DBIR 2024: Top Ten Takeaways

Looking at some of the key lessons learned from this year's Verizon report.


This week saw the release of the annual Verizon Data Breach Investigations Report (DBIR), and as usual the 100-page document is packed with statistics and analysis of data breaches and their causes.

The 17th edition of the report covers cybersecurity incidents and data breaches between November 1st, 2022, and October 31st, 2023, with around 30,500 incidents and 10,626 confirmed data breaches across 94 countries analyzed.

The report is often cited by CISOs and security practitioners as an essential source of data for budget and strategy decisions. We looked at this year’s edition, and these are ten things we learned.


1 - Roughly one-third of all breaches involved ransomware, or some other extortion technique, while the use of ransomware as a sole attack vector has slightly declined.


2 - To follow that, ‘pure extortion attacks’ have risen over the past year and are now a component of nine percent of all breaches. Extortion is where an attacker seizes data and threatens to release it publicly unless a fee is paid.


3 - The human element was a component of 68% of breaches, roughly the same as the previous period described in the 2023 DBIR.


4 - The median time for users to fall for phishing emails is less than 60 seconds, as emails are typically clicked on within 21 seconds, and 28 seconds later data is entered.


5 - There has been a 180% increase in the use of exploited vulnerabilities as the critical path action to initiate a breach.


6 - The share of the VPN vector among exploited vulnerabilities will likely increase in next year’s report. The DBIR authors recommended “having as many of your web applications as possible behind” your VPN, as a better strategy than worrying about emergency overnight patching of the software.


7 - External actors are the top catalyst for breaches, responsible for 65% of incidents, while internal actors make up the remaining 35%. However, 73% of those internal actor breaches were in the miscellaneous errors pattern.


8 - 85% of vulnerabilities were unfixed after 30 days, 47% were not remediated after 60 days, and by the end of a whole year around eight percent of bugs were still unfixed.


9 - The percentage of breaches caused by errors is rising, while there is a decline in the exploitation of weak credentials through credential stuffing or brute force attacks.


10 - Generative AI is yet to make a significant mark in the cyber attack landscape. As highlighted by SC US, the vast majority of GenAI discussion on cybercrime forums over the last two years has centered around selling accounts to GenAI services. Mentions of GenAI in combination with attack types like malware and phishing were rare, with little more than 100 mentions on the crime forums studied.


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
