Blog post

Highlights from Verizon DBIR 2019

By Anton Chuvakin | May 10, 2019 | 5 Comments

Here is my traditional “reading the DBIR aloud” post. Read the entire thing, BTW, and not only my favorites below:

  • 56% of breaches took months or longer to discover” <- we need to start this on a depressing note, otherwise, how can we be card-carrying security professionals? 🙂
  • “Errors were causal events in 21% of breaches” <- perhaps mundane, but it reminds us that in many cases (great example), the attacker does not have to work all that much because somebody left the door open…
  • In fact, “… the presence of insiders is most often in the form of errors” (so, nope, still nobody cares … except perhaps this: “healthcare stands out due to the majority of breaches being associated with internal actors.”)
  • “At most, six percent of breaches in our data set this year involved exploiting vulnerabilities.” [What did they involve then? Glad you asked! But, hey, you already know the answer – “phishing and stolen credentials”…]
  • ”Malware delivery method: email – 94%” [Anybody here thinks email security is solved, eh? Is anything solved in security?]
  • “breaches with compromised payment cards [hi PCI DSS!] are becoming increasingly about web servers” [personally, I blame DevOps for this nice bit of depressing backwards security movement :-)]
  • In fact, things are more fun on the web: “The web application compromises are no longer attacks against data at rest. Code is being injected to capture customer data as they enter it into web forms.” [So, stop whining about PCI DSS, will you? This scenario has been well-covered by QSAs for years, its just that some clients didn’t want to hear it and relied on “but we don’t store cards” excuse …]
  • “It is important to acknowledge that there will always be [vulnerability] findings. The key is to prioritize the important ones and have a plan for the remaining actionable vulnerabilities; and to be able to defend acceptance of unaddressed findings.” [this is literally the entire art and science of vulnerability management in one pithy line. Kudos to authors!]

There you have it!

P.S. This year the report is again very readable and fun, better than last year’s for sure.Thanks Alex? 🙂

Past blog posts about DBIR:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Fortune Barnard says:

    Thanks Anton. May I add the interesting one for me… 34% of attacks involved internal actors.

  • Karthik Krishnan says:

    By no one cares about insiders, are you saying it is not “malicious insiders” but “accidental insiders”?
    Because 34% is a large number

  • Amazing that 94% of malware is delivered via email, but roughly 1% of the security market $ is focused on email security? Mis-allocation?