Executive Takeaways From the 2017 Verizon Data Breach Investigation Report (DBIR)

Posted: 30th November 2017

Editor’s Note: The following blog post is a summary of an RFUN 2017 customer presentation featuring Marc Spitler from Verizon Security Research.

Key Takeaways

    - There are an exponential amount of threats out there. Don’t worry about all of them, but rather, identify your business’s greatest risks and focus security investments on those areas. - Remember to cover the basics. People are still falling for phishing (one in 14 users) and failing to set strong passwords. These are fundamental security controls that can save you a considerable amount of difficulty if properly maintained. - People commonly rely on long-established ways of doing things, which means that many businesses are relying on legacy defense techniques. Even if a major incident doesn’t come to pass, it’s critical to align security tools and solutions with the threats that businesses similar to yours are actually facing; otherwise, your strategy is significantly less effective.

For the tenth year, the Verizon Data Breach Investigations Report (DBIR) was released, focused on exploring the current cybersecurity landscape. The 2017 DBIR report combined the experience of 65 organizations to provide a detailed overview on the state of cybercrime today, featuring the analysis of over 40,000 incidents, including 1,935 data breaches. Overall, the goal of the report is to provide insights and help organizations prioritize and discover new ways to protect against threats.

With the constant publishing and distribution of various reports on cybercrime and breaches, it can be difficult to bring information to a high level that will not only bring awareness and benefits to security professionals, but also to executives who oversee security programs — which is why the executive summary was released in concert. With the overflow of information out there, it’s key to be able to make plain what’s actually happening to real people and businesses, as well as what their losses look like.

Further, given the rate of attacks, one can imagine the variation of incident and breach types; so many that it’s difficult to quantify. Luckily for businesses and their security teams, most incidents and breaches fall into a much smaller number of patterns, so while the rate of cybercrime shows no signs of slowing, that doesn’t mean that decision makers need to be worried about every single type of threat.

Here’s what the report covered:

  • Types of actors
  • Tactics used
  • Victims
  • Common occurrences in cybercrime

Commonalities and Patterns of Incidents

The bad news is that in one year, over 40,000 incidents and nearly 2,000 confirmed data breaches occurred. The good news is that 98 percent of incidents and 88 percent of breaches fall into one of the following incident classification patterns:

  • Miscellaneous errors
  • Privilege misuse
  • Physical theft and loss
  • Denial of service
  • Crimeware
  • Web application attacks
  • Point-of-sale intrusions
  • Cyberespionage
  • Payment card skimming

Malicious actors are always evolving their tactics, but their strategies have actually not changed much over time, so understanding how they work is a critical component of protecting your business from cyberattacks. Identifying patterns arms security teams with better information on how to optimize the resources available to them. Plus, patterns shed light on where danger is lurking for your organization and industry. With this knowledge, new initiatives like building applications or processes can be executed with security built in. A quick snapshot of a few incident classification patterns:


  • Attacks linked to state-affiliated actors and/or the motive of espionage.
  • Malicious emails are the preferred method of access, usually followed by trying to blend in to have enough time to gather data of interest.

Internal and Privilege Misuse

  • Classified as any unapproved or malicious use of access to internal resources.
  • 60 percent of insiders are financially motivated.
  • 17 percent of insiders are simply curious, snooping without sanction.
  • 15 percent of the time, data is taken for a new employer or to become a competitor.

Denial of Service

  • Any attack intended to compromise networks and systems availability.
  • 98 percent of DDoS attacks target large organizations.
  • Most attacks end within a few days.

Comparison by Major Industries

The differences in tactics used against your respective industry compared with those used with other industries are striking. Knowing which threats your business is most likely subject to allows you and your security team to align defenses with the most likely risk areas.

  • In financial services, 88 percent of incidents were either denial of service, web application attacks, or payment card skimming.
  • 81 percent of breaches in healthcare were because of privilege misuse, miscellaneous errors, or physical theft and loss.
  • For manufacturing, 96 percent of breaches were attributed to cyberespionage, privilege misuse, and “everything else,” or, any incident that did not classify as one of the nine patterns.

As can be seen from analysis on the above three industries, profiles for each vary greatly. That’s why it’s key to be cognizant of the fact that while a comprehensive approach to security is valuable, investing in the technologies that best address your greatest risks is important, too.

Primary Findings That Affect All of Us

In considerations of the report findings as a whole, there are several conclusions that all businesses should be aware of.

First, the “main play” is still phishing that leads to installation of malware, followed by using stolen credentials to advance attacks.

Malware is very ubiquitous — entering email via malicious attachments, with the most common transports being JavaScript and Microsoft Office documents. Ransomware is the top functionality of malware within crimeware, with a 50 percent increase in the last year.

Espionage remains a serious problem, with assaults usually beginning with phishing emails.

And lastly, overall, the number of records lost in breaches is still on the rise.

Focus Your Defenses

While there were indeed nearly 2,000 recent data breaches, there are not nearly 2,000 problems that have to be solved, so there’s no need to worry about every last threat. The numbers that represent security incidents and breaches can be boiled down to identifying relevant assets, actors, and actions, and whether your respective business and industry are at high risk. Identify what matters most to you.

Similarly, when it comes to generating useful threat reports, it can be exhausting to wade through massive amounts of information, which is where advanced threat intelligence and experienced analysts become necessary. You’ll be empowered to sift through the massive amounts of data and convert information that’s relevant into actionable insights. Real-time harvesting of both open and dark areas of the web shifts the emphasis from reactive to proactive, and gives you the intelligence you really need in a sea of potential threats.

Take a look at patterns so that if you’re the CEO, rather than a technologist, you can see what sorts of threats are affecting your business at a very high rate, and find out what you’re doing about it. Marc Spitler

Verizon Security Research