Each year, a team of experts analyzes data on the latest cyber threats and real-world breaches, compiling their findings in the Verizon Data Breach Investigations Report (DBIR). The DBIR is required reading for cybersecurity experts like your friends at NWG, who pore over the report in its entirety to stay up-to-date on industry trends. For everyone else, here are our top takeaways, tailored for C-Suite executives, IT professionals and non-IT professionals.
Partner breaches, also known as third-party breaches, are causing increasingly expensive business disruptions, as are supply chain weaknesses in both software and hardware providers. The effects of third-party incidents on downstream victims were particularly evident in the healthcare industry and in the CrowdStrike outages. Other third-party software issues this year included a Duo MFA breach and actively exploited Fortinet VPN vulnerabilities. In light of increasingly sophisticated attacks on third-party software, the proliferation of specialized software as a service (SaaS) providers may represent a hidden risk that offsets their potential benefits to operational efficiency.
Business size and industry play a much smaller role in cyber risk than they used to. The 2025 DBIR highlights that businesses of all sizes and industries are at much more similar risk levels today than they were in 2013. This convergence in risk is largely because both large corporations and small or moderately sized businesses are deploying the same solutions to protect their respective infrastructures. Cyber risk must stay top of mind for all companies when discussing business strategy to avoid underestimating operational risk. Keep in mind that cybersecurity tabletop exercises are no longer just for the IT team — CEOs should be present too.
Exploitation of vulnerabilities is now the most common method of breach for external attackers. This highlights a fundamental shift from previous years, where phishing was the primary means by which breaches occurred. The 2025 DBIR reports that the median time from publication of a known exploited vulnerability to mass exploitation was only five days. For edge devices including networking equipment, that time dropped to zero days.
Given that many patching schedules cannot respond in under five days to a mass-exploited vulnerability, IT professionals must increase their focus on what happens after an initial intrusion. Important questions include:
Regular full-scope penetration testing and persistent threat emulation can be effective ways to assess possible vulnerabilities before threat actors do. Purple teams, in which you and your penetration testers sit down to watch attacks happen in real time and chase down alerts together, can be an effective way to fine-tune detection and response capabilities.
If you've ever clicked a malicious link, you're not alone. The 2025 DBIR reports that no amount of training completely prevented employees from clicking malicious links in the past year, but increased awareness does make employees more likely to report these incidents to their IT team.
Handing out your credentials on a phony website or accidentally installing malware does not have to be a world-ending event if reported quickly. Trust your IT team. They are ready to quarantine and neutralize threats.
Finally, remember that your home devices are not immune to attackers. The Verizon DBIR states that non-managed devices (aka a device not issued by an employer) made up 46% of systems compromised by malware that had possible corporate login data. Avoid logging into anything with corporate credentials on a personal device to help reduce your business's cyber risk.
The threat landscape continues to change every year. As attackers become more sophisticated and preventing initial intrusions into corporate infrastructure becomes more difficult, a holistic approach to cybersecurity becomes more important. A paradigm shift from hardening towards resilience is necessary to meet the changing threat landscape: a shift to accepting that it’s not if an intrusion occurs, but when.
Keep in mind that cyber resilience is not a single destination, and security is not a zero-sum game. An incident does not have to be an intrusion, an intrusion does not have to escalate to a breach, and a breach does not have to be an extinction event. Making resilience a priority will not only strengthen your ability to anticipate, withstand and recover from today’s evolving cyber threats — it will also minimize risk, reduce operational disruption and protect long-term business continuity.
If you need help planning and executing a strong cyber resilience strategy — including some of the tactics mentioned above like tabletop exercises, penetration testing or even executive training and education — we have your back. Contact us today to discuss your company’s security needs and explore how we can help you build a more resilient and secure future.
*The Verizon DBIR team holds itself to rigorous standards in data analysis, communication and humor. In honor of the authors of the Verizon DBIR, this article has been written entirely without the aid of AI. I read the report the old-fashioned way and wrote this article in a markdown editor to avoid AI suggestions. Call me sentimental, but if there was ever a time to make one last hurrah for the human touch, this is it.*
Published By: Rachel Park, Security Research Director, NetWorks Group
Publish Date: May 1, 2025