Verizon Security Report: 97 Percent of Attacks Were Avoidable

A security report released today by Verizon that studied 855 breach incidents from last year concluded that 97 percent of them could have been avoided by "simple and intermediate controls."

The report also found that 58 percent of these breaches were done by online "hacktivists" -- those who attacked in social protest, retaliation, activism or simply to pull a prank on unsuspecting users. Verizon's report indicated that it's harder to prepare for the next attack in cases where the hacks weren't done for monetary gain.

"Doubly concerning for many organizations and executives was that target selection by these groups didn't follow the logical lines of who has money and/or valuable information," said the report. "Enemies are even scarier when you can't predict their behavior."

Much of the 97 breaches -- especially those that came from hactivists --  could have just been avoided if users kept in mind that if you are online, you are always susceptible to attacks, said Rapid 7's security researcher Marcus Carey.

"Bottom line: if you are vulnerable you can expect to be exploited," said Carey. "The good news though is that this also means organizations can significantly reduce their risk through proper vulnerability management, educating users, and implementing network-based access controls lists."

As for the types of attacks used, Verizon found that incidents that utilized a hacking tool or skill constituted 81 percent of attacks, with 69 percent of those attacks employing the help of malware to pull off the breach.

Verizon said the types of attacks used has changed little over the past few years because hackers continue to get the same results with known attack vectors.

"We have seen nothing new," said Verizon analyst Marc Spitler. "Some of the old standbys are continuing to work very well for the people going after information."

While Verizon found that the majority of incidents studied were caused by hacktivists, it noted that the more traditional attacks from criminal organizations were focused on smaller corporate targets in 2011.  The report found that attacks on businesses in the accommodation and food service industries made up 54 percent of the 855 breaches studied. It found that 85 percent of those businesses employed less than 1,000 personnel.

"Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well," the report explained. "Thus, the number of victims in this category continues to swell."

Attacks against small corporations consist mostly of using malware and finding vulnerabilities in Web sites. By contrast, when larger companies are attacked, the hacks tend to be done using phishing and social engineering.

It's important to note that Verizon only studied breaches that were reported to local and federal law enforcement agencies. The report acknowledged that a majority of attacks, especially against large corporations, are never disclosed.

About the Author

Chris Paoli is the site producer for and


  • Exchange Server June Cumulative Updates Arrive, but with Red Tape

    Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

  • Moving an Old VM to a New Hyper-V Host

    So you want to know whether a Hyper-V virtual machine built on a legacy host will be supported by a newer server? There's a PowerShell command for that.

  • AI-Driven Solution Tracks Packets Through the Datacenter

    Datacenter solutions vendor Kaloom this week unveiled a new offering the company says will enable the development of "self-driving" datacenter networks.

  • Microsoft Previews Azure Bastion Service for Private VM Access

    Microsoft on Tuesday announced a preview of the Azure Bastion service, which lets a user connect to an Azure virtual machine (VM) using a private Internet connection.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.