Verizon DBIR: Patch Delays on VPNs and Edge Devices Fuel 34% Spike in Exploited Vulnerabilities

The latest Verizon Data Breach Investigations Report (DBIR) just dropped, and if you’re responsible for network security, there’s one stat that should catch your attention immediately: barely half of zero-day flaws in VPNs and internet-facing appliances were fully patched last year — and it took a median of 32 days to get there.

That delay is giving attackers exactly what they need: time.

According to the DBIR, exploitation of vulnerabilities rose 34% year-over-year, now the second most common path to initial access, just behind stolen credentials.


VPNs and Edge Devices: A Growing Risk

It’s no surprise that VPNs, firewalls, and edge routers are being targeted. These devices sit on the perimeter, they’re highly visible, and when unpatched, they’re prime entry points.

The DBIR data shows:

  • 22% of vulnerability exploitation attacks targeted VPNs or edge appliances
  • That’s up from just 3% in last year’s report — nearly an eight-fold increase
  • Vendors frequently targeted included Ivanti, Fortinet, SonicWall, and Citrix
  • Only 54% of exploited zero-day vulnerabilities in these devices were fully remediated over the year

The result? A surge in nation-state APTs and ransomware campaigns using these weaknesses to establish footholds and launch broader attacks.


Ransomware: Fewer Payments, But Still Widespread

While ransomware isn’t new, the 2024 DBIR shows some important shifts:

  • Ransomware was present in 44% of breaches, up from 37%
  • Median ransom payments dropped to $115,000 (down from $150,000)
  • 64% of victims refused to pay, up from 50% two years ago

The divide by company size is especially stark:

  • Large enterprises: Ransomware in 39% of breaches
  • Small and mid-sized businesses: Ransomware in 88% of breaches

That’s a wake-up call. SMBs remain a favorite target — and often have fewer resources to detect or respond.


Supply Chain and Third-Party Risks Continue to Climb

The DBIR also flagged a sharp rise in third-party and supply chain breaches:

  • 30% of breaches involved a third-party vendor or MSP, double last year’s figure
  • A median 94-day delay was reported between the exposure of secrets in public code repos and their remediation

That’s nearly three months of exposure — often without anyone realizing what’s at stake.


Credentials and Phishing: Still Top Threats

Despite the focus on zero-days and ransomware, credential theft and phishing remain constant:

  • Credential abuse accounted for 22% of initial access (unchanged from last year)
  • Email phishing, mis-sent data, and password reuse factored into 60% of breaches
  • Infostealers hit unmanaged devices hard:
    • 30% of compromised endpoints were licensed enterprise machines
    • Almost 50% were BYOD endpoints, storing both personal and corporate credentials

The continued use of unmanaged devices — and the lack of visibility into them — is a persistent weak point that’s not going away anytime soon.


Nation-State Threats: Financial Motives Are Rising

One of the more interesting trends in this year’s report: nation-state APT activity accounted for 17% of breaches, with vulnerability exploitation enabling access in 70% of those cases.

While cyberespionage remains the dominant motive, 28% of these state-backed intrusions were tied to financial gain — showing that some government-linked actors are now moonlighting for money.