What CISOs & Security Awareness teams can learn from the 2024 Verizon DBIR

Petri Kuivala, long-time CISO and CISO Advisor at Hoxhunt, has read every Verizon Data Breach Investigations Report (DBIR) going back 17 years. Get his perspective on the latest 2024 report and how it provides an opportunity for CISOs and security awareness teams.


The Verizon Data Breach Investigations Report (DBIR) is an annual report that offers an in-depth look at the largest sources of data breaches over the past year, which in turn helps security teams better understand recent attack methodologies and their potential impact on business operations.

There’s a ton of data and observations packed into each report – the 2024 edition is 100 pages long! The incidents described inside this report took place over the course of 1 calendar year, between November 1, 2022, and October 31, 2023.

I have read every copy of this report since it was launched 17 years ago. As a long-time CISO, I’ve always found it crucial to help me decide where to focus my efforts to mitigate the most risk.

Key findings of the report

As expected, the human element is still a leading factor in successful data breaches and cyber attack methodologies.

This year, DBIR says that 68% of the breaches involved a non-malicious human element, which is on par with previous years.

In its early years, DBIR was very technology-oriented, but over the last ten years or so, the human element of cybersecurity has increased dramatically.

When you look at Figure 27 on page 29 of the report, you can see that social engineering is consistently among the top three causes of breaches, often followed by miscellaneous errors.

Even the web application attack category, which ranked fourth this year but second last year, involves a huge human component. The report says on page 43 that 77% of these attacks use stolen credentials, and on the next page it discloses that phishing is the single biggest source of those stolen credentials.

In short, people are people, and so far the industry has not been very good at helping users change their behavior.

The bad news

The DBIR also points out that breaches happen fast. The median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data (Figure 39).

That leads to a frightening finding: The median time for users to fall for phishing emails is less than 60 seconds.

The good news

However, the report did point out that phishing reporting rates have been increasing over time.

In security awareness exercise data contributed by partners during 2023, 20% of users reported phishing in simulation engagements, and 11% of the users who clicked the email also reported it.

It’s, of course, great to see that phishing reporting rates are increasing over time. However, it concerns me that the average is still only around 20% of the organization reporting. I consider 50% or higher to be an acceptable threshold, because it demonstrates that a company has created enough of a positive cybersecurity culture that training efforts actually make an impact on real risk reduction.

Reporting is the way that I, as a CISO, can definitively measure whether or not my employees are able to identify threats and are performing the desired action of reporting. Without reporting, I am blind to the true risk that employee-based cyberattacks pose to the business.

At Hoxhunt, we see organizations that use our training do roughly three times better after just one year of consistent, personalized training. Over more time, that percentage moves even higher.

Key takeaways for security awareness teams

In conclusion, this report is just one of many sources of data that CISOs should be using to inform their strategy for cybersecurity and human risk mitigation.

If anything in the report surprises you, ask yourself (honestly) whether your current security program is prepared for all of the changes the report describes.

If a new trend is emerging – whether that is the increasing popularity of a specific social engineering tactic or a new way to steal credentials – you’ll want to be ahead of it and prepare your workforce accordingly.

Access the full report from Verizon's website.
