Close this search box.

The 2020 edition of the Verizon Data Breach Investigations Report (DBIR)

EP 61: The 2020 edition of the Verizon Data Breach Investigations Report (DBIR)

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

September 1, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, do a quick analysis of the 2020 edition of the Verizon Data Breach Investigations Report.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity council is Jake Bernstein. Visit them at and

Jake Bernstein: So, Kip, what are we going to talk about today?

Kip Boyle: Hey, Jake. We're going to look at the latest version of the Verizon Data Breach Investigations Report. This is the 2020 edition, and what I want to do is check it out and see what can we learn from this mountain of data.

Jake Bernstein: Sounds good. I love the DBIR, as it's known. This is the 13th edition, so it's been going on since what? 2007? And it's disturbing to me that 2007 is 13 years ago. But, nonetheless, I remember reading this for the first time, probably in 2014 or '15, and just really being blown away by all the information that they had. And also I had no idea that Verizon did this kind of stuff. So, if anyone's wondering, Verizon does run their own kind of forensics investigatory unit, and that's what we're talking about.

Kip Boyle: It's quite the non-sequitur, which is my word of the day, non-sequitur. And I remember when it first came out, I remember reading the first one and also being blown away because that was what everybody was complaining about was, where is the data. How can we make decisions if we don't have data? And somebody at Verizon went, "Oh, we have data. Let us crunch it for you and let us share it with you for free." I mean, this is an amazing act of generosity, if you ask me.

Jake Bernstein: It really is.

Kip Boyle: Yeah. And the issue now though, is that the report is pretty mature. Right? It's a 13-year-old report. It's entering its adolescence. But it's much better than the first ones, but still, it can be impenetrable to people who are not used to it. It has its own sort of patter, and rhythm, and style, and it can be difficult to decipher. It's 119 pages this year, and it has a ton of technical jargon. So, I thought it would be nice if we could tease out some of the most interesting and useful information, share it with the audience, and then wrap up with kind of like, so what. What does this mean? I mean, it's certainly interesting. It's fascinating.

I mean, the data analyzed is bigger than ever. Every year they seem to have more data. This report has almost 4,000 confirmed cybersecurity data breaches, and those were culled from over, check this out, 157,000 data security incidents worldwide. So, it's not North America restricted. This is from everywhere. And so, whoever you are in our audience, wherever you happen to be, and we know that we've got international listeners, there is something in this report for you, I can just about guarantee it.

Jake Bernstein: Yeah. And this newest version of it is really great because right away on page four, they provide the DBIR cheat sheet, which I think is really helpful. This is a really impressive thing that Verizon is doing. By the way, this is not a sponsored show. Verizon has not paid a dime for this.

Kip Boyle: Nope, we just admire their report.

Jake Bernstein: We just admire this report. And I think it's really great because one of the things they've also given away is the VERIS, which is the Vocabulary for Event Recording and Incident Sharing. That's talked about in the cheat sheet as well.

Kip Boyle: And it's commendable. [crosstalk 00:04:14].

Jake Bernstein: Kip, how does one download this?

Kip Boyle: Well, so you do have to give them your email address unless you've got some really good Google Kung-Fu, and it's possible to find it without giving them your email address. But I'll tell you what. I've given them my email address every year, and they have never abused that trust.

Jake Bernstein: Yeah. I agree with that.

Kip Boyle: So, just give them your email address because I think what they're doing with that isn't marketing to us. What they're doing is showing their senior decision-makers, "Look, we have a big audience. Look, people are paying attention to us. Continue to fund this." Because guess what? Verizon's paying. I've got to imagine they've got a big budget for this. And if they can't show that they've got an audience, they may lose that budget someday. So, let's not do that because this is a treasure. It absolutely is a treasure.

Jake Bernstein: It is.

Kip Boyle: One of the things that I love the most about it is I'm very interested in data visualization. I'm just one of those people. I love to see a picture. I love to see a chart but it's got to be good. Right? I don't want to see these cruddy three-dimensional monstrosities that I often see people making because they're starting out. Right? I mean, it's just like beginner graphics. Those are kind of hard to look at.

But what I love about this report is every year they put a ton of effort into data visualization and they conduct a lot of experiments. They're always trying to figure out new ways of visualizing the data, which I commend them for. But I also have to say that there's been a couple of years where I don't understand what they're doing at all with their visualizations. So, I'm like, "Well, dang it, this is a year where I don't get it, and I'm just going to have to read the text." But I just want to commend them for being willing to take a risk and try to figure out new ways of helping us understand because as I said, it's an absolute mountain of data and the jargon, VERIS, and I mean, you have to have that when you're doing deep analysis. You cannot have muddled terms. Right? You can't have that kind of ambiguity.

So, one of the biggest things that everybody has to understand to read this report is the following, all data breaches are incidents, but not all incidents are data breaches. So, just keep that in mind because the report goes back and forth with analyzing the data. And sometimes they'll say X percent data breach or X percent incident. And that's probably the thing that I think trips most people up is trying to keep that straight in their mind.

Jake Bernstein: It does. And I think, as a lawyer, I love definitions because definitions are everything in the law.

Kip Boyle: Well, you guys are like the ultimate wordsmiths, I think.

Jake Bernstein: Well, it's true. In a way, it's kind of like programming or math but with words. We will often set up equations, and variables, and statements. Incident means this. Breach means this. You see a lot of, for purposes of this paragraph, this word means that. But it's really important. And I think here for the DBIR, it's worth just quickly going over what it means. You accurately state that they are splitting everything into incident and breach. And an incident is a security event that compromises the integrity, confidentiality, or availability of an information asset.

Kip Boyle: It's a bad thing.

Jake Bernstein: It's a bad thing. A breach is more specific. It is an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party. So, that's a really, really critical definitional idea for this. And one of the other things I just wanted to point out really fast is that you might think, "Oh my god, 119 pages of Data Breach Investigations Report." I will say that these guys who write this, they have a very witty, humorous, somewhat irreverent style, and it's actually fun to read. Like, it is actually not that bad. One of these first footnotes is check new chart who dis. It's that kind of light humor throughout that I think makes this such a treasure beyond just the data itself. It's actually entertaining. And they probably do that because, let's be clear, it is ultimately a Data Breach Investigation Report that's 119 pages.

Kip Boyle: Numbers, numbers, lots of numbers, stats, stats.

Jake Bernstein: Stats. Lots of stats.

Kip Boyle: We're going to share some of those stats with you today.

Jake Bernstein: We are.

Kip Boyle: Are you ready to dive into it?

Jake Bernstein: Yeah, exactly. Let's dive in.

Kip Boyle: Okay. So, many things caught my eye, and so let's just get a few of them out there. So, here's something that I thought was notable. 70% of the data breaches in their data that they analyzed was caused by external actors. And 30% of the data breaches were caused by internal actors. And that's a shift. I think in the not too distant past, the mix was more like 50/50, but the external actors have absolutely pulled ahead.

Jake Bernstein: Yes, they certainly have, which is not really surprising.

Kip Boyle: I don't think so. That lines up really well with the news headlines that I've been seeing, other reports that I've been reading, conversations with law enforcement, and so on. Yeah, I think that's a solid, believable statistic.

Jake Bernstein: I do want to point out one thing. Just because 70% is external, that still leaves 30%, three in 10 incidents as being caused or involving internal actors. That is, honestly, what's more surprising to me in some ways is that it is still that high. That means that there is an awful lot of potential inside action going on, and that's a problem.

Kip Boyle: It is a problem, and that's a management issue, pure and simple. So, management has to be sure that they're screening the people who come to work for them to make sure that they're not bad actors from the beginning. And they need to make sure that they're offering a hospitable work environment, not a lounge. Right? I'm not suggesting like workers should be pampered and expected to do nothing, but a hostile work environment or one that is very oppressive, I think is a breeding ground for bad actors, bad internal actors. But other things can happen too. Like, somebody can come to work for you, and then in five years later, unbeknownst to you, they get a DUI, they get divorced, crushing legal fees, and other terrible, heavy financial burdens and, all of a sudden, they're desperate.

And so now they're looking, like, "How can I raise cash? Can I sell some of this data that is lying around everywhere where I work?" I don't know. I mean, so people can change without you realizing it. And again, that's a management issue. How can you detect those things? In the Air Force, by the way, just to tell you, we have a zero through 10 scale that we use when we do work, and eight is like the mythical perfect security state that you can be in. And if you want to know what an eight looks like, then maybe crossing over into nine territory, which is too much security. But in the Air Force, if you're a missileer, like if you're a person who sits in a hardened bunker and they toss the keys to you and your colleague, and they say, "If you ever get the launch order, like we're counting on you," so those people go through a regular personnel reliability screen specifically designed to detect things like I just described.

Now, I don't know if that's appropriate for your organization, but I just want to point out that if you need very high security, you may need to do something like that. Some kind of like an annual credit check or something, I don't know. Think about it.

Jake Bernstein: Yep, very much so. So, let's go ahead and take a look at what some of this information is. I mean, this thing is rich. It is so full of data, it's ridiculous.

Kip Boyle: Yeah. So, continuing on the theme of 70% of the breaches were caused by external actors, organized criminals, organized cybercriminals caused 55% of all data breaches. And in this context, just to be clear, an organized criminal is really more like a nerd and less like Tony Soprano or Scarface, which is to say that they have a process that they're following and they coordinate activities. You know what I mean? Like, do you see the difference? I mean, I know there's a digital Tony Soprano out there somewhere, but when we say organized crime in this report, we're just saying like, "Oh, they look like us. They go to work every day." Right? They have a well-lighted workspace with a benefits program and a payroll to meet. Right? That makes sense.

Jake Bernstein: Yep. Exactly. Well, and I think it's important too, to point out that 86% of breaches were financially motivated. So, we're talking the vast majority is about money. So, let's be clear about that as well.

Kip Boyle: Oh yeah. Yep. It's absolutely about money.

Jake Bernstein: That makes sense, given that that organized cybercriminals are causing 55% of all data breaches, to begin with.

Kip Boyle: Yeah. So, what is this telling us? Well, it's confirming something that we've already been seeing, which is we've got this existential threat going on out in the world where highly organized people who are sitting down at their desk and saying, "I want to steal money. This is my profession, and I want to do it systemically, and I want to do it using the internet and taking full advantage of every advantage that the internet will confer upon me." And one thing that I tell people when I'm trying to get them to understand this is I say, "Look, every technology that Jeff Bezos has that he uses to terrorize Walmart and to try to steal their lunch, well, the cybercriminals have all that too. And that's what they're using in order to steal from us."

Jake Bernstein: Yes. One thing I want to talk about right now because I think it's really useful early on is that, looking at page nine of the DBIR, and I really encourage people to take a look at what is labeled figure six because what it does is it breaks down the action varieties involved in breaches over time. And the reason I'm bringing this up right now is that there are... So, if you look at the top four kind of actions this year, or actually, let's go back to the very beginning. So, in 2015, when they are giving this kind of data, you had malware social, which is phishing attacks, Trojan viruses, and then hacking, and then malware.

Now, today in 2020, you still have phishing and then use of hacking, which is what they call the use of stolen credentials, is second, but then you have misdelivery and misconfiguration, and those are both classified as errors. And let's think about that for a second. What that means is that two, or I should say of the top four items, two of them are errors, are internal mistakes. That is really, really interesting. And also those have risen dramatically over the past few years.

Kip Boyle: Yeah, yeah, absolutely. Again, it's a management issue. Right?

Jake Bernstein: Yes.

Kip Boyle: So, are we as managers providing the correct standard operating procedures? Are we allocating enough time and resources for people to do the job correctly? Because when I think about errors as a manager, what I think about is people just working too fast, cutting corners, not really understanding what they're doing, and just winging it. Right? So, and why are they doing that? Because they're under a lot of pressure, I would think.

Jake Bernstein: And I would say a lack of process. I personally have witnessed in recent months several incidents, not necessarily exactly the kind that would be reported in the DBIR, but incidents, nonetheless, that were caused by error. And in those cases, it was a lack of process. This is worth spending time on because what it does is it highlights, for anyone who reviews it, the trends. Really, regardless of the size of your company, there is something of value here. I think every cyber professional really owes it to themselves to review this report each year.

Kip Boyle: Oh, absolutely. Because things change and they're getting better at analyzing the data, and we should not be making major cyber risk management decisions based on the news headlines.

Jake Bernstein: Absolutely not.

Kip Boyle: Like, we should watch that. Of course, we should watch that, but we should be trying to make decisions based on what's actually going on because a lot of the stuff that goes on in the world isn't newsworthy. Right? Like, you were just pointing out, like errors, misconfigurations. Like, I can't remember the last time I saw a news headline that was sensational about the fact that somebody mistyped an address and that resulted in a data breach. I mean, that's the reality but it's not newsworthy. So, don't be fooled by these large, blaring, red-lettered headlines and figuring out what your cyber risk strategy is based on that.

So, this is, again, just wonderful report. And now let's turn our attention back to the cybercriminals because they're not under our control. See, that's the thing. We've got internal actors who are causing some of the problems and management has control or has direct influence over that. But the outsiders, not so much. And the outsiders are operating with near impunity right now because we don't have an effective police force, criminal justice system, and so forth that can reach beyond the borders of our country or really, any country. Right? That's a big issue. And so, I love how the DBIR tells us what are cybercriminals doing to cause all those data breaches that they're responsible for. And this is shockingly simple, but also shockingly easy to deal with. They're doing it by stealing credentials. And there are billions of credentials floating around in the so-called dark web or they're brute-forcing the user IDs and passwords, and they're breaking into internet-facing web applications. It's just as simple as that.

Jake Bernstein: Yes, exactly.

Kip Boyle: And so as cyber risk managers, Jake, what do we do? What do we do about that? It's easy.

Jake Bernstein: Is it? Well, why don't you tell us?

Kip Boyle: Multi-factor authentication

Jake Bernstein: Multi-factor-

Kip Boyle: Multi-factor authentication. Yeah. Yeah. We need to get our 2FA going and it's widely available. The number of sites that have two-factor authentication available to be turned on greatly outnumbers the ones that do not, and that's been a shift that's been a long time coming. So, if you don't have multi-factor authentication turned on everywhere right now, and particularly for internet-facing web applications, this should be a top item for you on the next budget cycle.

Jake Bernstein: Absolutely. Do it now. It's not even... There's really no...

Kip Boyle: Get a pilot going immediately. Right?

Jake Bernstein: There's really no excuse not to have multi-factor authentication in place.

Kip Boyle: Start a pilot. Yep. Start a pilot. This is going to cure a lot of ills. It really will. And like Microsoft Authenticator, just to pick one, super, super easy to use these days. When you try to authenticate and you need to prove with a second factor of authentication, you don't have to sit there and type a code in. You can configure it so that it will just pop up a message and say, "Hey, somebody's trying to authenticate with your account, is that you? Approve or deny." You just tap on the button. Now, there can be issues with that. Like, people getting prompted for a approve or deny and not realizing that they weren't the ones who initiated that. So, you could still get into trouble, but it's easy. I mean, these things are very easy to use these days. So, get a pilot going right away.

Jake Bernstein: Exactly. Just in case it's not clear, we don't want to forget about our good friend, phishing. Use of stolen credentials, which the report labels as hacking, which is what we're talking about and what multi-factor authentication can prevent, is still second place. First place remains phishing, which is, really, a social engineering attack. The best way to combat that is security awareness, training. I mean, the problem with phishing is that there's so many different ways to do it, and so many different ways to take advantage of a successful phish that trying to come up with a technical solution is, we'll just say, incredibly challenging.

Kip Boyle: It's very difficult in terms of trying to scrub the inbound email stream to identify the phishing. It's super difficult. Because why? Because the attackers are constantly innovating how they do it. And if you're subscribed to Microsoft 365, or G Suite, or one of these big email service providers, well, you can bet that the organized criminals also have a subscription. And what they're doing is they're constantly engaged in black-box testing. Right? So, they're like, "Okay, let me send this message out. Does it get through? Let me send this message out. Does it get through?" Right? So, they are endlessly playing a cat and mouse game with these very large email service providers. And it's inevitable. No matter how much you tighten down the screws on filtering your email, stuff's going to get through. I mean, they have every incentive and they have all the money they need in order to black-box test the heck out of this.

So, what we recommend to our customers is actually make clicking on a link in a phish irrelevant by implementing application whitelisting because the goal of most phishing attacks is to land a piece of malicious code on your computer. And if you're whitelisted your applications then when it lands on your computer, chances are it's not going to run. It just won't be able to execute. Your computer won't allow it

Jake Bernstein: Well, and one thing, I mean, not to get into a host to host argument about this, but keep in mind too, phishing is also to get credentials so that they can then hack.

Kip Boyle: Of course, yeah.

Jake Bernstein: So, application whitelisting isn't going to prevent someone from typing in their information.

Kip Boyle: No. And application whitelisting will also not prevent a business email compromise where I think I'm getting an email from my boss telling me to move a quarter-million dollars to an offshore supplier that doesn't exist. That's not going to help either.

Jake Bernstein: Nor will whitelisting prevent someone from legitimately logging in using stolen credentials. So, there's a lot going on here, and I think with phishing, it's just important to continue to be aware of it. One thing, I think it's really interesting, in the distant past, Kip, I was, as you know, a litigator who did more than my fair share of email litigation, mostly involving canned spam or California's anti-spam law. A lot of the times I think people listen to the phishing discussion and they wonder, "Why is this so hard? Why can't people just not click on things? Or why can't they just automate filtering better?" And here's the thing. You know what? You could, for example, you could whitelist your email...

Kip Boyle: Yeah, your recipients.

Jake Bernstein: Your recipients. Now, the problem with that is that means that you're never going to be able to get an email from someone you haven't emailed before.

Kip Boyle: Right. It's too onerous.

Jake Bernstein: It's too onerous. It's not the way that email is really meant to work. But I will say this-

Kip Boyle: And it's anti-human. It's anti-human too in the sense that people are wired to connect.

Jake Bernstein: It is. It'd be super effective though. If you wanted to whitelist your email, man, that would be almost impossible to phish because nothing's getting through unless you've emailed them before. It becomes a pain to administer. And frankly, there's a lot of people that just, a lot of industries where that's just impossible.

Kip Boyle: Right. I mean, in a lot of jobs too. So, like if I'm a recruiter in the HR department, my job is to open up emails from people I've never seen before and never met. Right?

Jake Bernstein: Yup.

Kip Boyle: Because these are candidates. These are people new. If I'm in sales, my job is to open up emails that I've never seen before too. And there's lots of people who have to engage in this extremely risky behavior of opening up emails and clicking on stuff, and they deserve extra protection. So, if you, as a cyber risk manager, haven't given them that extra protection, maybe they should have application whitelisting on their computers to guard against the malicious code aspects of these attacks. And maybe they should get extra training to alert them to the possibility that a nonmalicious code phishing attack is going to land in their lap. But just think about that because that's where the risk is. That's where the battle's being fought.

Jake Bernstein: It is. One thing that just occurred to me as we're talking about this right now is several, probably a year ago, I'd get really excited when I would see an email come in where there was this nice, like red banner that said this is from outside the organization. And it might seem like, "Oh, this is incredible. This is this great warning thing." Here's the problem though with that. It's a little bit like blinky light security, Kip. You eventually tune that out, particularly, and this is what triggered that thought, particularly when your job involves email from outside the organization. You're not going to see it.

Kip Boyle: If you see that banner all the time, you're going to ignore it.

Jake Bernstein: You're going to ignore it. This is what makes security an ongoing problem and something that is so human. It's a very human problem. People are at the core of this and how do you trigger someone's... Unless you try to create an entire workforce of absolute, paranoid type-

Kip Boyle: Automatons.

Jake Bernstein: Yeah. Well, that doesn't work either. Let's continue pushing on because I think, we've talked for almost our entire episode and we've gotten, what, maybe 12 pages in. We may have to do a whole second follow-up episode.

Kip Boyle: Yeah. That's entirely possible. Well, why don't we just skip to the bottom line on this report and start talking about so what? right? You and I could pitch statistics back and forth for hours on this, but let's give some folks in the audience some additional takeaways. Right? So, what are the things that you can be doing with this report and that you should be doing with this report?

Jake Bernstein: Let's do that.

Kip Boyle: So, one thing that you should be doing is this is hard data, and you should be referencing these statistics in your budget requests.

Jake Bernstein: And one of the ways that you do that is, for example, we were just talking about phishing remaining the number one incident, or number one action type. So, what you do there is... A simple example would be, "Dear Mr. CFO, we need to renew our subscription to anti-phishing software X because, according to the Verizon DBIR 2020 Edition, phishing remains the number one action involved with incidents and breaches." That is a very simple, almost lawyerly way of arguing in your budget request. And it's really super helpful.

Kip Boyle: Yeah. So, don't go to them and just say, "Well, I just know this is a problem." Get into the DBIR. They even make this so easy for us. They have links in the report that will take you to high-resolution versions of the charts that you can retrieve and use in your slide deck instead of taking dodgy screenshots of the PDF.

Jake Bernstein: Hey, I like dodgy screenshots of PDFs.

Kip Boyle: They already know... Well, the CFO will not be impressed by your dodgy screenshot, I don't think.

Jake Bernstein: That's probably true. And they give this away. Let's be clear. Just remember, they're giving this away. I mean, this is a really... You called it a treasure. Just want to make sure that everyone understands how much of a treasure it is and why.

Kip Boyle: Yeah, it is. Now, what they continue to get better at too, by the way, and this is another takeaway for the audience, is the data is sliced and diced, not just by how people are attacking us, who are they attacking, and that sort of business, but it's sliced and diced by industry, as well as geography. So, when you are looking at this report, be thinking, "What industry am I in? Where am I in the world?" And go into that report and figure out how are these attacks and data breaches localized to you and study that and use that when you go into the next budgetary cycle because that's just going to add more texture and credibility to your story.

Jake Bernstein: Absolutely. I think other ways to use this are to keep it as a reference throughout the year. Draw on it whenever you need to make a case or defend yourself from unjust criticism. I love that.

Kip Boyle: Well, people are always trying to take your budget. Right? I mean, that's typical and it's not a personal thing. Right? But if I'm in marketing and I need $25,000 to redo the website because I think if I can redo the website, I can increase top-line revenue by like 3% or whatever the number is, that's a very compelling case for the CEO to say, "Yeah, give the chief marketing officer $25,000." Well, what if I need $25,000 in order to install application whitelisting on the computers of people who are constantly opening up emails from the outside of the organization? How do I compete with that? Right? So, this is how you compete with it. By using what's in this report.

Jake Bernstein: Exactly. And I think another thing to do, another way to use it is if you can use the VERIS framework, which is what we talked about, it's the common attack framework, the kind of definitions and language used, that will actually allow you to make even more use of this. I think it'll be really, really helpful when you're using it.

Kip Boyle: Yeah, yeah. As long as you don't overdo it. Don't over jargon the executives. They're not going to like that. That's going to really hurt you, but to the extent that it helps you be more articulate, do it. By the way, there's a psychological effect, it's a very base human trait that I want you to be clear about, which is people are way more averse to loss than they are attracted by gain. So, in that scenario that I gave you where the chief marketing officer wants 25k to revise the website, it's your game to lose. Because when you go in there, what you're going to say is, "With that 25 grand, I can save us a multimillion-dollar cost of a data breach." Well, as long as you're not using too much jargon, or you're not making it an overly emotional pitch or whatever, right, as long as you're not misstepping, you naturally have the advantage, just based on the way human beings are wired. So, think about that.

And then the fifth thing that I would suggest to the audience is watch carefully how the world shifts with respect to the DBIR due to the COVID-19 disruption because COVID-19 has caused us to change the way we work. And one of the biggest changes is more work from home, more remote work. I can't wait to see what the report says next year about how that has changed the landscape or not. I'm interested to know.

Jake Bernstein: Yeah. I think that's exactly... I'm really curious too. And I wonder where it's going to change. Right? Is it going to change in the... Are the action's going to change? Are we going to see more hacking or malware or what? Right? I'm really curious.

Kip Boyle: Will RDP, remote desktop protocol, float to the top of the heap?

Jake Bernstein: Or, and here's my prediction, I think what we're going to see change is actually the breakdown by industry because I think what's going to happen here is that... Well, actually, here's a really interesting test and I'm going to say this so that we can come back and critique my prediction, which is that if we believe that working from home is going to cause more incidents, then what we should see is a concomitant rise in incidents and breaches in industry codes where working from home was possible. And we should see a decrease-

Kip Boyle: But not normal.

Jake Bernstein: But not normal. And we should see a decrease where... Well, I mean, honestly, Kip, doesn't matter because I think we've just gone through the COVID pandemic.

Kip Boyle: Here's why I think it matters, Jake, is because errors and omissions, misconfigurations, were a top cause of data breaches in this report. Well, when you look at everybody in the office and say, "I know we're not used to working from home. So, pick up your desktop computer right now, load it in your car and go home and start working, and the IT person will catch up to you later to make sure you're okay." Holy moly.

Jake Bernstein: No, that's true.

Kip Boyle: What a breeding ground for errors and misconfigurations.

Jake Bernstein: That is very true. I think that's an excellent point. So, we'll have to see what the data does. It will be really interesting this time next year. We should have a follow-up episode to discuss that.

Kip Boyle: Yeah. Any final thoughts?

Jake Bernstein: Only that there is so much information in here. It is just worth every minute you spend reviewing this is what I would do.

Kip Boyle: We've just scraped the surface, and you have all the information you need in here to contextualize it for your organization and your particular situation. So, go do that. And that wraps up this episode of the Cyber Risk Management podcast. Today, we did a quick analysis of the 2020 edition of the Verizon Data Breach Investigations Report, the DBIR. We wanted to see what we could learn. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision-makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at and Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.