By Karen Sprenger   /   Jun 28th, 2022

Top Takeaways from the 2022 Verizon Data Breach Report & How to Reduce Your Risks

Verizon data breach report 2022 imageAll of us at LMG Security were honored to once again be a contributor to Verizon’s Data Breach Investigations Report (DBIR). If you haven’t had a chance to look at it, I highly recommend giving the 2022 Verizon data breach report a read. Not only does it provide great information about the state of cybersecurity, but the team who creates it keeps the report itself interesting and entertaining. In other words, it’s one of few industry reports that I can’t use as bedtime reading. In case you haven’t had an opportunity to read it yourself, I’m going to give you a high-level overview.

One note before we begin. Keep in mind that any industry report is limited in that they can only analyze and provide insight into the data available to them. Currently, there is no centralized way to track data breaches across industries, countries, states, etc. So, the data in the 2022 Verizon data breach report is limited to what was reported to Verizon. That said, they analyzed 23,896 security incidents, so they are drawing from a good-sized pool. Keep in mind that the data analyzed is from 2021.

Some Background on the Verizon Data Breach Report

The first Verizon data breach report was released in 2008, making this the 15th anniversary edition of the report. (Can that be right? I mean the 1980s were only 20 years ago, right? Right?!?) Anyway, one of the features of the DBIR this year is that Verizon uses the opportunity to share data from previous years’ reports, and it’s definitely interesting to see what has changed and yet, what remains the same. For example, in 2008, 73% of data compromises came from external sources and in 2021, 80% still come externally. However, in 2008, 39% of breaches came from partners, while in 2021, less than 5% were from partners.

Key Takeaways From the 2022 Verizon Data Breach Report

No surprise to our team, ransomware is on the rise, growing by 13% over the past 5 years, and it contributed to 25% of incidents in 2021. The most common errors reported were related to cloud misconfiguration and contributed to 13% of the attacks. Regardless of incident type, 82% of incidents involved the human element.

How Are the Criminals Compromising Networks?

The 2022 Verizon data breach report breaks access down into four methods by threat actors. In order of likelihood:

  • Credentials
  • Phishing
  • Exploiting Vulnerabilities
  • Botnets

These are the areas that should be prioritized when securing your infrastructure, so let’s look at each briefly.


Whether credentials are harvested, stolen, purchased on the dark web, or guessed, according to the 2022 Verizon data breach report, cybercriminals used credentials to access nearly 50% of the organizations that were breached in 2021. If you’re a regular reader of our blog, you may already know what I’m going to say next, but these tactics are crucial and bear repeating.

Here are strategies you should use to protect your organization against attackers who gain access by using valid credentials:

  • Require strong passwords of 16 characters or more, encouraging users to think in terms of passphrases such as song lyrics, movie quotes, or even four random words. Complexity (such as adding special characters) is not as important as length. Plus, spaces and punctuation are special characters. We have a blog on the data behind password lengths that is worth a read.
  • Don’t reuse passwords across different services or accounts. If a service such as LinkedIn has a data breach, the passwords will be readily available for purchase or free download on the dark web. Criminals will try those compromised credentials against other sites.
  • Don’t use shared passwords for any accounts but especially for privileged accounts like local administrator or service accounts. If a criminal gains access to the password, they not only have elevated privileges, but access to any system using that shared password.
  • Implement multi-factor authentication (MFA) through an authentication app. Even if a criminal gains access to valid credentials, those credentials are not enough to gain access so long as MFA is in use. Read our MFA overview and best practices tip sheet for more information.
  • Provide access to a password manager like Dashlane or LastPass and train your users to use it. Our brains weren’t designed to remember 200-300 unique passwords, so let an app do the heavy lifting.


According to the 2022 Verizon data breach report, criminals continued to send emails in an attempt to trick users into clicking links, opening attachments, or providing information (like credentials), contributing to about 20% of compromises in 2021.

Help your users out by:

  • Employing robust spam filtering
  • Blocking unnecessary attachments
  • Stripping known malware from email messages
  • Providing regular training to teach users to recognize phishing
  • Tell users what to do if they make a mistake and fall for a phishing email

While the first three items will provide levels of protection, we all know that no filtering or blocking is 100% accurate and bad stuff still gets through, so training is still necessary and important. Even more critical is letting users know what to do if they make a mistake. We are all human, and we all make mistakes. In the case of phishing, self-reporting those mistakes as soon as they happen allows the organization to implement extra measures (such as password resets or system isolation) to limit the damage. For more information on phishing, read our phishing blog series and download our tip sheets on phishing prevention and how to spot a phishing email.

Exploiting Vulnerabilities

In 2021, we saw that one zero-day vulnerability in key software or the supply chain can lead to a large-scale compromise with hundreds or thousands of victims. While only contributing to about 10% of compromises, we anticipate that number will continue to grow—in fact, it earned a spot on our list of the 4 Top Cybersecurity Threats for 2022.

To protect against vulnerability exploits, organizations should:

  • Create an inventory to document the software and systems in use and ensure you can access it quickly in the event of a zero-day vulnerability.
  • Maintain a robust patch management program. Patches should be applied in an automated fashion, and as soon as feasibly possible. As soon as a zero-day becomes known, cybercriminals begin scanning for exploitable systems. Patch fast. Watch our 3-minute video on patch management tips.
  • Talk to your vendors about providing a Software Bill of Materials (SBOM) so that you know what underlying tools, software, or components are a part of their solution. You can’t patch what you don’t know is present. Read our blog on why and how to incorporate SBOMs into your cybersecurity strategy for tips on how to move forward.


As many of you probably know, botnets are large groups of computers that are being controlled by a cybercriminal group. In most cases, the computer’s user is not aware that it is part of a botnet. The activity is taking place in the background and may not impact the system at all. Botnets are primarily used for Denial of Service (DoS) attacks. While the 2022 Verizon data breach report found that these were used in less than 5% of attacks in 2021, a DoS attack can result in a system or network becoming unusable and lead to a lot of unhappy customers! The best way to prevent or prepare for DoS attacks is by using a service like CloudFlare, and/or maintaining redundant Internet connections (through separate providers and separate relays) if possible.

In Closing

Cybersecurity incidents will continue to happen. However, by educating ourselves about the most common attacks and understanding how to protect our organizations, we can successfully reduce the likelihood and the impact of an attack if it does happen. At LMG Security we are passionate about helping our clients build robust security programs to address all areas of risk. Contact us if you need help with technical testing, cybersecurity solutions, advisory services, training, or incident response. We’d love to work with you.

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She has more than 25 years of experience in cybersecurity and information technology, and she is a noted cybersecurity industry expert, speaker, and trainer. Karen is also the co-author of a new book, Ransomware and Cyber Extortion: Response and PreventionShe speaks at many events, including those held by Wall Street Journal Cyber Pro, Fortinet, the Internal Legal Tech Association, and the Volunteer Leadership Council. Karen is a GIAC Certified Forensics Examiner (GCFE) and Certified Information Systems Security Professional (CISSP) and holds her bachelor’s degree in music performance (yes, really). In her spare time, Karen considers “digital forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” A lifelong Montanan, she lives in Missoula with oodles of poodles.