Features 06.05.2025

Five CISO Takeaways from Verizon’s DBIR

Actionable advice from security leaders, for security leaders

Phil Muncaster asks what CISOs can do to mitigate a surge in system intrusions, third-party risk and other threats

In the high stakes, high-pressure world of the modern CISO, fresh and accurate threat intelligence is highly prized. But where can the time-poor security leader find the data-rich sources they need to make the right decisions? One answer is the Verizon Data Breach Investigations Report, which has for over 15 years offered an annual snapshot of the global threat landscape. This year’s report is compiled from analysis of over 22,000 security incidents, including 12,195 confirmed data breaches.

As always, there’s plenty to unpack here. But the good news is that best practice cyber hygiene can provide a great foundation for managing the risks outlined in the report.

What’s new this year?

The headline this year is that the number of complex attacks using malware or hacking techniques virtually doubled over the past 12 months, to 53% of all breaches in EMEA. These “system intrusion” events were driven globally by a surge in ransomware, which is now present in 44% of breaches – up 37% annually. This is despite a drop in the median sum paid to digital extortionists and an increase in the share of victims refusing to pay. It could be that threat actors are going after more victims precisely because their returns per victim are falling. SMBs are particularly badly hit: ransomware is now present in 88% of breaches in this segment.

How exactly are organisations falling victim to cyber attacks? The top three initial access vectors are credential abuse (22%), exploitation of vulnerabilities (20%) and phishing (19%). That’s perhaps not surprising. But dig a little deeper and there are some interesting details.

Verizon claims that over half of ransomware victims had their domains – mainly in the form of corporate email addresses – appear in infostealer logs, hinting at the source of these breaches. But “credentials” doesn’t simply refer to traditional usernames and passwords. The report explains that various secrets related to web apps, development environments, cloud infrastructure and databases were also in demand.
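The finding above is directly actionable: if a corporate domain shows up in infostealer logs, the exposed accounts and secrets need to be identified and reset before they are replayed. The script below is an added example, not part of the Verizon report or this article, showing how a security team could triage a stealer log dump for its own domain. The `example-corp.com` domain, every host, login and secret in `SAMPLE_STEALER_LOG`, the `url|login|secret` layout and the `RESPONSE` actions are all constructed assumptions for the example; the regexes cover the AWS key, GitHub token and database connection string formats as examples of the non-password secrets the report mentions.

```python
import re
from urllib.parse import urlparse

# Assumed: the defender's own corporate domain (not taken from the DBIR).
CORP_DOMAIN = "example-corp.com"

# Constructed sample in the common "url|login|secret" stealer-log layout.
# Every host, user and secret here is invented; the AKIA... value is the
# placeholder key from AWS's own documentation, not a live credential.
SAMPLE_STEALER_LOG = """\
https://mail.example-corp.com/owa/|j.doe@example-corp.com|Winter2024!
https://github.com/login|j.doe@example-corp.com|ghp_abcdefghijklmnopqrstuvwxyz0123456789
https://console.aws.amazon.com/|ops@example-corp.com|AKIAIOSFODNN7EXAMPLE
https://vpn.example-corp.com/remote/login|c.smith|Summer!23
https://shop.other-site.net/account|j.doe@gmail.com|hunter2
https://ci.example-corp.com/settings|svc-deploy|postgres://app:S3cretDBpass@db.internal:5432/prod
"""

# Patterns for the non-password secrets the report says are in demand.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "db_connection_string": re.compile(r"^[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@"),
}

# Assumed response per secret class; adapt to your own playbooks.
RESPONSE = {
    "password": "force password reset, revoke active sessions, check for MFA bypass",
    "aws_access_key_id": "deactivate key, rotate, review CloudTrail for misuse",
    "github_pat": "revoke token, rotate, review repo/org audit log",
    "db_connection_string": "rotate DB credential, restrict source IPs, review query logs",
}


def parse_record(line):
    """Split one 'url|login|secret' line; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        return None
    url, login, secret = (p.strip() for p in parts)
    host = (urlparse(url).hostname or "").lower()
    return {"url": url, "host": host, "login": login, "secret": secret}


def is_corporate(record, domain):
    """True if the saved login targets a corporate host or uses a corporate email."""
    host, login = record["host"], record["login"].lower()
    return host == domain or host.endswith("." + domain) or login.endswith("@" + domain)


def classify_secret(secret):
    """Name the secret type, falling back to a plain password."""
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(secret):
            return name
    return "password"


def triage(log_text, domain):
    """Return the corporate exposures in a stealer log, each with a response action."""
    findings = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None or not is_corporate(record, domain):
            continue
        kind = classify_secret(record["secret"])
        findings.append({
            "login": record["login"],
            "host": record["host"],
            "kind": kind,
            "action": RESPONSE[kind],
        })
    return findings


def summarise(findings):
    """Count exposures by secret type, for reporting upwards."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


def accounts_to_reset(findings):
    """Logins whose plain password leaked and must be reset before it is replayed."""
    return sorted({f["login"] for f in findings if f["kind"] == "password"})


if __name__ == "__main__":
    found = triage(SAMPLE_STEALER_LOG, CORP_DOMAIN)
    for f in found:
        print(f"{f['login']:26} {f['host']:26} {f['kind']:22} -> {f['action']}")
    print(summarise(found))
    print("reset:", accounts_to_reset(found))
```

Note that the personal `gmail.com` login on a non-corporate site is ignored, while the third-party GitHub and AWS console entries are kept because the login is a corporate address: that is exactly the “domain appears in infostealer logs” signal the report describes, and it is where the cloud and development secrets tend to surface.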

Breaches where vulnerability exploitation was an initial access vector increased 34% annually, fuelled by a surge in zero-day attacks – especially those targeting perimeter devices and VPNs. Exploits also account for 70% of espionage attacks. Unfortunately, while organisations take a median of 38 days to fully remediate a vulnerability, the median time to mass exploitation is just five days – and zero days for edge devices, i.e. exploitation on the day of disclosure.

Although the share of breaches featuring “miscellaneous errors” and social engineering both fell from last year, humans remain a major source of security risk in organisations. Employees were involved in 60% of breaches – around the same as last year. Credential abuse by third parties and “social actions” (i.e. phishing) were the most common issues here. AI-generated text in malicious emails has doubled over the past two years, the report claims.

However, threat actors are still behind most attacks, even if negligent insiders are unwitting accomplices. Their main motivation once again this year is financial (89%). Even when it comes to state-sponsored attacks, over a quarter (28%) of incidents now have a financial motive. Espionage also surged 163% in a year to account for 17% of breaches.

Finally, let’s not forget the persistent threat from supply chain partners. The percentage of breaches involving third parties has doubled in just a year to 30%.

Five tips for CISOs

With credential abuse, vulnerability exploitation and phishing leading the way as data breach initial access vectors, what can CISOs do to improve their corporate security posture? Experts Assured Intelligence spoke to have the following advice:

  1. Customise training

    “Awareness is a battle that organisations can never truly win because humans generally don’t retain information that doesn’t directly impact them personally or professionally,” says Agnidipta Sarkar, VP CISO advisory at ColorTokens. “Therefore, to improve retention, awareness efforts should be customised to each employee, relevant to the specific digital activities being performed, and involve employees in sharing the awareness with others.” CISOs should complement such training programmes with stronger technical controls to eliminate adversary-in-the-middle (AiTM) attacks. These are an increasingly common way to intercept session cookies and one-time passcodes, he tells Assured Intelligence.

  2. Unify identity and access management (IAM)

    Effective IAM is essential if security leaders are serious about mitigating credential abuse, Pathlock CTO, Haviv Rosh, tells Assured Intelligence.

    “CISOs need to manage all identities – employees, contractors, partners, and service accounts – under a unified access governance model. Consistency in controls, visibility and enforcement is critical to reduce exposure across the full ecosystem,” he explains. “Credential theft remains a leading vector, and point-in-time authentication simply isn’t enough anymore. Identity security must be continuous – validating access not just at login, but throughout the user session based on behaviour, risk signals, and context. Trust must be dynamic and constantly re-evaluated.”

  3. Harness the power of Generative AI (GenAI)

    For Keeper Security CISO, James Scobey, GenAI is both a threat and an opportunity. On the one hand, it will empower attackers to create convincing deepfake video and voice calls to bypass identity checks and other security systems. “On the other hand, GenAI offers significant potential for bolstering defences. Security teams can harness AI’s ability to analyse massive datasets and detect patterns in real-time, identifying anomalies that could be indicative of identity fraud,” he tells Assured Intelligence. “AI-driven tools can enhance behavioural biometrics and continuous authentication by examining user actions over time, flagging deviations that might indicate impersonation. However, as powerful as AI is, it still requires significant human oversight. Skilled security professionals will remain essential in guiding these AI systems, fine-tuning their analysis and intervening when automated responses are insufficient.”

  4. Prioritise CVEs for patching

    Vulnerability remediation is challenging as organisations often have to plan for and mitigate the impact of potentially costly business interruptions, which can lead to patching delays, argues Scott Caveza, senior staff research engineer at Tenable. “There are currently over 276,000 CVEs. While the risk each poses is different, it’s clear that remediating every vulnerability is just not possible,” he tells Assured Intelligence. “Instead, success is a combination of properly prioritising assets, understanding and classifying assets into categories based on severity and constantly improving each day. The more mature and refined an organisation’s security program becomes the greater likelihood that they’ll be better protected.”

  5. Adopt a secure-by-design mindset

    Gopal Padinjaruveetil, VP & CISO of the Auto Club Group of the AAA, argues that security must be baked into every business system and process. “Things don’t become or stay secure by themselves. It’s a conscious and continuous choice. The alternative to ‘secure by design’ is ‘secure by chance.’ Nothing is perfect, not in security and not in nature,” he tells Assured Intelligence. “CTOs want to ship products fast for business agility, where CISOs must ensure that innovation is secure. The ultimate challenge lies in keeping pace with business needs without introducing unnecessary risks or disruptions. This means that building security by design essentially requires CTOs and CISOs to work together. Priorities have to be aligned, and siloes have to be removed.”

By standardising more on cloud platforms, CISOs can accelerate this process, he argues. Think of it as the first step of a long journey.
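Tip 4 and the remediation figures earlier in the piece (a 38-day median to patch against a five-day, or zero-day for edge devices, median to mass exploitation) point at the same practice: rank by exposure and exploitation evidence, not by CVSS alone. The script below is an added example, not Tenable’s or Verizon’s methodology, of how a team might turn that into a patch plan. It draws on two real public signals, CISA’s Known Exploited Vulnerabilities (KEV) catalogue and FIRST’s EPSS exploitation probability, but the `CVE-EXAMPLE-*` identifiers, all scores, the exposure and criticality weights, the 0.5 EPSS threshold and the SLA tiers in `remediation_sla_days` are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, with the signals needed to rank it."""
    cve: str                 # identifier; placeholders below, not real CVEs
    cvss: float              # CVSS base score (severity)
    epss: float              # EPSS: probability of exploitation in the next 30 days
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalogue
    exposure: str            # "edge" (perimeter device/VPN), "internet", or "internal"
    asset_criticality: str   # "high", "medium", or "low" business criticality


# Constructed inventory. The CVE-EXAMPLE-* identifiers and all scores are invented.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.96, True, "edge", "high"),       # exploited VPN appliance
    Finding("CVE-EXAMPLE-B", 10.0, 0.01, False, "internal", "low"),  # max CVSS, no exploit signal
    Finding("CVE-EXAMPLE-C", 7.5, 0.70, False, "internet", "medium"),
    Finding("CVE-EXAMPLE-D", 5.3, 0.02, False, "internal", "medium"),
    Finding("CVE-EXAMPLE-E", 8.8, 0.30, True, "internal", "high"),
]

# Assumed weights: exposure and asset value multiply raw severity.
EXPOSURE_WEIGHT = {"edge": 3.0, "internet": 2.0, "internal": 1.0}
CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.5}
EPSS_EXPLOITED_THRESHOLD = 0.5   # assumed cut-off for "likely being exploited"


def actively_exploited(f):
    """Exploitation evidence beats severity: a KEV listing or a high EPSS."""
    return f.in_kev or f.epss >= EPSS_EXPLOITED_THRESHOLD


def remediation_sla_days(f):
    """Assumed SLA tiers. Edge devices under active exploitation get an emergency
    window because the DBIR's median time-to-mass-exploitation for them is zero days."""
    if f.exposure == "edge" and actively_exploited(f):
        return 1
    if actively_exploited(f):
        return 7 if f.exposure == "internet" else 14
    if f.exposure != "internal" and f.cvss >= 9.0:
        return 14
    if f.cvss >= 7.0:
        return 30
    return 90


def priority_score(f):
    """Severity scaled by exposure, asset value and exploitation signal (higher = sooner)."""
    exploit_signal = 1.0 + (2.0 if f.in_kev else 0.0) + 2.0 * f.epss
    return round(f.cvss * EXPOSURE_WEIGHT[f.exposure]
                 * CRITICALITY_WEIGHT[f.asset_criticality] * exploit_signal, 2)


def prioritise(findings):
    """Order by SLA first, then by score, then by id so the plan is deterministic."""
    return sorted(findings, key=lambda f: (remediation_sla_days(f), -priority_score(f), f.cve))


def patch_plan(findings):
    """Group CVE ids into SLA buckets (days), in the order teams should work them."""
    plan = {}
    for f in prioritise(findings):
        plan.setdefault(remediation_sla_days(f), []).append(f.cve)
    return plan


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.cve:14} SLA {remediation_sla_days(f):>3}d  score {priority_score(f):>7}  "
              f"cvss {f.cvss}  epss {f.epss}  kev {f.in_kev}  {f.exposure}/{f.asset_criticality}")
    print(patch_plan(SAMPLE_FINDINGS))
```

The instructive case is `CVE-EXAMPLE-B`: a CVSS 10.0 flaw on a low-value internal host lands in the 30-day bucket, behind a CVSS 7.5 internet-facing bug with a 0.70 EPSS. A severity-only queue would invert that order and spend the team’s scarce patch windows on the wrong asset, which is the failure mode Caveza describes.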