The 2020 Verizon DBIR: If Nothing Changes, Then Nothing Changes

Brian Thomas | May 26, 2020

This week the 13th edition of the Verizon Data Breach Investigations Report (DBIR) was released, which is usually a hallmark event of the cybersecurity world. As we have been in previous years, BitSight is proud to be a data contributor to the report. After taking some time to give it an initial read through, however, one thing stood out loud and clear to us: how little has changed after 13 years.

Going back to revisit the 2019 and 2018 reports, our suspicions were confirmed-- sure a few percentage points have changed here and there, but overall the state of the cybersecurity world is much the same.

Does this mean the DBIR is irrelevant? A relic of a bygone era that we cling to because we always have?


Our main takeaway is that Instead the 2020 DBIR is another excellent, very well-researched piece of work that illustrates the need for change in our industry. Security and risk leaders appear to be doing the same things, year in and year out, with the same predictable results. If those results reflected perfect performance, the lack of change would be comforting. But instead the report shows that while the attack methods evolve (see: the rise in ransomware), organizations of every size continue to be vulnerable to breach. 

So we here at BitSight would say that rather than dismissing the report as more of the same, it should serve as a clarion call to security pro’s everywhere that we need to rethink how we approach security, and a data-based demonstration that we need to break out of old habits and old thinking.

What Stood Out?

At 119 pages the DBIR is a lot to digest, however a few things already stood out to us as we dove into the report, and took a glance back at last year’s:

  1. The “Error” section was clearly alarming, and to our minds clearly demonstrated the limits of technology. Organizations need to move away from a mindset of following a traditional security blueprint, and focus on getting visibility into where risk is concentrated in their footprint.
  2. Cloud assets were involved in 24% of breaches this year, with SaaS (software as a service) called out specifically. 40+% of those breaches came from web apps, moving from the #3 to the #1 spot this year, rapidly overtaking desktop as the top source of breach. Third-party vendors present a real and growing threat to organizations.
  3. Organizations continue to have an asset management problem. According to the DBIR, half of all companies are present on seven or more networks. Getting visibility into your entire asset footprint and understanding your extended attack surface is critical.
  4. The major bright spot in the 2020 DBIR is the dwell time of breaches. In 2019 56% of breaches took months or longer to detect. In 2020 81% were resolved in days or less.
  5. Organized crime continues to be the major driver of malicious activity. This is interesting given the media attention given to state-sponsored breaches. 

Our Key Takeaway

Our big takeaway from the report is that security is still approached as a tactical security problem, instead of as a strategic risk problem.

As we’ve already said, what jumped out was how little has changed in terms of the breach numbers. What is interesting, however, is even as business evolves, the success of bad actors remains the same. As more business migrates to the cloud and web-apps, bad actors are adopting their methods and changing things up to stay one step ahead.

Simply putting in the same firewalls, using the same security controls, and conducting the same anti-phishing training is not going to change the status quo. Security and risk leaders need to change their thinking and focus on gaining visibility into the attack surface, incidents of human error, where risk is concentrated, and objective metrics to drive accountability for improvement. Without making these changes, we fear that the 2021 Verizon Data Breach Investigation Report will look much the same as it did in 2020...and 2019...and 2018.

cybersecurity kpi


Suggested Posts

CISO's Board Report Cyber Security Toolkit

When it comes to reporting to the board, there are plenty of tools at the CISO’s disposal. Looking at the right metrics and putting them in the right context can help turn your next board meeting into a source of confidence, not stress....


Is Single Sign-On Secure? SSO Benefits for Remote Work

Remote work has always introduced unique and evolving cyber risks. In our “new normal” operating environment, where entire workforces have gone remote, IT security teams are facing an unprecedented challenge.


Are Your Payment Card Vendors Maintaining PCI Security Standards?

The payment card industry (PCI) has long been a Holy Grail target for bad actors for obvious reasons. Visa, Mastercard, and American Express account for the bulk of the consumer financial activity in the United States. Breaching them would...


Subscribe to get security news and updates in your inbox.