Skip to content

Key Takeaways from the Verizon Data Breach Investigations Report 2022


Every year I anxiously await the publication of the Verizon Data Breach Investigations Report (DBIR). This annual tome is a virtual Mecca that draws a worldwide audience of security practitioners. We savor its insights and analysis of information security incidents and breaches.

Heavy on data gleaned from actual investigations, it can be a little dry for sure. But sprinkled throughout are lighter moments that help punctuate the gravity. (Be sure to look for references to Sasquatch, Area 51, and Unamused Baboons NFTs!)

The Verizon DBIR is more than just a collection of interesting stats

The Verizon Data Breach Investigations Report isn‘t just a collection of interesting stats for reference. It helps us better understand the mind of the cybercriminal and the tactics, techniques, and procedures they’re using daily. It also makes references to prior editions to help us understand how the threat landscape has changed over time. It’s an incredibly valuable asset that I encourage you to share with the rest of your IT and security teams to focus your security efforts and fortify your defenses.

Here are highlights that jumped out at me.

Focus on abuse and misuse of privilege

The Verizon Report points out many dangers that stem from abuse and misuse of privilege, including an administrator improperly implementing a patch, an insider doing something malicious, or a cybercriminal from the outside stealing data or installing ransomware.

The Verizon Report tells us that almost 40% of external incidents involved business partners. Companies trust vendors and partners with privileged access to systems. Due to increased outsourcing for roles that are difficult to fill with qualified candidates, they are giving out more of that access to third parties. As a result, vendors, contractors, partners, and other third parties can do more damage and often operate undetected.

We’re also experiencing the largest exodus of talent in history and with it, increased risk from insiders with privilege who know how systems work and where security controls are applied. Offboarding processes must ensure credentials and data don’t leave the organization with the ex-employee. Having full visibility into their access and the ability to disable it all with the push of a button or rotate all their account passwords is so important.

The human element is key to reducing risk

Plus ça change. Put another way, the more things change the more they stay the same. Whether security is our day job or we’re a “regular” end-user, we’re all fallible. Cybercriminals will continue to exploit our very human mistakes.

By empowering people with usable security solutions that keep them productive, you increase the likelihood that they will adopt security best practices and reduce manual errors.

Pay attention to securing all points of user ingress with secure remote access controls, MFA, and centralized, role-based policy management.

That said, no security technology can replace the need for continual security awareness training.

Layered defenses must fortify all pathways to the crown jewels

Organizations have lots of inroads that lead to sensitive systems and data. Each is a potential vector of attack and Verizon’s advice is to fortify them all.

Compromised credentials lead to ransomware attacks, which saw an increase in 2021 as large as the last five years combined.

Credentials are easy to obtain. Masquerading as a legitimate employee helps cyber criminals in many ways, such as avoiding detection. Cybercriminals use credentials to gain access at the borders of your network, on user workstations, network devices, servers, domain controllers, and privileged applications.

The recent focus on implementing a Zero Trust architecture reduces risk of credential compromise. It limits access according to the Principle of Least Privilege and ensures users are who they say they are.

Phishing is the gift that keeps on giving.

Remote work has increased the attack surface and a lack of security hygiene for home networks versus the office presents more opportunity for cyber attack. Again, compromising credentials and endpoint takeover are tactics to help cyber criminals move vertically to the server network and then laterally between servers, hunting for data.

Software vulnerabilities open the door to cyber criminals.

Regular patching to close off known vulnerabilities maintains the basic health and security of your systems, applications, and data. Layering additional PAM controls such as privilege elevation and MFA can prevent subsequent vertical or lateral movement when cyber criminals compromise credentials. More mature context-based PAM capabilities such as real-time behavioral analytics and machine learning can detect scenarios such zero-day exploits where static rules fail.

Early warning and rapid response are key to business recovery

Quickly discovering a breach in progress provides more opportunities to prevent it and reduce the fallout. On the positive side, according to the Verizon Report, organizations are generally detecting breaches in days rather than months. Unfortunately, it’s not discovery by security controls that provides the warning. Rather, says Verizon, threat actors are disclosing their efforts by leaving a ransomware note for the victim. or when selling the data on criminal forums on the Dark Web.

Technology can still help. It can prevent or hamper progress via least privilege and MFA applied at multiple access control gates, and with behavioral analytics more quickly detect and alert on anomalous activity. For example, if a breach is detected, as part of an incident response plan, you can automatically change all passwords, implement additional layers of MFA or approvals, or even revoke access to critical systems entirely until the breach is resolved, and forensics determines ransomware or other issues have been removed.

Cybercriminals wear suits

Teams of cyber criminals are well-oiled machines. They run like a business, with an eye on the P&L. We’ve seen a shift from opportunistic attacks to a more organized crime model. Teams may be on the clock, working on projects to deliver in specific timeframes for clients. They invest money in programs, funding development, target acquisition, channels for email and content distribution, and on methods such as ransomware to monetize the data they compromise. With defined project plans and teams of specialists working on fixed tasks in the attack chain, putting obstacles in their path (as mentioned above, such as MFA), can break that chain.

I encourage you to block an hour or two of your busy schedules to scan through the Verizon DBIR 2022

As Verizon DBIR 2022 notes “by understanding the transactions associated with this ecosystem, we can understand the key steps involved in attacks and work collaboratively to make those transactions more difficult, expensive or unsustainable for the attackers to circumvent our security and compromise our data and operations.”

I encourage you to block an hour or two of your busy schedules to scan through the Verizon DBIR 2022. It’s free to download from here. Alternatively, you may prefer to sit back, close your eyes, and listen to me, Joseph Carson, Chief Security Scientist, and Stan Black, Delinea CISO, in a 401 Access Denied podcast where we shared our takeaways. You’ll find many other super-interesting podcasts there, too.

You'll walk away armed to drive a more robust security agenda and better protect your organization.

Least Privilege Cybersecurity for Dummies

Start your least privilege journey here

The smart guide to jump-start your least privilege strategy.