Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Third-party risk rises as a factor in breaches: Verizon DBIR 2025

Verizon’s latest annual Data Breach Investigations Report (DBIR) shows some concerning trends with a sharp escalation in global cyber threats. Landed earlier than usual, the 2025 edition found that 30 per cent of breaches involved third-parties, doubling from 2024. Exploitation of vulnerabilities surged by 34 per cent, and now account for 20 per cent of breaches. Ransomware rose significantly; it was present in 44 per cent of breaches and 31 per cent of incidents. There were some good points: the median ransom payment decreased to $115,000 from $150,000, and 64 per cent of victim organisations refused to pay.

There are plenty of excellent roundups of the key points, from SC Magazine, SecurityWeek and others. Infosecurity Magazine led with the angle that ransomware is particularly affecting small businesses. Verizon itself noted a recurring theme of the role that third-party relationships play in breaches. The DBIR is based on analysis of more than 22,000 security incidents, including 12,195 confirmed data breaches.

At more than 100 pages, there’s plenty of detail to pore over. Verizon has an executive summary, video analysis and the full report to download from its website. Another lens on cybercrime comes courtesy of the FBI’s Annual Internet Crime Report. Its top three cybercrimes, based on reports from victims, were: phishing/spoofing, extortion and personal data breaches. Losses in 2024 exceeded an eye-watering $6.5 billion.

Microsoft marks progress on security initiative

Microsoft’s Secure Future Initiative (SFI) progress report marks advancements in the company’s multi-year cybersecurity strategy. The original plan outlined 28 objectives aimed at enhancing security; five are almost complete and 11 have made “significant progress”. The report also details progress across six engineering pillars: protecting identities and secrets, tenant isolation, network security, engineering systems, threat detection, and incident response.

Microsoft rolled out a Secure by Design UX Toolkit to 22,000 employees, embedding security best practices into product development. The company says 99.2 per cent development pipelines are fully inventoried with enforced security measures. The initiative also emphasises a security-first culture, with security now included as part of performance reviews. CSO Online marked the progress as 66 per cent done. SecurityWeek’s report noted that the plan’s goal as “the largest cybersecurity engineering project in history” came after a scathing US government report 18 months ago, following a hack on the company.

Data protection and privacy roundup: make data personal again; and AI resurfaces

The problem with the word ‘data’ is that it can sometimes have a depersonalising effect. It’s helpful to remind ourselves what’s at stake in a breach. A school in Dublin that accidentally shared sensitive information about named students to members of the school community is a good example of what’s actually involved.

Coincidentally, around the same time the UK Information Commissioner’s Office published guidance on communicating with empathy after a data breach. “The information you are trusted with reflects individual lives,” the regulator writes. “To some organisations, a data breach might seem like a temporary setback – something that can be patched up with technical fixes and compliance reviews. But from the perspective of individuals – especially those in vulnerable situations – a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate. As an organisation, you have a role to stop this ripple effect in someone’s life from spreading further”.

In other news, Facebook’s owner Meta said it will use data about users in the EU to train its AI models. The company had held back from doing this since last year, due to regulatory concerns. Now it says it will only use public data, and users will have the choice to opt out.

Need assistance with Digital Operational Resilience Act (DORA) compliance? 

The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. It entered into application on 17 Jan 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.

DORA brings harmonisation to rules relating to operational resilience for the financial sector, applicable to 20 different types of financial entities and ICT third-party service providers.

BH Consulting adopts a two-stage approach to enable financial entities meet DORA requirements. Get in touch with our experts and take the first step towards full DORA compliance.

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe.

Sign up here