Lance Spitzner

The 2019 Verizon DBIR – Key Findings for Security Awareness Officers

May 9, 2019

It’s here! The 2019 Verizon DBIR has just been released. If you want to better understand the biggest drivers of incidents and breaches and how they impact you and your organization, this is your go-to source. It is one of the world’s most respected and trusted data-driven sources on security incidents and breaches today.

The Verizon DBIR enables you to make data-driven decisions, not decisions driven by emotion or impulse. The Verizon team makes this possible by collecting data on real incidents every year from organizations around the world, then analyzing that data to publish this annual report. This year, they aggregated data from over 40,000 incidents and 2,000 breaches. I found this year’s report one of the best: it was easy to read, it provided key points, and its concise visuals and graphs were easy to follow.

If you are new to the report, I recommend you start with the introduction (pages 1-8), then jump to the industry-specific section, which starts on page 31. There you can analyze the risks unique to your industry.

I think the largest take-away from this year’s report is its coverage of phishing and credentials (i.e. passwords), which continue to be the biggest drivers of bad things happening. In addition, the human element overall proves to be a growing factor in incidents and breaches. Security is no longer just about technology; organizations have to address the human risk factor.

Here are my overall conclusions from the human-risk perspective. I reference specific figures in the report so that you can look them up or leverage them for your own research:

  • Human: The human element is the fastest-growing driver in breaches today. We see this in Figure 9, which identifies the top threat actions in data breaches. The only two that have grown over the past seven years are both human-based: Error (up 5%) and Social Engineering (up 18%). Use this figure to help your leadership understand the critical need for training people, as awareness is one of the few controls that manages both accidental and deliberate threats at the same time.
  • Errors: Accidents continue to be a large and growing risk. I bring this up because I see so many organizations and awareness programs focusing only on deliberate threats and thus underestimating accidental risk. That is why I love this report: it gives us hard data, and the hard data says we need to address mistakes. Figure 3 of the report indicates that 21% of all breaches were due to people making simple mistakes, the second largest of the nine incident classification patterns (Figure 36). Sometimes we get so caught up in the whole APT thing that we forget something as simple as auto-complete in email can be a big risk (Figure 24). Think about it: just teaching people to double-check the To: address in an email draft before hitting Send could reduce almost 10% of all breaches globally.
  • Phishing: Phishing continues to be one of the top two ways cyber criminals get into systems, alongside stolen passwords. In Figure 12, we see phishing as the top threat action in breaches. While this is no surprise to most of us, what the report also shows is that security awareness training works. I’m continually amazed when people say you can’t patch the human, that you can’t change behavior, or that training simply does not work. Figure 21 shows that the click rate in phishing simulations has dropped dramatically over the past seven years, from an average of 25% to just 3%. That is amazing. While “artificial intelligence” might be the buzzword in cybersecurity these days, don’t discount real intelligence. (For those of you clamoring that a 3% click rate is still bad, think again: a goal of a zero percent click rate actually does far more harm than good.)
  • Passwords: Passwords continue to be the other weak link. Passwords are usually compromised when people choose weak or easily guessed passwords, or fall victim to phishing or malware attacks that capture their credentials. You can see this in Figure 12 (top threat actions), in Figure 13, where use of stolen credentials is the number one hacking action, and in Figure 36, where Web Applications is the number one pattern. The category “web applications” can be misleading: you may be thinking of bad code that got hacked via SQL injection. The vast majority of incidents in this pattern are actually credential-based. The bad guys compromised someone’s password and logged in with their credentials. On page 25, the report states, “Over one half of breaches in this pattern are associated with unauthorized access of cloud-based email servers.” Long story short, we need to keep addressing the password challenge, and we need to make strong passwords easy for people. Kill password complexity and password expiration. Instead, emphasize unique passphrases for every account, and enable this behavior by providing password managers and training people on them. Even better, have people enable Multi-Factor Authentication (MFA) wherever possible. We have to stop blaming people for their credentials and start enabling them.
  • FMSE: CEO Fraud has become such a big driver of incidents that the Verizon DBIR has given it its own name: Financially Motivated Social Engineering (FMSE). Think phishing, but with no malicious links or infected attachments. Instead, the end goal is to trick an individual or organization into transferring money. What is interesting in this year’s report is that Human Resources / W-2 CEO Fraud scams were down 6x. The bad guys have found it far easier to simply ask for money than to commit tax fraud with stolen W-2 forms. The good news is that if organizations detect the fraud in time, they can get their money back. On page 29, the report states,

    “When the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money recovered or frozen; and only 9% had nothing recovered.”

    This is a great example of where detection and response is just as valuable as prevention. Continue to develop the human sensor.
  • Attack Paths: The DBIR this year introduced something new: attack paths. This is very exciting, as they attempt to document the steps used in an incident or breach. In other words, they are not just taking a static snapshot, but looking at the entire life cycle of an incident. Think Cyber Kill Chain, but from a threat intel perspective. I’m looking forward to seeing this section grow in the coming years.
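
The passphrase recommendation in the Passwords point above is easier to sell to leadership with numbers. The following is an added example, not code from the DBIR or from this post, that generates passphrases with a cryptographically secure random source and compares their entropy with that of a random eight-character “complex” password. The 16-word list is a constructed stand-in; the 7,776-word figure assumes the EFF large word list, which is what a real deployment would load.

```python
"""Passphrase generation and an entropy comparison against "complex"
passwords, to back the recommendation to drop complexity rules in favor of
long, unique passphrases.

Added illustration; not Verizon DBIR or SANS code. SAMPLE_WORDS is a
constructed 16-word stand-in; EFF_LARGE_LIST_SIZE assumes the 7,776-word
EFF large word list a real deployment would load instead.
"""
import math
import secrets

SAMPLE_WORDS = [  # constructed stand-in list; 16 words = 4 bits per word
    "correct", "horse", "battery", "staple", "lantern", "orbit", "velvet", "quartz",
    "meadow", "ripple", "saddle", "timber", "walnut", "zephyr", "cobalt", "harbor",
]
EFF_LARGE_LIST_SIZE = 7776   # log2(7776) is about 12.9 bits per word
PRINTABLE_ASCII = 94         # symbol alphabet behind typical complexity rules


def bits_per_word(list_size: int) -> float:
    """Entropy contributed by one uniformly chosen word."""
    return math.log2(list_size)


def passphrase_entropy_bits(word_count: int, list_size: int = EFF_LARGE_LIST_SIZE) -> float:
    """Entropy of word_count independent, uniform draws from the list. Holds
    only when the words are machine-chosen; a human-picked phrase is weaker."""
    return word_count * bits_per_word(list_size)


def random_password_entropy_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Upper bound for a password of `length` uniform symbols. Human-chosen
    'complex' passwords (Passw0rd!) sit far below this bound, which is the
    point: the complexity rule buys less than it costs."""
    return length * math.log2(alphabet)


def words_needed(target_bits: float, list_size: int = EFF_LARGE_LIST_SIZE) -> int:
    """Fewest words whose passphrase reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_word(list_size))


def generate_passphrase(word_count: int = 4, wordlist=None, sep: str = "-") -> str:
    """Draw words with secrets.choice (CSPRNG); random.choice is not suitable."""
    wordlist = wordlist if wordlist is not None else SAMPLE_WORDS
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare(word_count: int = 4, password_length: int = 8) -> dict:
    """Side-by-side figures for a leadership slide: a passphrase of N EFF words
    versus an N-character random password over the full printable alphabet."""
    return {
        "passphrase_words": word_count,
        "passphrase_bits": round(passphrase_entropy_bits(word_count), 1),
        "password_length": password_length,
        "password_bits": round(random_password_entropy_bits(password_length), 1),
        "words_for_80_bits": words_needed(80),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(4))
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Four EFF words (about 52 bits) match a truly random eight-character password over the full keyboard (about 52 bits), and seven words clear 80 bits, which is the comparison to put in front of anyone defending a complexity policy. The bound for the password assumes uniform random choice; the passwords people actually produce under complexity rules are far weaker, while the passphrase figure holds as long as the generator, not the user, picks the words.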

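Two of the findings above, misdelivery through email auto-complete (the Errors point) and FMSE/BEC messages (the FMSE point), both come down to a person not noticing that an address is slightly wrong. The following is an added example, not code from the DBIR or from SANS, of the checks a mail gateway or a send-time warning can apply before the human does: look-alike domain detection (homoglyphs, single-character edits, transpositions) applied to outbound recipients, plus display-name spoofing and mismatched Reply-To checks on inbound mail. The trusted domains, executive list and sample messages are constructed for the example.

```python
"""Look-alike domain and header checks for two human-risk cases:
outbound misdelivery (auto-complete picks a near-miss recipient) and
inbound financially motivated social engineering (BEC).

Added illustration; not Verizon DBIR or SANS code. All domains, names and
messages below are constructed for the example.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}   # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}            # constructed


def normalize(domain: str) -> str:
    """Collapse common homoglyph tricks so 'examp1e.com' and 'exarnple.com'
    compare equal to 'example.com'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        d = d.replace(fake, real)
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'exmaple' is 1 from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None when the
    domain is itself trusted or is not close to any trusted domain."""
    d = domain.lower()
    if d in trusted:
        return None
    for t in trusted:
        if edit_distance(normalize(d), normalize(t)) <= 1:
            return t
    return None


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def outbound_findings(recipients) -> list:
    """Send-time warning for the misdelivery case: flag look-alike and
    external recipient domains so the sender re-reads the To: line."""
    findings = []
    for _, addr in getaddresses(recipients):
        dom = _domain(addr)
        imitated = lookalike_of(dom)
        if imitated:
            findings.append(f"{addr}: domain looks like {imitated}, possible auto-complete mistake")
        elif dom not in TRUSTED_DOMAINS:
            findings.append(f"{addr}: external recipient, confirm it is intended")
    return findings


def inbound_findings(raw_message: str) -> list:
    """BEC heuristics for one inbound message. Returns reasons to hold the
    message for review; an empty list means these rules found nothing."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    dom = _domain(addr)
    known = EXECUTIVES.get(name.lower())
    if known and addr.lower() != known:            # display-name spoofing
        findings.append(f"display name '{name}' used with address {addr}")
    imitated = lookalike_of(dom)
    if imitated:                                   # look-alike sender domain
        findings.append(f"sender domain {dom} looks like {imitated}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:            # replies diverted elsewhere
        findings.append(f"Reply-To {reply} does not match From domain {dom}")
    return findings


# Constructed sample messages.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@freemail.example
To: accounts@example.com
Subject: Urgent wire transfer

Need this paid before close of business. Do not call, I am in meetings.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q2 numbers

Attached as discussed.
"""

if __name__ == "__main__":
    for line in inbound_findings(SAMPLE_BEC):
        print("BEC:", line)
    for line in outbound_findings(["Bob <bob@exarnple.com>", "alice@example.com"]):
        print("OUTBOUND:", line)
```

The point of the example is that neither check replaces the human: the outbound rule only produces a prompt that makes the sender look at the To: line, and the inbound rules produce reasons for a reviewer, not a verdict, since a legitimate executive mailing from a personal account trips the same display-name rule. Both rules are cheap, and both catch exactly the class of mistake the DBIR numbers say is growing.
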
Overall, the Verizon DBIR is a powerful report you should be using. It enables you to make data-driven decisions in your security awareness program, and leveraging reports like these can further develop your credibility with leadership. If you found something interesting or useful in the report, please share it with me! There is so much rich data packed in here that I’m sure I missed some gems. Finally, a shout-out to the Verizon DBIR team for all the good work they do. Be sure to thank them on Twitter at @VZDBIR.

NOTE: For a report like this, terms are key.

  • Event: Something happened.
  • Incident: Something bad happened. The Verizon DBIR definition is “A security event that compromises the integrity, confidentiality or availability of an information asset.”
  • Breach: A type of incident where the bad guys got your data. The Verizon DBIR definition is “An incident that results in the confirmed disclosure - not just potential exposure - of data to an unauthorized party.”

(For example, a DDoS attack is an incident, but it is not a breach, as no data is lost.)


Tags:
  • Security Awareness
