5 Takeaways from the Verizon 2024 Data Breach Investigations Report

The 2024 edition of the Verizon Data Breach Investigation Report (DBIR) is out. If you haven’t read one before, we highly recommend you do so this year. The report aggregates data from thousands of data breaches and security incidents reported by organizations worldwide to provide insight on who is responsible for the attacks (“actors”) and the tactics they employ. You can even drill down to events in various industries.

This year’s DBIR studied over 30,000 incidents (including over 10,000 data breaches) in 94 countries. For reference, an “incident” is defined as “a security event that compromises the integrity, confidentiality or availability of an information asset.” A breach is “an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.” In other words, breaches result in data loss and are a subset of incidents, which could also include distributed denial of service attacks and malware infections.

There is a lot of good information in this year’s report. We looked at it from the standpoint of a midsize organization with a small IT and security team to understand how this could shape security initiatives. The good news? It doesn’t require exotic solutions. Improving basic security hygiene can go a long way.

Here are our top 5 takeaways.

1. It’s Still About Exploiting Human Weaknesses

Once again, non-malicious actions caused the majority of breaches. The “human element” accounted for 68% of breaches in 2023. Breaches caused by non-malicious actions do not mean criminals are not involved. Human elements include falling victim to social engineering attacks, sending sensitive information to an incorrect email recipient, or losing a laptop.

As one would expect, phishing is a big part of this. Phishing was the second leading “way-in” for attackers to establish a foothold, often by tricking users into revealing their credentials or installing malware. Once this initial step is accomplished, malicious hackers can execute a ransomware attack, steal data, install cryptojacking software, and more.

What You Can Do

Your users are busy and mistakes are inevitable. The best defense here is continuous education and building a security culture. Make sure your organization’s policies and security awareness training are up to date. We feel strongly that phishing simulations – because they work – are fast becoming a “table stake” for an organization’s security program. Consider reinforcing training with frequent reminders in the form of posters and videos.

2. It’s Still About Money

Understanding an attacker’s focus can be helpful in prioritizing defensive measures. The DBIR makes it clear that it’s still about money. Financial gains were the motive for 97% of the breaches among North American organizations. Espionage, the second most common motive, was “mostly concentrated in Public Administration breaches.”

The most common ways malicious hackers monetize attacks are through ransomware and extortion. In a ransomware attack, criminals encrypt all data on your systems and demand payment for the decryption key. In an extortion attack, they may steal your data and threaten to expose it unless you pay their “fee”.

This year’s DBIR also shows an increase in pretexting attacks like Business Email Compromise (BEC). BEC attacks are fraudulent emails impersonating company executives or partners to redirect payments or steal data. BEC accounted for a quarter of financially motivated attacks with a median cost of roughly $50,000.


What You Can Do

To protect against financially motivated attacks, IT and security teams should review their existing procedures and implement some basic best practices, including:

  • Make sure endpoints are protected and antimalware solutions are up to date.
  • Run regular vulnerability scans to identify and patch weaknesses that attackers can easily target.
  • Back up your data regularly and keep a copy disconnected from the network to avoid ransomware infection.
  • Reinforce technology appropriate use policies to help users understand how to safely use organizational assets.
  • Include simulated BEC emails in your phishing simulation practice.

3. Protect Your Credentials

It’s no surprise that stolen credentials are the top “way-in” for web application attacks. An employee’s credentials are extremely valuable to criminal hackers. Legitimate credentials give the criminal unfettered access to all the resources the user is allowed to reach, including cloud-based email, customer relationship management accounts, data stores, and collaboration tools. A criminal using legitimate credentials can also be exceptionally hard to spot and block.

What You Can Do

First – educate your users on the importance of choosing strong passwords (to limit the chance of a brute force attack) and not reusing passwords across accounts (to prevent credential stuffing).

Next, find out if any of your users’ credentials are exposed and remediate that risk. Defendify’s Compromised Password Scanner searches the dark web for compromised employee passwords and credentials, allowing teams to lock out users or force password resets.

4. Vulnerability Exploitation is Way Up

Criminals want to use tactics that are likely to succeed, like exploiting known vulnerabilities. They also understand that under-resourced IT teams can struggle to keep up with patching vulnerable systems. When a vulnerability appears in a popular application, it gets the attention of criminals (rushing to exploit it) and the executive suite (asking “are we vulnerable?”). Remember Log4Shell in 2022?

2023 showed a 180% increase in vulnerability exploitation as a “way-in” for breaches. Obviously, much of this is due to the vulnerability in Progress Software’s MOVEit file transfer software (one that allowed attackers to steal data from MOVEit transfer servers). However, this was just one of the thousands of vulnerabilities published in the National Vulnerability Database each year.

What You Can Do

Known vulnerabilities – particularly when exploits are publicly available – can be trivial for malicious hackers to abuse. The key is to be aware of them and have the ability to prioritize them properly.

Defendify’s vulnerability scanning solution is designed for exactly this purpose. It automatically discovers and scans assets for vulnerabilities, then uses AI, machine learning, and contextual prioritization to provide expansive and continuous coverage.

5. Supply Chains Can Expect Increased Attention

MOVEit proved again that an organization is only as secure as its weakest link. But it goes beyond MOVEit. This year’s DBIR found that 15% of the year’s breaches involved a third party, a 68% increase from the previous year.

Supply chain security is a growing concern in organizations of any size. Procurement and risk management teams are increasingly responding to this by evaluating and auditing their vendors’ security practices.

What You Can Do

A vendor security assessment is often a questionnaire that covers the minimum security controls the organization requires of its vendors and partners. Many look for vendors and partners that self-assess annually and adhere to international standards and best practice frameworks like ISO 27001, the Center for Internet Security (CIS) Critical Security Controls, or the NIST Cybersecurity Framework.

You can perform a cybersecurity risk assessment on your own or hire an outside company to conduct one for you. Our Cybersecurity Assessment is a single questionnaire that maps to several standards, including GDPR, NIS, and CIS. Better yet, it’s available for free through our Cybersecurity Essentials Package.

Bonus Fact: Don’t Worry About AI (Yet)

There is an amusing sidebar in the report on AI. The gist of it is that a lot of criminals talk about AI (as we all do), but that they simply don’t need it. They have plenty of success writing phishing and pretexting attacks or malware without the need for AI. Vulnerabilities in commercial and open source components provide them with ample attack vectors. Adding AI to the mix doesn’t seem to make those more effective.

Next Steps

AI is a rapidly changing field. For the time being, however, focus on the basics. Train your users to be diligent, scan for vulnerabilities and patch them, search for compromised credentials, and prepare for customer security audits.

No matter how the threat landscape evolves, we are here to help. We designed our platform to meet the needs of modern IT teams. It makes securing networks and applications simpler, without adding organizational overhead. With the right technology and dedicated human assistance, Defendify is enabling organizations to implement layered cybersecurity effectively.
