The 2024 Verizon Data Breach Investigations Report (DBIR) lays the threat landscape bare, pointing to a huge increase in vulnerability exploitations – up 180% versus the prior year.

Some 14% of all breaches involved the exploitation of vulnerabilities, with Verizon assigning responsibility for this to the targeting of unpatched systems and zero-day vulnerabilities. Verizon noted that threat actors used MOVEit and other zero-day exploits to launch their ransom demands.

Credential theft is a significant factor in breaches, resulting in 38% of all incidents. Phishing is another route into the enterprise, being associated with 15% of all breaches. The most frequently used entry point for phishing is Web applications, followed by email.

The report analyses 20,358 security incidents and 10,626 confirmed breaches offered by third-party contributors, including the US Secret Service and dozens of other organizations and companies; publicly known data breaches; and security events mitigated by its own Verizon Threat Research Advisory Center (VTRAC). It emphasised the critical role the human element plays in introducing risk into the equation.

Verizon: human element involved in nearly 70% of breaches

Nearly 70% of all breaches involve a staff member, contractor, or partner who, with no ill intent, contributed to an incident. The DBIR also noted that just under one-third of all security incidents incorporate an extortion technique.

At least 24% of all profit-driven breaches over the last two years applied pretexting, the use of fictional narratives to win the targets’ trust to get them to offer up sensitive information, transfer money, or in some other way hurt the victim or their organization.


Preying on a target’s trust is not a new technique. Over the last ten years, credential theft has been associated with 31% of all incidents, and techniques like pretexting are a prime way to capture these keys to unlock other data. The issue is that the frequency and severity of incidents involving the human element are escalating.

While most enterprises of any significant size conduct end user awareness training, this exercise tends to be an annual activity rather than an ongoing program.

It seems a more effective path forward would be to create engaging and accurate cybersecurity educational content. This should be delivered throughout the year, not just as a one-off check-the-box training-to-the-test.