In April, the cybersecurity world hotly anticipates the arrival of the Verizon’s annual Data Breach Investigation report. The deTECH team always takes some time to investigate the investigation and provide a digest of some interesting takeaways. If you would like to read it for yourself, you can go here. Or if you want to drill down and actually interact with the data, go here. Without further ado, here is our analysis of the 2018 Verizon DBIR Highlights.

2018 Verizon DBIR

73% of breaches were perpetrated by outsiders.

Juxtapose this number with the financial reporting malfeasance of the early ‘00s that resulted in the Sarbanes-Oxley Act aimed at reducing internal financial reporting fraud. SOX controls focus heavily on mitigating internal risks around user access, security monitoring, and other IT general controls. Although the risks differ (internal financial reporting fraud versus technical cybersecurity threats), many of the mechanisms implemented as a result of SOX can contribute to strong threat mitigation from these external, technical threats. And from an enterprise risk perspective an entity always be cognizant of where its risks exist, not just focus on compliance-related risk (like SOX controls)

58% of victims are categorized as small businesses.

So often, SMB’s approach to cybersecurity is “that’s an IT problem and we have an IT person so we’re fine”. Sorry Charlie, wrong answer. If over half of breach victims are small businesses and they have a small technological footprint, their cyber exposure should be relatively easy to minimize. SMB owners should consider cybersecurity risk equally yoked with business risks like fraud risk, reputation risk, or bad customer service. A good starting point is to review and implement key IT controls from a framework like NIST Cybersecurity Framework or the Center for Internet Security’s Top 20 Controls. Often, minimizing your risk doesn’t cost anything: minimizing administrator privileges, updating the software or firmware on your firewall and routers, using the access configuration tools to reduce unnecessary access, and turning off unnecessary services on your systems pointing toward the internet.

Almost 90% of breaches have one of two motives:

Either financial or strategic advantage (espionage) were the two primary motives of the breaches investigated, and of the two, financial motivation is in the 70% range. You could file this one under “duh” but it’s still worth consideration. That’s why it is always important to pay close attention to how actual money moves into and out of your business and build in controls both at a technical level an operational level to reduce the risk.

You don’t have to outrun the bear:

One of the first deTECH articles we ran in 2012 showed that your organizations don’t have to be perfect, just better than most. The 2018 Verizon DBIR report seems to continue indicating a similar approach. “Let’s get the obvious and infeasible goal of ‘Don’t get compromised’ out of the way. A focus on understanding what data types are likely to be targeted and the application of controls to make it difficult (even with an initial device compromise) to access and exfiltrate is key”. Again, you don’t have to be perfect, you just have to make it so difficult that the attackers move on to the next guy.

2018 Verizon DBIR

The 2018 Verizon DBIR report is full of fascinating information and we encourage you to read through it, especially the sections applicable specific to your industry. These findings only scratch the surface. So read it and protect your systems and your data.


Bryan NewlinBryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.