
Cyberattacks through third parties are on the rise, according to the 2025 Verizon Data Breach Investigations Report (DBIR). The share of exploitation-of-vulnerability attacks that targeted VPNs and edge devices also grew nearly eightfold, to 22% from the 3% reported a year earlier.
Verizon analyzed 12,195 confirmed data breaches out of 22,052 real-world security incidents collected between Nov. 1, 2023 and Oct. 31, 2024, from more than 100 data contributors globally.
Exploitation of vulnerabilities increased
Exploitation of vulnerabilities as an initial access vector increased by 35% year over year and now accounts for 20% of breaches. Credential abuse remains the most common initial access vector (about 22%), according to the 18th annual report, followed by exploitation of vulnerabilities (about 20%) and phishing (about 16%).
“Organizations worked very hard to patch those edge device vulnerabilities, but our analysis showed only about 54% of those were fully remediated throughout the year, and it took a median of 32 days to accomplish,” report authors C. David Hylender, Philippe Langlois, Alex Pinto, and Suzanne Widup wrote.
“It’s pretty clear that VPN technologies should not be readily available to anyone to access,” said Lawrence Pingree, vice president of Dispersive and former Gartner cybersecurity lead, in a comment to TechRepublic. “This is one of the fundamental problems with the design of VPN technology. Eliminating the infrastructure VPN attack surface should be of crucial importance to enterprises, given that it’s often an overlooked aspect of security. Moving off legacy VPNs and firewalls isn’t easy—but it’s worth it.”
Fewer organizations paid ransoms than the previous year
Ransomware's presence in breaches rose 37% compared to the previous year, but ransom payments moved the other way. The median payment was $115,000, down from $150,000 the previous year, and more victim organizations refused to pay: 64% of victim organizations did not pay a ransom.
The lower median might also reflect how often ransomware actors hit smaller organizations, which have less to pay: ransomware was present in 88% of breaches at SMBs, compared with 39% of breaches at large organizations.
SEE: In this TechRepublic exclusive, reporter Fiona Jackson details how new ransomware attacks are getting more personal as hackers ‘apply psychological pressure’
“Glass-half-full types can celebrate the rise in the number of victim organizations that did not pay ransoms with 64% not paying vs 50% two years ago. The glass-half-empty personas will see in the DBIR that organizations that don’t have the proper IT and cybersecurity maturity — often the SMB-sized organizations — are paying the price for their size with ransomware being present in 88% of breaches,” said Craig Robinson, research vice president of security services at IDC, in a press release.
Ransomware was present in 44% of all breaches reviewed by the Verizon team, up from 32% in the previous report.
Third-party risks could stem from Software-as-a-Service or BYOD
Third-party relationships, and the risk they carry, were a central theme of this year’s report. The share of breaches involving a third party doubled, from 15% to 30%. The Verizon team pointed to the Snowflake incident of April 2024, in which attackers accessed customer accounts on the platform using stolen credentials.
“Much ink has been spilled over the Shared Responsibility Model, so we definitely won’t go into all that, but it is worth understanding that when you are working with a third party, you have to consider their security limitations as well as your own,” the authors wrote.
Software-as-a-Service (SaaS) providers can also be a source of third-party credential leaks, and stolen credentials combined with BYOD policies compound the exposure. Looking at systems compromised by credential-stealing (infostealer) malware, the report found that 30% were enterprise-licensed devices, while 46% were non-managed devices that held both business and personal credentials. The report could not determine precisely how those devices were used, but attributed them to either a BYOD policy or the use of enterprise-owned devices for personal activities; in either case, corporate logins ended up on machines the enterprise did not manage.
“The DBIR’s findings underscore the importance of a multi-layered defense strategy,” said Chris Novak, vice president of global cybersecurity solutions at Verizon Business. “Businesses need to invest in robust security measures, including strong password policies, timely patching of vulnerabilities, and comprehensive security awareness training for employees.”