Actionable Insights from the Verizon 2021 DBIR

by Security Centric, on 10/06/2021 5:06:25 PM

It’s always a great day for someone who loves reading reports when the annual Verizon Data Breach Investigation Report (DBIR) gets released. However, we know not everyone enjoys reading 119 page reports. In fact for many they often wind up creating more confusion than they help solve if you’re unsure of how the information impacts your organisation.

So we’ve taken some time and examined which areas of the report might be useful to organisations looking to understand where to steer their cybersecurity strategy (and the all important budget) for the upcoming financial year.

Click on a topic in the table of contents to take you straight to the parts you're most interested in.

  1. Overall Important Information
  2. Asia Pacific (APAC) as a Region
  3. Organisations Under 1000 Employees
  4. Public Administration and Government
  5. Healthcare
  6. Professional Services
  7. Manufacturing

This post will be updated over time with additional insights so keep checking back if you don’t see your industry listed here yet - or contact us to have a chat about what types of information security activities you may want to consider.

Interested in reading the full report? You can find it here:

Overall Important Information:

  • The 2021 Verizon DBIR examined 29,207 incidents, with 5,258 of those being confirmed breaches.
  • The report found that the changes to remote working, as well as the move that many organisations made in moving their infrastructure and data to the cloud, contributed to a 33% increase in breaches analysed as compared to last year.
  • Overall, the report indicated that a strong focus on fundamentals was a crucial aspect of ensuring organisations were secure and able to defend against a possible breach.

Asia Pacific (APAC) as a region:

The DBIR examined 5,255 incidents, 1,495 of those with confirmed data disclosure. Of all the regions surveyed, APAC saw more breaches last year than any other region.

  • Public Administration (Government, state and local councils, etc) saw the highest number of breaches, followed by Mining, Professional Services, and Education.
  • Threat actors were mainly external at 95%, with insider threats sitting at 6% for breaches specifically.
  • Motives included Financial (96%), Espionage (3%), and Fun (1%).
  • Top attack patterns included: Social Engineering, Web Application Attacks, and Miscellaneous Errors.
  • The overwhelming data that was compromised were credentials at 96%, which were then used to escalate or laterally expand the attack, or otherwise utilised to gain access to web applications belonging to the organisation.

Recommendations: Security awareness training and Simulated Phishing (for social engineering) , Web Application Penetration Testing (for web application attacks), Cyber Security Maturity Assessment (for misconfigurations).

Organisations under 1000 employees:

It’s important to note here that the DBIR splits this section into either under or over 1000 employees. What’s interesting in this year’s analysis is that the number of breaches in organisations both over and under 1000 employees were significantly similar, indicating that the traditionally higher financial gain from breaching larger companies has shifted to the generally less security mature smaller organisations. The attacks seen in smaller organisations also mirror those seen in larger organisations, so the old “security by obscurity” mantra no longer applies.

Approximately 50% of breaches were discovered only after weeks, months, and years had passed, indicating that a better implementation of detection-based security such as a SIEM solution would help organisations with less than 1000 employees detect and respond to incidents.

  • External Actors accounted for 57% of breaches, while inside threats accounted for 44%
  • Financial motives were came in at 93%, with espionage at 3%
  • Top patterns seen were system intrusion, miscellaneous errors, and basic web application attacks - accounting for 80% of all breaches.
  • Credentials were the top data type compromised at 44%, with personal coming in second.

Recommendations: SIEM Implementation (detection and prevention), Network Penetration Testing (System intrusion); Cyber Security Maturity Assessment (Miscellaneous Errors), Web Application Penetration Testing (web application attacks).

Public Administration and Government:

Worldwide this industry saw 3236 incidents, 885 with confirmed data disclosure, and the over and above “winner” for attack types was social engineering attacks - specifically phishing. Misconfiguration and misdelivery of emails were a distant 2nd and 3rd, however given that government organisations typically send a significant number of emails, this information is still important when it comes to privacy issues.

  • Threat Actors are predominantly external at 83%, and they’re motivated by financial gain (96%).
  • Credentials made up 80% of the data that was compromised and these were often used to further the malicious actor’s presence inside the network.

Recommendations: Unsurprisingly security awareness training including simulated phishing is the top recommendation here, followed by access control management reviews (good access control management prevents excessive access to systems and data in the case of credentials being compromised).


Unsurprisingly, 2020 saw the healthcare industry predominantly be targeted by financially motivated groups, with the method of attack predominantly being ransomware. In a twist, the type of data that was most compromised was personal data, not medical – in some ways this is to be expected given the higher level of security required to be in place for medical data.

  • Incidents for this sector numbered 655, with 472 of those being confirmed breaches.
  • External threat actors outnumbered insider threats, at 61% to 39%.
  • The top methods for compromise were miscellaneous errors, misconfigurations, and basic web application attacks.

Recommendations: Ransomware Protection, Security awareness with simulated phishing, Secure configuration/hardening and access control management.

Professional Services:

The professional services group as determined by the industry grouping system the Verizon DBIR uses (NAICS) is incredibly broad. Many organisations will fit within this segment, such as:

  • Legal, accounting, architecture, engineering, landscaping, surveying and mapping, testing laboratories, interior design, graphic design, Computer system design, computer software, Computer programming services, Management, Scientific, and technical consulting, scientific research and development services, advertising and public relations, photographic, veterinary, and more. For a full list, see the NAICS classcodes list here.

Even though this segment is broad, there are similarities across them that include relying on internet connected infrastructure, and their risk of being targeted by malicious actors getting into their systems, stealing data and credentials, and then leaving behind some ransomware. The double dipping of data exfiltration as a secondary blackmail source for payment has become a regular occurrence with a ransomware attack.

  • This sector saw 1,892 incidents with 630 confirmed data disclosure breaches.
  • The top methods of attack were system intrusion, social engineering, and web application attacks – representing 81% of breaches.
  • External actors made up 74% of breaches and Insider threats made up 26% of breaches.
  • 97% of incidents were financially motivated.
  • Credentials made up 63% of compromised data, with personal information at 49%.
  • Phishing was the leading social engineering tactic used to target this sector.

Recommendations: Security awareness and simulated phishing (as well as ransomware protection), access control management (good access control management prevents excessive access to systems and data in the case of credentials being compromised), secure configuration reviews/hardening of assets and software.


This industry was beset by social engineering attacks this year and according to the DBIR, it saw a significant increase in breaches caused by ransomware, with 61.2% of breaches caused by this type of malware. Threat actors for this vertical used primarily phishing attacks, with hacking using stolen credentials followed by further credential compromise or malware uploads coming in second.

  • 585 incidents overall, with 270 of those resulting in a breach
  • Threat actors were mainly external at 82%, 19% were insider threats.
  • 92% of the breaches seen were motivated by financial gain (unsurprising given the ransomware attacks).
  • Personal data (66%) and credentials (42%) were the main data types compromised, but payment data was too at 19% which is concerning.

Recommendations: Ransomware protection is hugely important for this vertical, with security awareness and simulated phishing as a part of that activity. Making sure that any compromised credentials can’t lead to excessive further compromise can be achieved by implementing correct access controls and configuration hardening.

We'll continue to update this blog with additional industries over time. Keep checking back with us over the next few weeks, or feel free to chat with one of our consultants to talk about your security needs now.
Topics:data breachVerizon DBIRReport Roundup


Finally, an actionable blog

The purpose of this blog is to make available the real-world lessons, experience, observations and mistakes that are part of the daily life of a group of cyber security professionals.

Read about:

  • What mistakes organisations are making (anonymously of course!)
  • What effective actions are available to quickly and economically achieve effective protection (without buying new kit)
  • Trends we're seeing, via our incident response and forensic investigation capabilities
  • And sometimes, just frustrations about what is wrong with cyber :|

Subscribe to Updates