, or IT admins accidentally exposing sensitive data in cloud storage. The increase may be in part because technology keeps getting more complicated while people work faster than ever, creating the perfect environment for mistakes. To address this, our job is to make technology, process, and security as simple as possible. The simpler a behavior is, the more likely people are to exhibit it, and the more likely they are to do it correctly.

[Image: VZ DBIR 2024, Figure 3]

Top Attack Drivers

In Figure 1 below, we see the top three ways cyber threat actors get into organizations: stolen credentials, phishing, and vulnerability exploitation. These are the same top three findings as in the past three years. I was intrigued that phishing is a much smaller share than credential/account takeover. The VZ DBIR team explained that a huge portion of credential theft happens through phishing, but they often cannot prove how the threat actors obtained the credentials in the first place, so such breaches are recorded as credential use rather than phishing. Long story short: just as in the past three years, if you are focusing on human security, continue to focus on:

  • Strong Authentication: long, unique passwords and MFA
  • Phishing: I would include vishing and smishing here as well
  • Patched Systems: enable automatic updates for individuals

[Image: VZ DBIR 2024, Figure 1]

Business Email Compromise (BEC)

Social engineering continues to be one of the biggest attack categories, but what I found interesting in this year's data set is that over 40% of successful social engineering attacks were Business Email Compromise (BEC)/CEO Fraud imposter attacks, or what VZ DBIR calls "pretexting" (see Figure 34 in the report). These are email attacks with no malicious link or infected attachment. Instead, they are most often financially motivated, tricking people into approving invoices or payments or changing bank account information. The goal is purely to steal money. I emphasize this because we often hear about ransomware in the news, as organizations typically have to go public when a ransomware incident happens. We almost never hear about BEC/CEO Fraud incidents, as organizations are not required to go public and almost never do. You have to go public when your data is breached; you do not have to go public when your money is stolen.

BEC/CEO Fraud emails are often the hardest for automated security tools or people to detect, as they are highly customized and carry far fewer indicators: no link, no attachment, and often a plausible-looking sender. In addition, generative AI makes creating these customized attacks easier, in almost any language the attacker wants. This is why it is so critical that employees strictly follow all policies for approving invoices, transferring money, or modifying financial accounts, in particular verifying any request to change payment details through a channel other than the email that asked for it.
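To show what the "far fewer indicators" actually look like, here is an added example (mine, not code from the DBIR, Verizon, or SANS) that scores constructed sample messages for the pretexting signals that do survive in a BEC email: an executive's display name on a mailbox that is not theirs, a Reply-To pointing at a different domain, a lookalike sender domain, and payment-change or urgency wording. It also includes a pre-send check for the auto-complete misdelivery mistake described under Human Error above. The organization domain example.com, the executive name, and all messages are assumptions made for the demo.

```python
"""Heuristic email checks for two human-risk patterns discussed above: inbound
BEC / pretexting and outbound misdirected mail.  Added example; not from the
DBIR or SANS.  Domains, names and messages are constructed for the demo."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                        # assumed org domain
EXECUTIVES = {"Pat Ferris": "pat.ferris@example.com"}  # hypothetical CEO
FINANCIAL_KEYWORDS = (
    "wire", "invoice", "payment", "bank account", "routing number",
    "urgent", "confidential", "update our banking", "change of account",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the usual lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if `domain` imitates `trusted`: homoglyph swaps (rn->m, 1->l, 0->o),
    a couple of typos, or the trusted label buried inside a longer one."""
    if domain == trusted:
        return False
    label = domain.split(".")[0].replace("rn", "m").replace("1", "l").replace("0", "o")
    tlabel = trusted.split(".")[0]
    return edit_distance(label, tlabel) <= 2 or tlabel in label


def score_inbound(raw: str) -> dict:
    """Score one RFC 5322 message for pretexting indicators.  These attacks carry
    no link or attachment, so the signal is in the headers and the wording."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    # Samples are single-part text; walk() the parts for multipart mail.
    body = msg.get_payload().lower()
    findings = []
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        findings.append(f"display name impersonates {from_name}")
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {from_domain}")
    if from_domain != INTERNAL_DOMAIN and is_lookalike(from_domain, INTERNAL_DOMAIN):
        findings.append(f"lookalike sender domain {from_domain}")
    hits = [k for k in FINANCIAL_KEYWORDS if k in body]
    if hits:
        findings.append("financial/urgency wording: " + ", ".join(hits))
    score = len(findings)
    verdict = "high" if score >= 3 else "medium" if score else "low"
    return {"score": score, "verdict": verdict, "findings": findings}


def check_outbound(recipients, known_domains=(INTERNAL_DOMAIN,)) -> list:
    """Warn before sending when a recipient domain is one edit away from a domain
    the sender normally uses: the auto-complete slip behind many misdeliveries."""
    warnings = []
    for rcpt in recipients:
        domain = rcpt.rpartition("@")[2].lower()
        for known in known_domains:
            if domain != known and edit_distance(domain, known) <= 1:
                warnings.append(f"{rcpt}: did you mean @{known}?")
    return warnings


# Constructed sample messages, not real mail.
SAMPLES = {
    "ceo_fraud": (
        'From: "Pat Ferris" <pat.ferris@exarnple.com>\n'
        "Reply-To: Pat Ferris <pat.ferris.ceo@webmail.test>\n"
        "To: finance@example.com\nSubject: Quick favour\n\n"
        "Are you at your desk? I need an urgent wire payment sent to a new\n"
        "vendor before close of business. Keep this confidential.\n"),
    "vendor_bank_change": (
        'From: "Acme Billing" <billing@acme-supplies.test>\n'
        "To: ap@example.com\nSubject: Updated remittance details\n\n"
        "Please update our banking details on file; the new routing number\n"
        "is in the attached letter.\n"),
    "benign_internal": (
        'From: "Jordan Lee" <jordan.lee@example.com>\n'
        "To: finance@example.com\nSubject: Thursday agenda\n\n"
        "Attached is the agenda for Thursday's leadership meeting.\n"),
}


def run_demo() -> dict:
    """Verdict per sample plus the outbound check on a typo'd recipient."""
    results = {name: score_inbound(raw)["verdict"] for name, raw in SAMPLES.items()}
    results["outbound"] = check_outbound(["jon@example.co", "jon@example.com"])
    return results
```

The scores are a triage signal, not a verdict: a message that only trips the wording check (like the vendor banking-change sample) still has to go through the out-of-band verification the policy requires, and a lookalike check on inbound mail belongs alongside, not instead of, enforcing DMARC on your own domain so the attacker cannot simply send as pat.ferris@example.com.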

Lost/Stolen Devices

One data point I always find interesting is the tracking of lost and stolen devices. We often do not think of this as a risk, but when we lose control of a mobile device, the data on it is at risk. This is why controls such as screen locks, full-device encryption, and remote tracking/wiping are so important. You are far more likely to lose a mobile device or have one stolen than to have it hacked (it is actually quite difficult to hack an actively patched and maintained mobile device). Figure 54 of the report shows a fascinating statistic: you are far more likely to lose a device than to have one stolen. So when it comes to physical security, it is not the thief we should be most concerned about, but the absent-minded, overwhelmed employee who is traveling.

Want to Learn More? - Artificial Intelligence

These are by no means the only findings in the report; these are just the ones I found most interesting.

Still have questions or want other details, but don't have time to read the full report? Want the key take-aways specific to your role, industry, or the challenges you face? Ask an AI assistant to summarize the key elements of the report for you (see the example below). As with any generated summary, check the figures it quotes against the report itself before you repeat them.

[Image: example of a ChatGPT prompt asking for a summary of the report]

To learn more about building a mature security awareness program, consider the SANS LDR433 Managing Human Risk course. This intense, three-day class gives you the strategic roadmap not only to manage human risk but also to measure it effectively. In addition, the class provides seven interactive team labs where you apply everything you learn with your peers. Finally, you have the opportunity to earn the SSAP (SANS Security Awareness Professional), the industry's most recognized credential demonstrating expertise in managing human risk.


Tags:
  • Security Awareness

© 2025 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute. Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.