The 2020 Verizon DBIR: If Nothing Changes, Then Nothing Changes

This week the 13th edition of the Verizon Data Breach Investigations Report (DBIR) was released, which is usually a hallmark event of the cybersecurity world. As we have been in previous years, BitSight is proud to be a data contributor to the report. After taking some time to give it an initial read through, however, one thing stood out loud and clear to us: how little has changed after 13 years.

Going back to revisit the 2019 and 2018 reports, our suspicions were confirmed-- sure a few percentage points have changed here and there, but overall the state of the cybersecurity world is much the same.

Does this mean the DBIR is irrelevant? A relic of a bygone era that we cling to because we always have?

Hardly.

Our main takeaway is that Instead the 2020 DBIR is another excellent, very well-researched piece of work that illustrates the need for change in our industry. Security and risk leaders appear to be doing the same things, year in and year out, with the same predictable results. If those results reflected perfect performance, the lack of change would be comforting. But instead the report shows that while the attack methods evolve (see: the rise in ransomware), organizations of every size continue to be vulnerable to breach.

So we here at BitSight would say that rather than dismissing the report as more of the same, it should serve as a clarion call to security pro’s everywhere that we need to rethink how we approach security, and a data-based demonstration that we need to break out of old habits and old thinking.

What Stood Out?

At 119 pages the DBIR is a lot to digest, however a few things already stood out to us as we dove into the report, and took a glance back at last year’s:

1. The “Error” section was clearly alarming, and to our minds clearly demonstrated the limits of technology. Organizations need to move away from a mindset of following a traditional security blueprint, and focus on getting visibility into where risk is concentrated in their footprint.
2. Cloud assets were involved in 24% of breaches this year, with SaaS (software as a service) called out specifically. 40+% of those breaches came from web apps, moving from the #3 to the #1 spot this year, rapidly overtaking desktop as the top source of breach. Third-party vendors present a real and growing threat to organizations.
3. Organizations continue to have an asset management problem. According to the DBIR, half of all companies are present on seven or more networks. Getting visibility into your entire asset footprint and understanding your extended attack surface is critical.
4. The major bright spot in the 2020 DBIR is the dwell time of breaches. In 2019 56% of breaches took months or longer to detect. In 2020 81% were resolved in days or less.
5. Organized crime continues to be the major driver of malicious activity. This is interesting given the media attention given to state-sponsored breaches.

Our Key Takeaway

Our big takeaway from the report is that security is still approached as a tactical security problem, instead of as a strategic risk problem.

As we’ve already said, what jumped out was how little has changed in terms of the breach numbers. What is interesting, however, is even as business evolves, the success of bad actors remains the same. As more business migrates to the cloud and web-apps, bad actors are adopting their methods and changing things up to stay one step ahead.

Simply putting in the same firewalls, using the same security controls, and conducting the same anti-phishing training is not going to change the status quo. Security and risk leaders need to change their thinking and focus on gaining visibility into the attack surface, incidents of human error, where risk is concentrated, and objective metrics to drive accountability for improvement. Without making these changes, we fear that the 2021 Verizon Data Breach Investigation Report will look much the same as it did in 2020...and 2019...and 2018.