Annual Cyber Reports, Same Trends

4–28–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, April 28, 2025, and because the annual RSA conference is this week, we’ve got a fresh batch of reports dropped just in. We’ll get you caught up on the latest threat intelligence and data from Verizon, Google, and the FBI.

Annual Cyber Reports, Same Trends

We’re going to pull out some highlights from these three reports - all of which have been published annually, though it’s entirely possible that they may either not continue at all or continue in very different forms moving forward.

The big 3 here are:

• Verizon Data Breach Investigation Report;

• FBI’s Internet Crime Report; and

• Google’s M-Trends Report.

Google Cloud M-Trends

We’ll start with Google’s report, which is based on their Mandiant team (remember when Google bought Mandiant for only $5.4B?). Interestingly, they note that phishing has declined as an initial threat vector, to be replaced by exploits (also known as zero-days, but sometimes just run of the mill vulnerabilities).

They also note that “dwell time” - time attackers spend in the environment prior to launching their attack - is down again this year. This indicates a couple of things - I think - working in tandem. First, we’ve collectively gotten better through EDR tools of detecting this type of activity, so they aren’t able to dwell as long, and secondly, attackers are much more opportunistic now - launching attacks on vulnerable systems while they know they’re vulnerable.

Google’s report also notes the changing landscape in tools and threats, with infostealers still a challenge, as well as threat actors from North Korea and Iran.

Verizon DBIR

Long heralded as the gold standard in this space, this year’s report from Verizon continues to offer insight. Like Google, they note a significant rise in vulnerability exploitation as an attack vector, and a drop in credential abuse.

Verizon’s statistics shed some good light on the challenges defenders are facing, including:

• Half of the systems infected with infostealers were not managed (meaning they are likely BYOD, and don’t have the same security and alerting as corporate systems);

• Third-parties now account for 30% of breaches; and

• 60% of breaches involved a human interaction (phishing, social engineering, etc.)

While that last number may seem high, it’s actually down from 80% in 2021.

Verizon also noted a significant uptick in what they’re calling “espionage” events (and it’s the second largest attacker motivation behind “Financial” - 89% to 17%, with other being less than 1%). These espionage attacks, however, do account for 62% of what Verizon calls “Basic Web Application Attacks” - up from 10-20% historically.

Then last interesting tidbit here is that AI use is flagged as increasing, but still representing less than 10% of malicious emails attackers are using - which is something of a lagging indicator. I think that number will be much higher in next year’s report.

FBI IC3 Report

The headlines from the FBI are pretty grim:

• $16.6 billion in losses (up from $12.5 billion)

• Investment scams accounting for the majority of the losses ($6.5 billion, up from $4.5 billion);

• Business Email Compromise dropping down a tick to $2.7 billion (from $2.9 billion);

• $9.3 billion of the total losses took place via crypto, beating the USD for the first time.

• The most exploited group of folks are, sadly, the 60+ demographic.

The rest of this report helps give some good financial details to the type of crimes and the tactics that criminals are using, and makes it clear that we’ve still got a long way to go in combatting these threats.

What strikes me most about this report - compared to the other two - is that it’s largely focused on individuals and the impact they feel, compared to more of a corporate approach for what Google and Verizon share.

Unfortunately, all of these reports reiterate the need to up our awareness and defenses at both home and at work - and with our aging population, in particular.

Fundraising

From a fundraising perspective, a relatively humble week totaling just over $7B in newly committed capital, led by LLR Partners, who raised $2.45b for their seventh flagship midmarket PE fund.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.verizon.com/business/resources/reports/dbir/

https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025/

https://news.risky.biz/risky-bulletin-fbi-ic3-verizon-dbir-google-m-trends-reports-are-out-heres-the-conclusions/

https://www.infosecurity-magazine.com/news/vulnerability-credential-initial/