Verizon Business released its 17th-annual Data Breach Investigations Report (DBIR), highlighting the role that the human element plays in cyber threats. This report examined 30,458 security incidents as well as 10,626 verified breaches in 2023, representing a two-fold increase from 2022. Out of the breaches analyzed, more than two-thirds (68%) included a non-malicious human element — in other words, these incidents involved insider errors or people falling for social engineering schemes.

This percentage remains consistent with last year’s, suggesting that the human element remains a steady risk concern. However, reporting practices improved, as 20% of individuals recognized and reported phishing in simulated exercises, and 11% of individuals who clicked a malicious email reported it. 

Another notable finding from the report was the increase in vulnerability exploitation. Exploiting vulnerabilities as an initial entry point accounted for 14% of all breaches, representing a volume three times (180%) greater than 2023. According to the report, this increase was driven by zero-day vulnerabilities that ransomware actors leveraged. 

Other key findings include: 

• 32% of breaches included a form of extortion, including ransomware.
• Between 24% and 25% of financially motivated security events involved pretexting over the past two years. 
• Over the last decade, 31% of breaches involved the use of stolen credentials.

Security leaders weigh in 

Saeed Abbasi, Manager, Vulnerability Research at Qualys Threat Research Unit:

“The 2024 Verizon Data Breach Investigations Report (DBIR) highlights cyber threats that are evolving and increasingly complex in our interconnected world. These findings spotlight a crucial theme: today's cyber threats are' dynamic and increasingly sophisticated in nature. 

“Here are my takeaways this year: 

• Adaptive threat landscape: The report details a notable increase in ransomware, extortion techniques, and vulnerability exploitation, showing that cybercriminals are becoming more adaptive and opportunistic. They effectively utilize everything from zero-day vulnerabilities to social engineering tactics like phishing to penetrate systems. 
• Convergence of threats: It also notes an evolution of ransomware into more complex forms of extortion, marking a convergence of threats where different attack methods merge into hybrid tactics. This convergence complicates organizations' ability to predict and defend against attacks as the distinctions between attack types become increasingly blurred. 
• Human element in cybersecurity: This highlights the rapid rate at which individuals fall for phishing scams, the DBIR underscores the critical importance of human behavior in cybersecurity. It advocates for a dual approach that focuses on technological defenses and emphasizes the need for comprehensive user education and behavioral adjustments to bolster security. 
• Strategic vulnerability management and holistic defense mechanisms: The 2024 Verizon DBIR emphasizes a critical increase in vulnerability exploitations, highlighting the need for urgent, strategic vulnerability management. We advise organizations to implement comprehensive, proactive strategies, including agent-based and agent-less security measures, to preempt potential breaches. Additionally, organizations require a multi-layered defense strategy, integrating advanced detection tools, zero-trust frameworks, and rapid patch management. 

“Given the increasing complexity and interconnectedness of supply chains, this holistic approach to cybersecurity is essential. These networks are often targeted by cyber threats, affecting not just individual organizations but also extending to third-party interactions and the broader supply chain. 

• AI, Machine Learning, and Quantum Computing Threats: The proliferation of AI and machine learning is expected to be leveraged by both defenders and attackers. AI can swiftly predict and counteract attacks but may also be used to develop more sophisticated cyber threats. Additionally, as quantum computing advances, it poses a potential risk to current cryptographic protocols. Organizations should prepare for this by developing quantum-resistant cryptography to safeguard data against future threats.” 

Patrick Harr, CEO at SlashNext:

“With the rapid growth of AI technology, combined with limited regulation, it’s important for the tech industry to develop tools and processes that can assist in protecting AI technology systems.

“Everything in security needs to become more human ID-centric rather than network-centric. At the end of the day, we are far better off by providing access through human identity-centric methods and using AI to make that human a super-human. So rather than relying on a training simulation approach for users, we can rely on AI augmentation for that, so users don’t have to be tricked into clicking on bad phishing links, for example. 

“We have to shift our posture from a network-centric to a human-centric security posture. We will put an AI bubble around the user to become a super-human with an extra pair of computer vision eyes, and an ability to listen with spoken language contextualization by using AI. Everyone has talked about a personal co-pilot to help from a security posture, and we will see the rise of these AI co-pilots to augment humans and help users make the best decisions.  

“This problem will not go away and will only get worse. Anywhere there is money and opportunity and data, which is across every industry, there will be attacks. This is a horizontal problem for all industries, not a vertical problem. The bad guys will always look for wherever the most sensitive data is based to target their attacks.” 

Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens:

“With the increase in digital business-as-usual, cybersecurity practitioners are already feeling lost in a deluge of inaccurate information from mushrooming multiple cybersecurity solutions coupled with a lack of cybersecurity architecture and design practices, resulting in porous cyber defenses. Business leaders are realizing that investments in microsegmentation will force the IT and security teams to begin developing digital business context-based cybersecurity architecture and design because microsegmentation is the last line of defense during a cyber-attack. Security and risk leaders will leverage the pan-optic visualization capability of microsegmentation to build immediate cyber defenses to protect digital business as usual, even during severe cyber-attacks.” 

Nick Rago, Vice President, Product Strategy at Salt Security:

“As architectures become increasingly complex, combined with more dependencies on third party code and services, supply chain attacks targeting software dependencies and operational third-party providers will continue to escalate. Especially as threats actor techniques become more stealth and harder to detect.

“In the wake of successful attacks over the past year, social engineering attacks are set to continue and with more sophistication. As a result, zero-trust mindsets should be applied to every communication medium, including corporate email, text message, or phone call. The education and re-education of employees must continue. 

“API attacks will also continue to increase at an alarming rate as organizations struggle to manage the chaos of API sprawl stemming from API-first innovation and digitalization. On the flip side, it is likely organizations will allocate more budget towards API security in the new year given its increased importance. In Salt Security's State of the CISO report, 95% of CISOs surveyed said API security is a planned priority over the next 24 months.”

Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint:

“AI is coming and resistance is futile. While we see the great potential AI can have to help us in our work, we must make sure that we take advantage of these technologies responsibly and securely. In light of this, Security and Privacy professionals must work with their IT and business counterparts to develop and implement Generative AI Acceptable use policies. This should include data privacy and confidentiality, access to generative AI, and responsible use of generative AI. Putting these guardrails in place is critical. 

“In addition to developing acceptable use policies, ensure that you have ongoing training for employees so that they are aware and can act responsibly. Especially given how quickly applications of AI and machine learning have impacted our work, and how quickly this technology changes, security and privacy teams need to be agile in the new year.

“Successful adoption of AI in a security and privacy centric way will be as good as the basic data governance and life cycle management program you’ve implemented in your organization. As we say and have said for many years with regards to migration to the cloud: if you put garbage in, you'll get garbage out. So, it's important to clean up your data and make sure its properly governed before serving it up to AI on a silver platter. Otherwise, you may end up finding that security by obscurity is no longer a fallback defense.”