Skip to content

Key Takeaways from the 2019 Verizon Data Breach Investigations Report


The Verizon Data Breach Investigations Report 2019 is now publicly available to download or read online.

It’s the 12th edition, and not surprisingly, it reveals that cybercriminals are still successfully using their hacking techniques—many of which are very common—and that we have failed to stop them. However, we are getting better at stopping them.


Based on an analysis of more than 40,000 security incidents (including 2,013 confirmed data breaches,) the Verizon Data Breach Investigations Report reveals that cybercrime has a far-reaching impact and leads to increased costs for businesses globally.  While this number is lower than last year’s 53K analyzed incidents, the actual cost of cybersecurity is getting greater each year.

The world has witnessed an overall increase in cyberattacks, data breaches, data leaks, and espionage. This year’s World Economic Forum Report lists cyber threats as the fourth greatest risk to world economies, behind climate change and natural disasters.  Governments are taking cybersecurity seriously, increasing spending on both defensive and offensive countermeasures to combat the problem.


The Verizon DBIR helps cybersecurity professionals determine where we are failing to prevent cyber threats and where we must focus our future efforts as we work to improve security.

The most successful attacks occur in 5 steps or less

This year the report confirms that cybercriminals are successfully hacking into companies and governments around the world in less than 5 steps. They are also very cost-sensitive, using the most common techniques and the cheapest methods to exploit our security.


A clear indicator in the Verizon DBIR is that cybersecurity is about finding the right balance between humans and technology.  Many of the incidents and breaches confirm that cybercriminals use hacking techniques that exploit vulnerabilities in both applications and humans. Technology alone can’t protect your identity or sensitive data.

Cybercriminals and other threat actors target people, seeking ways to manipulate them into giving up sensitive information unknowingly. They do this because it’s the easiest way to get at valuable data using a technique known as social engineering.  It’s not surprising that people are the weakest link in the cybersecurity chain, and yet also the best hope for preventing a cybersecurity disaster.

There is much complexity in the cybersecurity industry, and it is crucial that we make technology simpler and easier to use if we want people to adopt the solutions we offer.  We must get the balance between people and technology right. The future of cybersecurity lies in making it simple.

Below are my key takeaways from this year’s report


No victim is too big or too small.  Everyone is a cyber-attack target and it is only a matter of time before you become a victim.  Sometimes you might be a direct target, other times a secondary victim as part of a supply chain, or simply just a target of opportunity.  If you are in the public sector you are more likely to be the target of a cyberattack. 16% of breaches hit the public sector with local governments, councils, and cities all incurring major financial costs from ransomware. 15% of breaches hit the healthcare industry as medical records are a desirable target, followed by 10% hitting the financial industry as financial gain continues to be the top motive for cyberattacks.

Top industries hit by breaches:

  • 16% were breaches of public sector entities
  • 15% were breaches involving healthcare organizations
  • 10% were breaches of the financial industry

43% of the victims were small businesses which means that any size organization can be a target.

All organizations large or small must have an Incident Response Plan in place to ensure they can recover from a cyberattack.

Download our Cybersecurity Incident Response Plan Template here.


Attribution is probably the most difficult task in cybercrime. Challenges include misdirection and a lack of digital footprints to help lead to the cybercriminals who are often located in another country and living under different laws.  It is interesting to see the report’s findings on attribution:

  • 69% are perpetrated by outsiders
  • 34% involved internal actors

Not much changed in the trends between threat actors.  Though it’s a surprise that botnets are not included as they typically represent threat actors using automation to assist with finding the attack path that will be the most successful entry point.

Organized criminal groups were behind 39% of breaches. This demonstrates that cybercrime is a lucrative business for criminals, and they are more likely to get away with the crime now than ever before.

Actors that identified as a nation-state or state-affiliated were involved in 23% of breaches

Attacks perpetrated by cyber mercenaries are increasing as they continue to carry out both nation-state cyberattacks and financially motivated attacks. If they do not target their own country their governments turn a blind eye, particularly in cases where they assist the government in gaining some type of political or economic advantage.  This makes it difficult to know for sure whether the cybercrime group was acting alone or under the influence of a nation-state.


When performing digital forensics, I look for the motive for the cyberattack. It is always important to understand why the cyberattack occurred in the first place.  You will usually find that it is financially motivated, so following the money trail is part of any investigation. If you struggle to find a financial motive, then you follow the techniques used to determine who has the capabilities.

  • 71% of breaches were financially motivated
  • 25% of breaches were motivated by gaining some type of strategic advantage (espionage)

Espionage is on the increase and more nation-states are using cyber now as both a political and economic tool to gain an advantage over other nation-states.

Another trending breach type is opportunistic criminals attacking and compromising numerous victims.

Surprisingly, organized crime has dropped over the past few years while crimes driven by System Administrators and nation-state actors have increased.  This is typically an indication that internal employees are walking out the door with sensitive corporate data (to benefit their future career and competitive advantage,) or that systems are poorly configured.


It is critically important that organizations know how cybercriminals target their victims.  Knowing how cybercriminals subvert security systems and gain access to systems containing sensitive information helps organizations understand how they could become a target, and what they can do to reduce the risk and make it more challenging for attackers.  I continually advise organizations to educate their teams on the latest hacking techniques as they can better understand where their business risks are and what they can do to reduce those risks.

  • 32% of breaches involved phishing
  • 29% of breaches involved the use of stolen credentials
  • 56% of breaches took months or longer to discover

Social Engineering is on the rise and people are the target

Password reuse is one of the culprits that enables cybercriminals to probe various internet services and gain unauthorized access to email, employee networks, social accounts, bank accounts, and sensitive corporate information.

Slow reaction time is another.  Organizations react slowly to data breaches, with most breaches lasting for months and taking even longer to discover.  This slow reaction time has a serious impact on the total cost of breaches.

Ransomware continues to see more global use and financial impact.  Ransomware is now considered a commodity that no longer requires significant technical expertise. If you have a computer and an internet connection, you can obtain ransomware and target a victim.  Ransomware is easily within the reach of common criminals, so we’ll see an increase in use.

DDoS (Distributed Denial of Service) attacks to cause major disruption and are often paired with other hacking techniques that are sometimes used for misdirection—while organizations are busy dealing with keeping their services running the cybercriminals are carrying out a crime elsewhere on the network.

Employee carelessness and errors still cause many incidents, and phishing is particularly common as cybercriminals know that a high percentage of employees will click on a hyperlink or open an interesting attachment, and at that point, it’s game over.  The good news is that cyber awareness training is working, and employee clicks have decreased.

Cybercriminals persist with identity and credential theft.  In fact, identity theft has increased by record numbers in recent years and is the primary focus of many cybercriminals. This is because it’s much easier to steal a trusted insider’s credentials and bypass traditional cybersecurity controls than it is to break through the firewall.

What are the causes of incidents and data breaches?

Top Security Incidents:

  1. DoS (Denial of Service) Attacks
  2. Data Loss
  3. C2 (Command and Control)

Top Breaches:

  1. Phishing
  2. Use of Stolen Credentials
  3. Backdoors or C2 (Command and Control)

Email is still the top delivery method of cyberattacks and Office Documents are the top file types used to infect systems. Phishing is the most common technique used to gain trust. The human is the top target as so many are likely to click on the links or unknowingly give over their credentials—including their password.

Top Hacking Techniques:

  • Email is the #1 delivery method
  • Office Document is the #1 file type
  • Phishing is the #1 technique
  • Human is the #1 target

Privilege Abuse is a problem for organizations that fail to implement Privileged Access Management solutions. As a result, their employees have high-level privileges that are typically unnecessary to perform their jobs. These privileges go unmanaged and unprotected, leaving the organization exposed to unnecessary risk.


A comprehensive cyber awareness training program helps an organization reduce the risk of easily becoming a victim of a cyberattack.  The trend in the Verizon DBIR shows that employees are now less likely to click on a malicious email than in previous years and indicates that they are being more cautious about email threats.  We need to keep up the momentum and make employees a defensive asset in our cybersecurity strategy, not one of our greatest weaknesses.

Download Delinea's award-winning Cybersecurity for Dummies book to help in your continuous employee cyber awareness training:

old - Cybersecurity for Dummies

Outsmart Cybercriminals

Delinea's cybersecurity experts share their knowledge in free eBooks and guides.


Cybersecurity for Dummies is free and delivers a fast, easy read that describes what everyone needs to know to defend themselves and their organization against cyberattacks.  It empowers your employees to understand and recognize the most common cybersecurity threats they face in their daily work and personal lives and includes topics like:

  • Recognizing cybersecurity threats—even the newest ones
  • Responding to a cyber-attack quickly, effectively, and appropriately
  • The top 10 actions for protecting yourself from a cyber-attack, at work, and at home

The 24-page eBook explains in simple terms how cybercriminals target their victims, what employees can do to reduce their risk, and how they can personally make it a lot more difficult for attackers to steal passwords and gain unauthorized access to sensitive information.


Only when you understand why cybercriminals carry out attacks can you act appropriately to reduce your risks and strengthen your cybersecurity defenses.  Typically, they attack for financial reasons, for espionage purposes, to act on a grudge, or for the fun of the challenge.


The data being stolen by cybercriminals in data breaches are personal information, payment details, medical info, credentials, and internal IP.


Your organization is most likely to be a victim of ransomware or malicious malware via a simple email. It only takes one employee to click on a malicious link or attachment to give a cybercriminal a foot in the door to a much larger cyberattack.

Phishing emails most often use 3 key methods to gain the victim's trust: Fear, Time, and Impact.  Phishing emails will use those methods when the employee is most distracted by other tasks.

Data is one of the most targeted assets in a company and knowing what data you have and how it is protected is one step in knowing the risks to your business. The top targeted data assets in the Verizon DBIR show the data that has the most monetary value to cybercriminals.

Top Data Asset Target:

  • Internal Data
  • Credentials
  • Personal
  • Medical
  • Payment

It’s worth noting that privilege abuse is consistently in the top 3 incidents and breaches. 


The Verizon Data Breach Investigations Report is always an eye-opening read and an excellent annual reality check for organizations globally. It keeps us all up to date on the past year’s cybersecurity activities, changes in techniques, and the growing trends.

“Understanding hacker techniques and processes are the best way to defend against cyberattacks, and focusing on business risks is the best way to get security budget, according to an ethical hacker” – Joseph Carson

Cybersecurity has become part of everyone’s daily life and can no longer be separated into personal and work life. Once only a concern in the workplace, today cyberattacks are more common and affect everyone connected to the internet.

I predict that cyberattacks will be the biggest threat to every human being and business on earth and will trigger future wars and political instability.

Want to avoid becoming the victim of a data breach? Start with this:

  1. Educate everyone in your organization on the fundamentals of cybersecurity—no matter their position.
  1. Use cybersecurity and Privileged Access Management software that’s people-friendly—when it’s easy to use people will use it.
  1. Implement Multi-Factor Authentication for emails and all sensitive privileged accounts.
  1. Enable encryption to protect user credentials and privacy.
  1. Automate the management and security of privileged access using a full-featured PAM solution.

IAM, PAM, PEDM... What do all those acronyms mean?

Get the answers in our cybersecurity glossary.