June 24, 2019

Cybersecurity Surprises In The Verizon Data Breach Investigations Report

Archit Lohokare Chief Product Officer

Every year, Verizon publishes its Data Breach Investigations Report, one of the most prominent and respected reports in cybersecurity. This year, the 2019 report was the most extensive piece of research to date, offering findings based on analysis of 41,686 security incidents, including 2,013 breaches. The report is required reading for all in security, including those of us focused on identity and access management. Historically, the report has confirmed what we at Idaptive preach – that lost or stolen credentials are the number one cause of breaches. Now that the dust has settled following publication, I’ve compiled my lists of what surprised me in the 2019 report, and what did not.

What Surprised Me:

Hacking vs Social Attacks

The report notes that 52% of breaches featured hacking, while only 33% involved social attacks. This reverses the trend seen in recent years. A significant percentage of breaches has tended to be driven by social attacks, and the lower figure today may be attributable to end-user organizations having broader knowledge of how to prevent these types of attacks. People are now better at looking at websites and certificates to see if the URL actually matches. People are also – finally – starting to think twice about entering passwords in a website that has been sent in email. Anti-spam and anti-phishing technologies have gotten better, and email services and servers tend to filter more efficiently than a decade ago.

While this change in the trend did surprise me, it makes sense given the evolution of the industry.

Executive Weak Spots

Executives were 12 times more likely to experience a social engineering incident. While the fact that executives are targeted isn’t surprising, the fact that these social attacks succeed against them is. Social engineering and social attacks tend to be conceptually simpler, and one would hypothesize that it would be harder to successfully reach an executive. It is surprising that these social attacks do, in fact, succeed.

This leads me to believe that education of C-level executives around healthy practices and good cyber hygiene, and in terms of how to control access to critical information using the right security controls, is still extremely important. Information and insights from a user’s real-world identity, achieved through integration of IAM systems with identity proofing and corroboration systems, should be used when making the judgment whether or not to step up authentication.

Small Businesses Big Breach

The common perception is that there isn’t necessarily a lot of high value data and information centered in small businesses, so it was surprising to see that 43% of businesses affected by breaches came from this category. Targets of breaches typically tend to be larger enterprises, big banks and financial institutions who tend to have significant customer PII and other types of data. There is simply more to gain from these targets.

Identity theft and information theft are no longer just about getting high value information from a small number of people or organizations. Hacking and stealing PII data is now a volume game, and hackers seem to also go for a medium value of information from a large number of organizations.

Why would a hacker want to go after a “Mom and Pop” shop? One wonders what can be achieved by going after this data. But as more and more of these small businesses build up their online presence and transition to digital business models, it’s only natural that hackers see an avenue to go after them. To me, this seems like a wake-up call to smaller businesses, especially those that under-invest in technology based on a false sense of security. Being small will no longer be enough to keep you safe.

What Did NOT Surprise Me:

Privilege Abuse Continues

No surprise here: privilege abuse continues to be the biggest reason why breaches and incidents happen. Traditionally, insider threats and privilege abuse have been among the most common reasons for a breach, and they remain so.

Types of Assets Being Compromised

The most breached assets tend to be things like email servers or database servers. Email servers contain a lot of information, including confidential communications between people. They can contain financial data and security data. They can have executive-level communication information. It continues to make sense why people target email servers as a primary asset. Databases also contain loads of information, including, potentially, credit card numbers.

Hackers know what assets will result in the biggest financial gain, and so it’s not surprising that these are the types of assets most compromised.

Go Phish

In the last few years, phishing, and spear phishing specifically, have become the most common way of getting information. As the authors of the report conclude, the design of mobile devices and how users interact with them likely contribute to this. The good news was that users tend to report clicking on phishing emails more quickly than in previous years.

2020 Vision

The Verizon 2019 report demonstrates progress being made in the world of cybersecurity, but much can still be done to prevent breaches. Seemingly simple recommendations like reiterating good cyber hygiene tactics to employees and implementing multi-factor authentication solutions are good places to start. This calendar year has already been rife with security incidents and breaches, and I eagerly await Verizon’s analysis for the 2020 report. What will surprise me from the 2020 Verizon report?

Archit Lohokare

Chief Product Officer

Archit Lohokare is Chief Product Officer at Idaptive, where he is responsible for product strategy, driving innovation, and bringing new products and services to market. He transitioned over to Idaptive as it was spun out from Centrify, where—as Vice President of Product Management—he led the Identity-as-a-Service (IDaaS) and Unified Endpoint Management product portfolio. Prior to Centrify, Archit was Vice President of Products at Optymyze, where he led the product management team responsible for the company’s Sales Performance Management and Sales Platform-as-a-Service SaaS and PaaS solutions, securing a Leadership position in the first Gartner Magic Quadrant report on Sales Performance Management along the way.

Earlier in his career, Archit led Symantec's Cloud Information Protection Security-as-a-Service offering, and IBM's Access Management product line, comprised of Web Access Management, Identity Federation, Enterprise Single Sign-On, and Risk-based Access and Entitlements Management products. Archit joined IBM through the acquisition of Encentuate, a leading Bay Area start-up in the security software space; as an early employee, he had the opportunity to contribute to its successful exit. 

Archit has an MBA from UC Berkeley-Haas School of Business, and a bachelor’s degree in Computer Engineering from NTU, Singapore, where he was awarded the SIA-NOL undergraduate scholarship by the Ministry of Education, Singapore.

Archit is an avid history buff, enjoys reading in his spare time and running breathlessly after his one-year-old, hyperactive son.


If Archit could have any Chameleon-like superpower, it would be the ability to change colors quickly and adapt. “Actually, it would be like the ability of our IAM solutions to adapt instantaneously to a customer’s environment and user behavior. Anomalous user access? A snap! Presto, change-o – like a chameleon from green to red in an instant, adapt to the change in user behavior and request user to assure their identities using multi-factor authentication...”