Leading Causes of Breaches Revealed

For an overview of the current cybersecurity landscape, the annual Verizon Data Breach Investigations Report (DBIR) is always worth reading. The 2020 version has just been released and is available here.

2020 DBIR is based on information from across the globe, and draws on analysis of 157,525 incidents. Of those, 32,002 met Verizon’s quality standards for verification. 3,950 were confirmed data breaches, i.e. incidents resulting in confirmed disclosure of data to an unauthorized party. The report is based on incidents occurring in the year up to 1 November 2019.

Here’s a closer look at the most important findings, along with tips on staying secure in the face of the most prevalent current threats…

Who are the threat actors?

  • 70% of data breaches were caused by external actors, i.e. parties from outside the organizations they are targeting.
  • Of these, 55% were categorized as “organized crime”. Note: as the report authors were careful to point out, “organized crime” in this context means “criminals with a process”, rather than the mafia.

What are their motives?

  • 86% of data breaches are for financial gain.
  • Stories of industrial and state sponsored espionage get a lot of publicity. But according to Verizon, only around 5% of breaches are motivated by espionage.
  • Other motives (e.g. fun, ideology and grudge) feature in around 2% of breaches.
  • Personal data is still the prime target. 58% of breaches involved exploiting personal data.

How are breaches carried out?

  • The majority of breaches (over 67%) are caused by credential theft. Of these breaches, 37% used stolen or weak credentials and 25% involved phishing. Human error accounted for 22% of these breaches.
  • 43% of breaches involved attacks on web applications.
  • Fewer than 1 in 20 breaches exploit vulnerabilities. But that’s not to say you can afford to ignore those software security updates when you get them. As the DBIR team points out, attackers will try easy-to-exploit vulnerabilities if they’re available, underlining the importance of having a patch management system in place.
  • Ransomware was used in 27% of incidents involving use of malware.

Sector breakdowns

2020 DBIR also includes analysis of data breaches across 16 different industry sectors. This reveals a lot of variation in terms of identity and motivations of threat actors, as well as preferred methods of attack.

Here are some illustrations of those differences:

  • Healthcare is the sector with the highest number of internal bad actors. 48% of healthcare breaches were perpetrated by insiders. In contrast, just 5% of incidents in the construction industry came from within.
  • If you work for a school or college, be especially wary of ransomware attacks. Ransomware was responsible for 80% of all malware-related incidents in this sector, compared to a global average of 27%.
  • In retail, 99% of incidents were financially motivated. In manufacturing, the risk of company secrets being exposed becomes a much more pressing concern. In almost a quarter of breaches in this sector, espionage was the primary motivator.
  • Public sector organizations seem to have improved significantly in identifying breaches. 2020 DBIR shows that only 6% of breaches lay undiscovered for at least a year, compared to 47% in the previous report. This improvement is thought to be linked to the strengthening of the legislative rules on breach reporting.

Trends and Takeaway Points

Credential theft & phishing

For verified data breaches, phishing - i.e. duping victims into disclosing their credentials - is the single most common method of attack. The DBIR group found that in the vast majority of cases (96%), phishing attempts arrived via email. 3% arrived via the target organization’s website, while just 1% were linked to phone/SMS.


  • Filters. Tools to filter or block incoming phishing emails.
  • Training & policies. Train staff on how to spot and avoid phishing attempts and fraudulent requests for information. This includes strict rules on non-disclosure of credentials and on the importance of password strength/uniqueness.
  • Multi-factor authentication. For instance, let’s say a threat actor has managed to obtain a username and password. In the absence of a numerical code sent to the user’s mobile, they’ll still be denied access to the relevant platform.

Web application breaches

2020 DBIR showed that 43% of breaches involved web app attacks, twice as much as last year. This is closely linked to the fact that many businesses have shifted to the use of cloud-based software-as-a-service (SaaS) and cloud storage of data.


  • Do your research. Be careful which cloud service providers you do business with! Reputable providers will be happy to provide verifiable information on the breach detection, monitoring, encryption and other data protection measures they have in place.
  • Network monitoring. This enables you to spot unusual behaviour (e.g. unfamiliar login locations/times) that might indicate an unauthorized login attempt.
  • Enable automatic updates. These update settings can be especially valuable where you have a scattered workforce. It means that you can be sure vulnerabilities are closed off swiftly, hopefully before threat actors have the opportunity to exploit them.
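
The network-monitoring tip above, as an added example (not from the DBIR or the original article): a minimal per-user baseline that flags successful logins from a country or at an hour the user has not been seen at before. The event format, the thresholds and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events: (ISO timestamp, user, country, result)
SAMPLE_EVENTS = [
    ("2020-05-04T09:12:00", "alice", "GB", "success"),
    ("2020-05-05T10:03:00", "alice", "GB", "success"),
    ("2020-05-06T08:47:00", "alice", "GB", "success"),
    ("2020-05-07T11:20:00", "alice", "GB", "success"),
    ("2020-05-08T03:15:00", "alice", "BR", "success"),  # new country, odd hour
    ("2020-05-04T22:10:00", "bob", "US", "success"),
    ("2020-05-05T23:05:00", "bob", "US", "success"),
    ("2020-05-06T22:40:00", "bob", "US", "success"),
    ("2020-05-07T23:20:00", "bob", "US", "success"),    # late logins are normal for bob
    ("2020-05-08T11:00:00", "bob", "US", "success"),    # known country, unusual hour
]

MIN_HISTORY = 3      # logins needed before a user's baseline is trusted (assumed value)
HOUR_TOLERANCE = 2   # hours either side of a previously seen login hour (assumed value)


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def find_anomalies(events):
    """Return (timestamp, user, reasons) for logins that break the user's own baseline."""
    seen_countries = defaultdict(set)
    seen_hours = defaultdict(list)
    alerts = []
    for ts, user, country, result in sorted(events):
        if result != "success":
            continue  # failed attempts are out of scope for this baseline
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if len(seen_hours[user]) >= MIN_HISTORY:
            if country not in seen_countries[user]:
                reasons.append("new country " + country)
            if all(hour_distance(hour, h) > HOUR_TOLERANCE for h in seen_hours[user]):
                reasons.append("unusual hour %02d:00" % hour)
        if reasons:
            alerts.append((ts, user, reasons))
        # Learn after scoring so an event is never compared with itself.
        seen_countries[user].add(country)
        seen_hours[user].append(hour)
    return alerts
```

Calling `find_anomalies(SAMPLE_EVENTS)` returns the two constructed outliers. Because this sketch learns from every event, including flagged ones, a real deployment would hold flagged logins out of the baseline until someone has reviewed them.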


Ransomware was involved in 27% of incidents involving malware, up slightly from 24% a year earlier. At least one piece of ransomware was blocked by 18% of organizations throughout the year. The DBIR group refers to this type of attack as “a big problem that’s getting bigger”.


  • Regular backups of important files to ensure restoration and business continuity in the event of an attack. Ensure that backups are kept separate from your network.
  • Active filtering and blocking mechanisms can reduce the likelihood of malicious content reaching your network.
  • Lateral movement prevention measures can prevent ransomware and other forms of malware spreading across your organization. For instance, network segmentation involves identifying, grouping and isolating critical systems. It can help effectively quarantine key parts of your network in the event of an attack.

Learn more

What specific cybersecurity threats do you think our business and our industry faces? What measures would you put in place to reduce our risks?

If you’re facing an interview for a cybersecurity job, these are the types of questions you can expect to encounter. To get the know-how and credentials you need to be able to answer with confidence, explore our full range of courses here.

  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Alishia says:

    Selecting anti-virus software that scans in real-time rather than manually is also important for malware detection and removal.

  • JBP says:

    Hey Nathan. Thanks for adding tips to each incident listed in this article.

  • j says:

    Excellent article! Those stats really break it down.

  • Bhavesh Gandhi says:

    Still, the infamous phishing attack is leading the pack of breaches. The ransomware attack is increasing YoY. Do we have any robust security controls that we can put in place to prevent the attack?

    • Nathan House says:

      Phishing is a complex issue, which is why it’s still successful. It relies on the lack of authentication in email and people clicking things they shouldn’t. It requires a defence-in-depth approach. So you might have technical controls to prevent suspicious email, training for staff, endpoint protection, etc. In The Complete Cyber Security Course I have a section on preventing phishing attacks.

  • KW says:

    Thanks for that DBI report breakdown, that was very appreciated

  • RG says:

    This article is very helpful and well done, thanks so much Nathan!

  • Karl Obayi says:

    Thanks for sharing, Nathan. Provides concrete perspective.

    Karl obayi

  • dkip says:

    Thanks for the info

  • Marty says:

    Thanks Nathan for your research and sharing your good work with us.
    You always have good articles.
    Thanks again.


  • Mrunali Bagde says:

    As if we connect our laptop to hotspot of mobile device, when we look for details of user mobile as easily available ip, mac details, mobile information.. So for it can we do something to hide our information from getting disclosed?

  • Karan Rao says:

    Hello Nathan, This is by far the most perfect article to convey the upcoming cyber threats. I am an aspiring analyst into cyber security, and thinking of writing an article on current cyber threats. It would be a great help if you could guide me regarding the same. Hoping to get connected with you and discuss.

  • Print ! Hello World says:

    Good read, many thanks for the insights
