2024-05-02
Verizon’s Data Breach Investigations Report 2024
Verizon’s 17th annual Data Breach Investigations Report reveals that vulnerability exploits as initial access points in breaches were up 180% in 2023 over 2022. In addition, human error still plays a part in most breaches; ransomware and other extortion attacks account for about one-third of all breaches; and pure extortion attacks are on the rise.
Editor's Note
It is not "human error". It is technology that is not protecting humans and abstracting security, leading to a failure to communicate risk to users.
Johannes Ullrich
The term “human error” is actually incorrect. What the VZ DBIR pointed out is that the human element is involved in over 65% of all breaches (not including malicious insiders). That number is people, primarily victims of cyberattacks (social engineering) or people making mistakes (that is human error). What really popped this year is that people making mistakes represent 28% of all breaches globally; that is a big number. One of the biggest problems we have is that security is really hard for most people; the behaviors we are demanding of them are often confusing, difficult, and overwhelming. Security is no longer just a technology challenge but also a human challenge, and the first step to addressing the human side is making security as simple as possible for people (which is not easy).
Lance Spitzner
Well done Verizon, another excellent report. For me, a few key takeaways: 1) the human is still the weak link to building an effective cybersecurity program – exploitation of authentication credentials; 2) ransomware had a very good year in 2023 – an increase in both attacks and payouts; and 3) software supply chain attacks also had a good year and have become a major concern for security professionals.
Curtis Dukes
One of the discoveries is that it’s taking an average of 55 days to resolve 50% of vulnerabilities. While we’re likely nailing desktop and commodity system patching, those boundary devices, including VPN and remote access services, need to be doubled down on. Make sure that you’re not just relying on your WAF to protect applications; code flaws need to be fixed as well.