Verizon 2024 Data Breach Report shows the risk of the human element
Author: Mari Cherry
Published on: October 10, 2024
Verizon Business released its 17th annual Data Breach Investigations Report (DBIR), highlighting the role that the human element plays in cyber threats.
The report examined 30,458 security incidents and 10,626 verified breaches in 2023, representing a two-fold increase from 2022.
More than two-thirds (68%) of the breaches analyzed included a non-malicious human element. In other words, these incidents involved insider errors or people falling for social engineering schemes.
Key Findings from the Verizon 2024 DBIR
- 32% of breaches involved a form of extortion, including ransomware.
- Over the past two years, between 24% and 25% of financially motivated security events involved pretexting.
- Over the last decade, 31% of breaches involved the use of stolen credentials.
RITC Cybersecurity Comments
When we review stories like this, and they point to human failings involving social engineering, ransomware, or stolen credentials, we know from experience that this typically points to inadequate security training.
This usually takes several forms:
Lack of Understanding of the Importance of Security Training
We still encounter companies that believe they have nothing worth stealing and therefore invest the minimum amount possible in cybersecurity practices.
Inadequate Security Training
Some small to medium-sized companies do not have the budget or staff to maintain up-to-date security training that includes phishing, social engineering, and general awareness.
They often rely on outdated training solutions or internally developed programs. In today’s cybersecurity environment, that is no longer sufficient to prepare employees to deal with cybercriminals.
Infrequent Security Training
Many companies require cybersecurity training during onboarding or annually, but then fail to reinforce it throughout the year.
RITC Cybersecurity recommends conducting cybersecurity training quarterly, especially phishing awareness training.
While that may sound burdensome, there are practical strategies to make quarterly training significantly more manageable than a once-per-year approach.