MONARCH | CYBERSECURITY

Commentary & Analysis

2020 DBIR

The Verizon DBIR is one of the best reports released every year. For 2020, 81 contributors collected and analyzed over 157,000 incidents.

Monarch's summary is focused on the Financial Sector.

The full industry analysis contains:

  • Accommodation and Food Services
  • Arts, Entertainment and Recreation
  • Construction
  • Educational Services
  • Financial and Insurance
  • Healthcare
  • Information
  • Manufacturing
  • Mining, Quarrying, Oil & Gas Extraction, Utilities
  • Other Services
  • Professional, Scientific and Technical Services
  • Public Administration
  • Real Estate, Rental, Leasing
  • Retail
  • Transportation and Warehousing

00

For 2020, Verizon aligned with the Center for Internet Security (CIS) Critical Security Controls and the MITRE ATT&CK framework.

This allows firms to cross-reference industry-specific attack trends to CIS Controls.

The CIS Controls outlined next have been shown to be very effective in reducing security incidents and breaches in the Financial Sector.  There are a total of 20 controls outlined by CIS for firms at various levels of cyber maturity.

  • CSC 17 – Security Awareness and Training
    Train employees on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
  • CSC 12 – Boundary Defense
    Limit network access to only trusted or necessary IP ranges.  Deny all else by default. 
  • CSC 5 – Secure Configuration
    Maintain secure configurations for all authorized operating systems and software. 
  • CSC 11 – Secure Configuration for Network Devices
    Compare devices against approved security configurations and alert on deviations.  All network devices should be managed with encrypted sessions and MFA.

01

Organizations are doing a good job of patching Internet-facing assets.  The problem arises when asset management fails to discover assets across all network segments.  This causes a blind spot where potential vulnerabilities go unaddressed.

The report shows that exploiting vulnerabilities with malware is relatively scarce and mostly reserved for sophisticated attackers.  Attackers will scan for vulnerabilities but usually prefer easier and quicker methods.

Malware continues to be on the decline in favor of social engineering and credential theft.

  • Ensure your asset management program is kept up to date with your network segments.
  • Have an effective patch management process to minimize this attack vector from all but state-sponsored adversaries.
  • Attackers prefer short paths to reach their goal (your data).  A good defensive strategy is to place obstacles in the path of the attacker.  While no one obstacle is perfect, combining them has proven effective at stopping and deterring attacks.
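
One way to look for the asset-management blind spot described above is to reconcile the inventory against addresses seen on the network. The following is an added example, not code from the DBIR or from Monarch; the segment list, host lists and the function name find_blind_spots are constructed for illustration, and IPv4 with /24 subnets is assumed.

```python
import ipaddress

# Constructed sample data for illustration (not from the DBIR or Monarch).
INVENTORY_SEGMENTS = ["10.10.0.0/24", "10.20.0.0/24"]  # segments the asset program covers
INVENTORY_HOSTS = ["10.10.0.5", "10.10.0.9", "10.20.0.14"]
# Addresses seen by passive sources such as DHCP leases, ARP tables or flow logs.
OBSERVED_HOSTS = ["10.10.0.5", "10.10.0.77", "10.20.0.14",
                  "10.30.4.21", "10.30.4.22", "192.168.50.3"]


def find_blind_spots(segments, inventory_hosts, observed_hosts, guess_prefix=24):
    """Reconcile the inventory against observed IPv4 addresses."""
    nets = [ipaddress.ip_network(s) for s in segments]
    known = {ipaddress.ip_address(h) for h in inventory_hosts}
    seen = {ipaddress.ip_address(h) for h in observed_hosts}

    unmanaged = []          # live in a covered segment, missing from the inventory
    unknown_segments = {}   # live outside every covered segment, grouped by guessed subnet
    for ip in sorted(seen - known):
        if any(ip in net for net in nets):
            unmanaged.append(str(ip))
        else:
            guess = ipaddress.ip_network(f"{ip}/{guess_prefix}", strict=False)
            unknown_segments.setdefault(str(guess), []).append(str(ip))

    # Inventory entries that no source has seen: retired hosts or stale records.
    stale = [str(ip) for ip in sorted(known - seen)]
    return {"unmanaged": unmanaged, "unknown_segments": unknown_segments, "stale": stale}


if __name__ == "__main__":
    report = find_blind_spots(INVENTORY_SEGMENTS, INVENTORY_HOSTS, OBSERVED_HOSTS)
    for host in report["unmanaged"]:
        print(f"not in inventory: {host}")
    for subnet, hosts in report["unknown_segments"].items():
        print(f"segment outside inventory scope: {subnet} ({len(hosts)} hosts)")
    for host in report["stale"]:
        print(f"inventory entry never observed: {host}")
```

Hosts grouped under an unknown segment are the ones a patch process scoped to the inventory would never reach.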

02

External actors continue to be the main cause of incidents and breaches.  This is not a surprise, but there is an increase in insider error and misconfigurations contributing to security events.

You may not be the end goal.  Secondary breaches can be launched from your compromised infrastructure.

  • Misdelivery was the most common “insider” error.  Consider technical controls to minimize the sending of data to the wrong recipients (e.g. autofill).
  • Ensure mail and contact lists are up to date.
  • Have procedures to check for user error.
  • Scan storage buckets & firewalls for misconfiguration that can make them publicly accessible.
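
For the firewall half of that last item, and for the deny-by-default guidance under CSC 12, a rule audit can flag the common mistakes. This is an added example, not code from the DBIR or from Monarch; the rule format, trusted ranges, port list and the function name audit_rules are constructed for illustration and do not match any vendor's export format.

```python
import ipaddress

# Constructed sample policy and rule set for illustration.
TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.16/28"]  # approved source ranges
PUBLIC_PORTS = {443}                                      # services meant to be public
RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "port": 443},
    {"id": 2, "action": "allow", "src": "203.0.113.0/25", "port": 22},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "port": 3389},
    {"id": 4, "action": "allow", "src": "198.51.100.0/24", "port": 22},
]


def audit_rules(rules, trusted_ranges, public_ports):
    """Return (rule_id, finding) pairs for an ordered IPv4 rule list."""
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] in public_ports:
            continue  # deny rules and deliberately published services are fine
        src = ipaddress.ip_network(rule["src"])
        if src.prefixlen == 0:
            findings.append((rule["id"], "open to any source"))
        elif not any(src.subnet_of(t) for t in trusted):
            findings.append((rule["id"], "source outside trusted ranges"))

    # Deny by default: the last rule must drop everything not matched earlier.
    last = rules[-1] if rules else None
    default_deny = (last is not None and last["action"] == "deny"
                    and last["src"] == "0.0.0.0/0" and last["port"] == "any")
    if not default_deny:
        findings.append((None, "no default deny"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, TRUSTED_RANGES, PUBLIC_PORTS):
        print(f"rule {rule_id}: {finding}")
```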

Another thing you might be wondering is where the attackers are coming from. Based off of computer data breach and business email compromise complaints to the FBI Internet Crime Complaint Center (IC3), 85% of victims and subjects were in the same country, 56% were in the same state and 35% were even in the same city. In part, this is driven by many of the complaints coming from high-population areas such as Los Angeles, CA, and New York City, NY. So, the proverbial call is almost coming from inside the building.

DBIR Page 11

03

For malware-based attacks, Office documents remain the top vector.

Brute force and credential theft make up the majority of successful hacking attempts, followed by vulnerability exploitation in a distant third.  Since the shift to cloud services, it is important to protect and monitor web applications.

  • The attack action discovered can tell you the stage of an attack.  Detecting social engineering can indicate the beginning stages of an attack.  
  • Malware detected indicates that you need to look back in time since it is rarely the first step of an attack.
  • Scan and monitor web applications as part of continuous vulnerability management (CSC 3).

“the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all U.S.-based business email compromise victims had 99% of the money recovered or frozen; and only 9% had nothing recovered.”

2020 DBIR Page 25

04

{k:v} actions

  • Assess your organization against the CIS Controls to identify areas for improvement.
  • Start with realistic goals when implementing CIS Controls.  Some controls require a certain level of cyber maturity.
  • Know ALL of your network segments.
  • Deny by default and limit accessible IP ranges to only what is required.
  • Have a process to detect misconfigurations and employee mistakes.
  • Put obstacles in the way to slow down and deter attackers from their goal.  This includes network segmentation, least privilege accounts, and MFA among others.
  • If you suffer a financial loss, the IC3 Recovery Asset Team can help.
