There are a few must-read reports that I have on my reading list each year, and the Verizon Data Breach Investigations Report is at the top of that list. The latest Verizon 2026 Data Breach Investigations Report (DBIR) once again provides a fascinating insight into how the cyber threat landscape continues to evolve. Based on the analysis of more than 31,000 security incidents and over 22,000 confirmed data breaches across 145 countries, reported by organisations ranging from police forces and cybersecurity companies to CSIRTs (including IRISSCERT), this vendor-neutral report is one of the most comprehensive pieces of cybersecurity research published each year, which is why I have it on my must-read list.
As you may be aware, I am often dismayed by the tendency in cybersecurity to focus on the newest threats, latest attack techniques, or emerging technologies, while many organisations are still struggling with the basics of cybersecurity. This year’s DBIR reinforces this viewpoint and highlights how attackers don’t need sophisticated techniques; they are increasingly exploiting gaps in the cybersecurity fundamentals.
One of the standout findings for me from this year’s report is that vulnerability exploitation has now overtaken stolen credentials as the most common initial access vector in breaches. Exploitation of vulnerabilities accounted for 31% of breaches, while abuse of user credentials dropped to 13%.
To me this is an important shift for several reasons. Firstly, it demonstrates that criminals will always use the most effective ways to compromise an organisation. For years, much of the cybersecurity conversation centred on phishing emails and password theft, because that was how criminals were compromising organisations. Those threats have not gone away, but attackers are increasingly taking advantage of organisations failing to patch internet-facing systems and applications quickly enough. Secondly, it reinforces many of the concerns about AI being used to identify more vulnerabilities, which may leave many organisations unable to patch or remediate those vulnerabilities in a timely manner. Note that we will soon be publishing an excellent blog post by our Senior Cybersecurity Consultant Sarah Hipkin on this topic, so stay tuned to our blog.
The DBIR goes on to highlight that only 26% of critical vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalogue were fully remediated during 2025, down from 38% the previous year. The median time to fully remediate vulnerabilities also increased, to 43 days.
For Irish organisations, and organisations elsewhere, this should be a concern. Many businesses are operating with limited IT and security resources while simultaneously trying to deal with increasing regulatory obligations under frameworks such as the EU GDPR, EU NIS2, EU DORA, and sector-specific compliance requirements. Meanwhile, the pace at which attackers identify and exploit vulnerabilities is not slowing down, and organisations are struggling to catch up.
My reading of the DBIR report suggests the issue is no longer simply about organisations failing to patch. The sheer volume of vulnerabilities now being discovered is overwhelming many organisations’ ability to respond effectively. In other words, patch management is rapidly becoming a capacity problem as much as a technical one.
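The two DBIR measures discussed above (the share of KEV-listed findings fully remediated in the year, and the median days to remediate) are straightforward to compute from a vulnerability-scanner export. The following is an added example, not code from the post or from Verizon: it runs over a constructed finding list with placeholder CVE ids, and the 30-day SLA used to flag overdue KEV items is an assumed value.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Constructed sample: these CVE ids are placeholders, not real KEV entries.
KEV_CATALOGUE = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"}
# Constructed end of the reporting year used for the "open and overdue" check.
AS_OF = date(2025, 12, 31)

@dataclass
class Finding:
    cve: str
    asset: str
    internet_facing: bool
    detected: date
    remediated: Optional[date]  # None while the finding is still open

# Constructed scanner findings for one reporting year (last one is not in KEV).
FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", True, date(2025, 1, 10), date(2025, 2, 4)),
    Finding("CVE-0000-0002", "mail-01", True, date(2025, 3, 2), date(2025, 4, 30)),
    Finding("CVE-0000-0003", "web-03", True, date(2025, 6, 15), None),
    Finding("CVE-0000-0004", "hr-db", False, date(2025, 9, 1), date(2025, 9, 20)),
    Finding("CVE-0000-0009", "file-01", False, date(2025, 10, 5), None),
]

def kev_remediation_metrics(findings, catalogue, as_of, sla_days=30):
    """Return (% of KEV findings fully remediated, median days to fix, overdue KEV findings)."""
    kev = [f for f in findings if f.cve in catalogue]
    fixed = [f for f in kev if f.remediated is not None]
    pct_fixed = 100.0 * len(fixed) / len(kev) if kev else 0.0
    days_to_fix = [(f.remediated - f.detected).days for f in fixed]
    med_days = median(days_to_fix) if days_to_fix else None
    # Open KEV items older than the SLA, internet-facing assets first, then oldest first.
    overdue = [f for f in kev if f.remediated is None and (as_of - f.detected).days > sla_days]
    overdue.sort(key=lambda f: (not f.internet_facing, f.detected))
    return pct_fixed, med_days, overdue

if __name__ == "__main__":
    pct, med, overdue = kev_remediation_metrics(FINDINGS, KEV_CATALOGUE, AS_OF)
    print(f"KEV findings fully remediated: {pct:.0f}%  median days to fix: {med}")
    for f in overdue:
        print(f"OVERDUE {f.cve} on {f.asset} (internet-facing={f.internet_facing}, open since {f.detected})")
```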
It was no surprise to read that ransomware continues to dominate the threat landscape. According to the DBIR report, ransomware was involved in 48% of all the breaches analysed this year, which is up from 44% last year.
There is, however, a small piece of good news buried within the statistics. The report found that 69% of ransomware victims did not pay the ransom demand. That suggests organisations are becoming more resilient, with better backup strategies, improved recovery capabilities, and perhaps a growing recognition that paying criminals does not guarantee a positive outcome. It could also reflect the growing realisation that criminals do not always honour their promise not to release stolen data, even when organisations pay the extortion demand. According to the Hiscox Cyber Readiness Report 2025, 29% of Irish organisations who paid extortion demands had their data leaked regardless of payment.
That said, ransomware remains one of the most disruptive risks facing organisations, particularly SMEs. For many smaller businesses, the operational disruption caused by ransomware can be far more damaging than the ransom demand itself.
Another area that deserves close attention is third-party risk. The report found that breaches involving an organisation’s supply chain increased by 60% and third-party breaches now feature in 48% of breaches.
This reflects the reality of modern business. Organisations increasingly rely on cloud providers, managed service providers, SaaS platforms, outsourced payroll systems, and external IT partners. While these services deliver enormous business benefits, they also introduce additional attack paths and cybersecurity risk that organisations need to manage.
No cybersecurity report today can go without mentioning the role of AI in cybercrime and the Verizon DBIR is no exception. According to the report, criminals are now using generative AI to assist with target selection, malware development, vulnerability research, and social engineering attacks.
While there has been a huge amount of discussion about how organisations can use AI productively, there has perhaps been less focus on how cybercriminals are using the same technology to scale and improve their attacks.
One area that should concern many organisations is the growth of “Shadow AI”. Verizon found that 67% of users accessing AI services on corporate devices were using non-corporate accounts. More strikingly, the report found that 45% of employees are now regular users of AI tools in the workplace, up from just 15% the previous year.
The risk here is not theoretical, as we experienced in the past with the wave of Bring Your Own Device (BYOD). The DBIR identified source code, internal documents, structured data, and technical documentation being uploaded into unauthorised AI platforms. For organisations handling sensitive personal data, confidential business information, or intellectual property, this creates obvious security, privacy, and compliance concerns. As with the BYOD wave and the rush of corporate data onto personal devices, organisations need to develop policies, tools, and controls to embrace the use of AI rather than take the King Canute approach of trying to stop the rising AI tide.
The human factor also continues to feature heavily throughout the report. Verizon found that the human element was involved in 62% of breaches. Social engineering attacks continue to evolve, particularly through mobile-centric attacks such as voice phishing and SMS scams. In fact, the report notes that engagement rates for mobile-based phishing simulations were 40% higher than traditional email phishing simulations.
That finding alone should prompt organisations to rethink how they approach security awareness training. Employees are no longer sitting at desks processing suspicious emails in isolation. They are working remotely, travelling, multitasking, and increasingly interacting with business systems through mobile devices, where people are naturally more distracted and more trusting. Criminals are also using messaging channels other than corporate email to reach employees, such as WhatsApp, social media, and personal email accounts, all platforms where most corporate cybersecurity solutions provide no coverage.
Returning to the core theme of the report, what stands out to me is that many of these breaches were linked to fundamental security failures such as missing multi-factor authentication, weak credential management, and excessive user privileges in cloud environments. If there is one clear message from this year’s DBIR, it is that organisations do not necessarily need revolutionary new security strategies. What they need is a comprehensive cybersecurity maturity assessment to develop a roadmap to achieve operational discipline.
Asset management, patching, MFA, least privilege, incident response planning, supplier assurance, and user awareness training are not glamorous topics, but they remain among the most effective security controls organisations can implement.
Cybersecurity is often portrayed as a technology problem. It is increasingly a business resilience issue. The organisations that will cope best with the evolving threat landscape are not necessarily those spending the most money on security tools, but those consistently executing the fundamentals well.
That is perhaps the most important lesson Irish organisations should take from this year’s report.
Author: Brian Honan is CEO of BH Consulting.