
What Verizon's Latest Hacker Report Tells Us (And What to Do About It)
Alright, it’s that time of year again! The new Verizon Data Breach Investigations Report (DBIR) just dropped; as usual, I’ve been digging into it. I find digging into the details helpful, and based on past reports, it generally rings true.
This year’s report (number 18, if you can believe it!) has some juicy bits. A few things are definitely changing out there. Here are the five big takeaways that really jumped out at me and should probably be on your radar.
1. Hackers Are Finding More Holes (Not Just Stealing Keys)
For ages, the number one way hackers got in was simple: stolen passwords. That’s still a massive headache, don’t get me wrong. But something else is seriously catching up – attackers exploiting weaknesses in software and devices, especially the stuff we leave hanging out on the internet edge, like VPNs and firewalls. They’re getting fast, too. The report says they often pounce within just a few days of a flaw being announced, sometimes even faster (often immediately for those edge devices!). Defenders, meanwhile, are taking about a month on average to fully patch these critical edge flaws. That’s a tough race to win. It really drives home that anything facing the internet should be treated like it’s already got a target painted on it. Patching must be almost automatic, and if you can’t patch something super quickly, you’d better find another way to shield it.
License to Hack: Espionage Nearly Tripled!
Here’s a twist the report emphasized this year: Espionage is way up. It nearly tripled as a motive behind breaches. How are these spies often getting in? Yep, through those same software vulnerabilities – a large majority of the time for espionage breaches! So, patching those internet-facing systems isn’t just about stopping ransomware gangs; it’s also increasingly about keeping state-sponsored actors out.
2. Ransomware’s Still a Pain (Even if Fewer Are Paying)
Ransomware attacks are actually up, showing up in nearly half the breaches Verizon looked at. Yikes. But here’s a glimmer of hope: more companies are refusing to pay the ransom (a solid majority now!), and the average payout has dropped. That may be working. It seems to be forcing the ransomware gangs to switch things up – they’re hunting for cheaper ways in (like those software flaws, or buying stolen passwords from info-stealer logs – the report found many ransomware victims already had credentials floating around beforehand!) and sometimes just threatening to leak data instead of locking it up. Side note: ransomware hits smaller businesses disproportionately hard; it is involved in most SMB breaches, versus a much smaller fraction of breaches at large organizations. Being ready to say “no” to ransoms clearly pays off, but that requires having the backups and recovery plan to make it feasible. We must assume our company’s passwords are for sale and focus on spotting intrusions early, before attackers dig deep.
3. People Still Make Mistakes (But Robots Are Helping Hackers More)
Yep, the “human element” – clicking bad links, messing up settings, sending emails to the wrong person – is still a factor in most breaches. But that number actually dipped slightly. Why? Because the attackers are getting better at automating their dirty work, like scanning for those vulnerabilities or trying out millions of stolen passwords. When people are the weak link, it’s the same old story: reusing passwords, accidental emails, and cloud misconfigurations. One newer trick is “MFA fatigue”: the attacker spams you with login prompts, hoping you’ll eventually just hit ‘approve.’ While training still matters, the goal should shift away from “never click” and towards “always report weird stuff, fast.” Alongside that, we definitely need login methods (MFA) that aren’t so easy to annoy people into bypassing.
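As an added illustration (not part of the original post or of the DBIR), here is a small detector for the push-spam pattern described above, run over constructed sample MFA log lines; the log format, the five-minute window and the three-prompt threshold are assumptions, so tune them to your own identity provider’s logs.

```python
"""Flag possible MFA fatigue (push bombing) in constructed sample MFA logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): timestamp, user, push result.
SAMPLE_LOG = """\
2025-05-01T08:00:05Z alice push_denied
2025-05-01T08:00:41Z alice push_denied
2025-05-01T08:01:20Z alice push_denied
2025-05-01T08:02:03Z alice push_denied
2025-05-01T08:02:55Z alice push_approved
2025-05-01T08:10:00Z bob push_approved
2025-05-01T13:30:00Z bob push_denied
2025-05-01T13:31:00Z carol push_denied
2025-05-01T13:31:30Z carol push_denied
2025-05-01T13:32:00Z carol push_denied
"""

# An approval at the end of a burst of denials is the case worth paging on.
SEVERITY = {"bombed": 1, "approved_after_burst": 2}


def parse_line(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_mfa_fatigue(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {user: verdict} for users who got `threshold` or more push
    prompts inside `window`. Verdict is 'approved_after_burst' when the burst
    ends in an approval preceded by repeated denials, else 'bombed'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            events[user].append((ts, result))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            burst = [r for t, r in evs[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            denials = burst.count("push_denied")
            if burst[-1] == "push_approved" and denials >= threshold - 1:
                verdict = "approved_after_burst"
            else:
                verdict = "bombed"
            if SEVERITY[verdict] > SEVERITY.get(findings.get(user), 0):
                findings[user] = verdict  # keep the worst verdict per user
    return findings
```

On the sample above, alice is flagged as approved_after_burst (four denials then an approval within three minutes) and carol as bombed, while bob’s two widely spaced prompts are left alone.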
4. Your Partners’ Problems Are Your Problems (Now More Than Ever)
Remember MOVEit? Snowflake? 2024 was the year we learned that a security slip-up at one company can spread like wildfire through its customers. The DBIR says breaches involving a third party (think suppliers, software vendors, cloud services) doubled, and they are now involved in about three out of every ten incidents. Ouch. It’s not just data theft; look at the chaos when critical service providers go down. This means we must take a much harder look at the security of the companies we partner with. It’s paramount to know who connects to what and who holds your data and to monitor logins from partners as seriously as we watch our own admins.
5. AI Isn’t Hacking Us Yet (But We’re Leaking Data To It)
Is ChatGPT writing killer malware? Not according to Verizon, at least not yet. The actual AI risk right now is far more ordinary, and it’s mostly us. People use AI tools on work devices, often signing up with personal emails and sometimes feeding them sensitive company documents or code without thinking. That’s the danger today – accidental data leaks. So, it’s less about fighting Skynet and more about getting back to data handling basics. We need clear rules about which AI tools are okay and strong controls to stop sensitive info from being uploaded where it shouldn’t be.
The Bottom Line?
Attackers are getting quicker, using automation effectively, and finding new angles like increased espionage. This demands faster patching from us, especially on critical edge systems. We must assume credentials will be compromised. As the report suggests, thinking “Assume Access, Ready Defenses” helps focus on post-entry controls. Partner security is now directly tied to our own operational resilience, requiring serious vetting. Training should empower users to report suspicious activity promptly, aiding faster response. And don’t let AI buzz distract from crucial data handling basics today. It’s the familiar security battleground, but the pace is quicker, and the potential impact is wider.
Stay safe out there!