Transcript
පැහැන්න, එය ටිකාරයේ, ඔබට සැමට තම්බාන. අපි ඔබට සිටම. සිටමට මිශ්ර, සමින්න. Welcome everybody my name is David Bideines. Human Risk Advisor at HOX Hunt and welcome to today's show on the Verizon Data Breach Investigations Report. So every year Verizon Business releases the DBIR and every year this industry leading report reveals the largest sources of data breaches over the past 12 months. I personally have been using it for a long time and there's always findings that stop you mid-sentence. We're at the end of school here and I always think of it as the industry's annual report card. You learn what happened over the past year and it helps you, both the defenders and the attackers, think about how they adjust their syllabus for the coming year. So we are honored to participate in the Verizon DBIR for the second year in a row, led by HOX Hunt's VP of Human Risk Management, Maxime Cartier. And we're also thrilled to have Verizon's lead data scientist and co-author of the DBIR, Philippe Langlois, joining us today. Maxime, Philippe, thank you so much for joining us. Hi everyone. Hey, pleasure to be here. So Philippe, this year's DBIR has an overarching theme, refinement, not revolution. We should double down on fundamentals to face the fast moving threats. Tell us a little bit about what that means, to keep a strong foundation in the face of change. What does that mean in practice and what surprised you the most about this year's dataset? Yeah, absolutely. So I think this year has really been seen as like an inflection point for a lot of organizations, where the adoption of new technology has seemed to explode basically overnight. We've been hearing, especially with the advancements of Gen AI, where there's been this big transition where now it's really becoming part of the business. And for a lot of organizations, this is kind of seen as a big challenge, right? All of a sudden you have a lot of these third parties you have to manage. You have a lot of ambiguity in terms of what do these platforms do? What are the capabilities? And what do I as a defender have to do? So what we really wanna do is focus in terms of even though the technology has changed, cybersecurity as a practice really hasn't, right? The scale may have changed, but we've always kind of promoted the importance of automation and the importance of building a good structure so you can kind of adapt to these changes in technology. So the fundamentals, I think have always been something that we try to promote, especially with our collaboration with the Center for Internet Security and the critical security controls as kind of the starting point or this, once again, foundation that organizations can really leverage. It's still about identity. It's still about protecting your perimeter. It's still about patching and vulnerability management. So the speed of things may have changed, but still having our abilities as well. Well, thanks, Phil. With that as a great foundation, I know that you've prepared some visuals for us to dive into to look through the content a little bit further. Phil, the floor is yours. Yeah, absolutely. Thank you so much. The, you know, something that's kind of also foundational to the DBIR itself is our visual language. So I always think it's useful to have a handful of slides just to provide a little context, but then also communicate these larger, you know, perspectives that we have. So just for the folks who aren't familiar with the DBIR, you know, David had mentioned we've been doing this for a few years. We're up to 19 years at this point. And really the reason why we've been able to do this for so long is because of great partners like Hoxhan, right? We've been able to really kind of tap into the cybersecurity community to provide us data that we can really base our report on. So this year alone, we saw 31,000 incidents and 22,000 of those were breaches. But really what's one of the main stories is some of these shifts that we've been seeing. So over the last couple of years, one of the areas we've been focusing in on is what we call the ways in or the initial access vectors. Basically, what's the first step that attackers are taking against organizations, right? Because that allows us to identify, well, what's the first opportunity for defenders to either detect or prevent these breaches? Historically, we've looked at three major ones. We've seen credential abuse, which traditionally was the most common one. Phishing, which of course has maintained a high level of popularity, which is now the second most common. Exploitation of vulnerabilities, where there is an external vulnerability that allows an attacker to gain access to an environment. We've seen a lot of these over the last couple of years with VPNs and firewalls having some level of known or unknown vulnerability at time of exploitation. And then this year we added a new one, right? Which is pre-texting. So this is something that we've been collecting in the backend for many years now, but it's starting to grow in terms of complexity. And it was kind of an opportunity for us to highlight it. And what pre-texting is, is essentially a more complex form of social engineering, right? Where there's more intrinsic back and forth with the victim. We see this a lot with business email compromises, right? Where there's an email chain that's being hijacked and leveraged as context. But now we see these attacks kind of changing, not only for business email compromises, but also being used for other things. So we wanted to kind of highlight this as, you know, the importance of social engineering, right? Some of the top things are still social engineering, have always been social engineering. And I'm going to guess in 2027, 2028, social engineering will still be present as one of the main things we have to identify and protect against. So the big shift this year was really in terms of the rise of exploitation or vulnerabilities. Don't want to dive too much into that. We've did a very good webinar that kind of goes into that detail. But basically there's been a shift in terms of the number of vulnerabilities being exploited and our ability to detect and remediate has been worsening, right? We're slower to fully remediate and we're remediating less of these critical vulnerabilities. So yeah, and we're going to talk about a little, in terms of the ways in phishing and pre-texting. Phil, that's fascinating. I think I'll turn it to Maxime to provide us some analysis of this. Maxime, what would you say is sort of driving this spike? Is it temporary and where do you think it goes from here? I think what surprised me, and of course phishing and pre-texting is still a big part, but I was not necessarily expecting exploitation or vulnerabilities to come first this year. And I mean, you know that I work mostly with the human element, cyber security. And so you might say, okay, this is not relevant for what Hoxton does, what security or wellness practitioner does. But I think it's quite the opposite because we have powerful vulnerability scanners, we have powerful vulnerability management tools nowadays. The problem is not technological. We know that there are vulnerabilities, right? In organizations I've been a part of, there's often quite a lot, actually, even critical and high, and they're just not all remediated or not as Philippe said, within a reasonable amount of time, let's say. The thing is that IT teams, I think are often managing very competing priorities and they might just not put security and vulnerability management at the top of their list. And in response, cyber security teams kind of struggle with how to manage and communicate about this topic, about vulnerability management. I think some of the things that I've seen at least is that often the why of vulnerability management is not extremely clear to people doing the work, right? So it keeps slipping behind future delivery. And we also have communication from the security team to IT operations that can be quite technical, quite dense, and doesn't really help to prioritize. We have sometimes, just go patch, you figure out how. We don't say how, just say, you need to patch. That's part of our policies. Or sometimes we can be even as the security team don't write threatening about this, right? And say, okay, if you don't patch within 48 hours, your servers, your applications, right, they will be shut down. And I mean, I think that the people listening to us today, they know very well that's not a practice that work very well. And this is really an area where security on this practitioners can make a difference, right? The IT operations team, the sysadmin, the developers, their employees too, and patching is a security behavior like other security behaviors, like reporting suspicious emails, and something that security ones practitioners are training, experiencing, trying to influence. So I think that we can really help in this domain by bringing some clarity, some meaning, some motivation behind this topic, right? And also by trying to remove some of the frictions in the patching process, make it easy, easier at least to patch solutions. Simply put, you know, when it comes to communications, when it comes to behavior change, we can really help the rest of the security team or IT colleagues to achieve their goal here and patch better and faster. So one recommendation that I would give based on your data field to security ones practitioners who are listening to us today would be go talk to your vulnerability management team, right? So the people who work with this topic. Go talk with them and go help them or offer to help, right? With the communication around this topic, with the processes around this topic, because that's one of the single biggest difference that you can make this year in terms of actual risk reduction. Yeah, Maxime, I would write off the comment you just said about go talk to your vulnerability management folks. Go also talk to the business folks, right? The folks who are running these systems or the developers. And listen to the feedback they have regarding the CVEs that are getting flagged. You know, like many folks, I enjoy perusing Reddit every once in a while. And I'm on all these, you know, you follow the comments, you know, in non cybersecurity threads and things like that. And a lot of them are like, oh, these cybersecurity folks, they're just sending me endless list of CVEs that don't matter, right? These aren't exploitable CVEs, it's just something that was flagged, or, you know, these are things that we can't X, Y, and Z reasons, right? So that human element of being able to communicate and find that middle ground is really key, right? We have to make sure that what we're providing isn't just an output of a scanner, right? It's important context, both from the threat landscape, but then also the business, right? What are the possible impacts and things like that? So, you know, the importance of communication, especially in an industry or a position like cybersecurity is, I think, can't be understated, right? It's very important to be able to provide meaningful context, especially when you're trying to convince folks to do the right thing, right? Which everyone wants to do the right thing, it's just there's always competing interests. Absolutely, it's human nature, Phil and Maxime. And one of the things I've loved about this finding in this line of discussion is that something as seemingly as technical as patching really does have a human and a human behavioral level to it, right? It's something where you have to understand motivations, you have to understand nudges, behavior to really kind of make an impact to understand why people act in the way that they do and how we can use that in order to improve our overall cybersecurity. So speaking of the human element and how we conquer that, let's talk a little bit about Gen AI. I'm curious, Philippe, what are you seeing sort of in Gen AI and how that affects this and other sort of topics going forward? Yeah, absolutely. So this year we had a very unique opportunity to collaborate with Anthropic and do some research in terms of identified cybersecurity abuse cases and really try to work through the data and tell the story, how are attackers leveraging these Gen AI platforms and what are the implications for defenders? I think we've all heard of the, you know, the agentic automated pen testing, things like that. But we really wanted to do a deeper dive and try to identify what are the implications? So what you see here are two distributions, right? So this is based on identified abuse cases, right? They found someone that was using either Claude or another one of their products to develop cybersecurity, offensive cybersecurity capabilities. And what we did is we tagged it according to the attack techniques. So we can say how many different techniques did each of these individual threat actors research? And what we really found was that the majority of these were focusing in on a very small number of techniques, right? 15 being the median and at the high end, 34, right? Which of course, you can say, wow, 34 things I have to defend against. That's still a big number, right? These are new capabilities being developed. But when we start kind of pulling apart, well, what are these techniques that they're developing? are these techniques that they're developing, what we found is that the majority of these What we found is that the majority of these techniques were already very well understood and leveraged techniques, right? So we looked at the number of software per technique that was being researched and found the median was about 55. So for each of these techniques, there was at least 55 different software examples, which from a gen AI platform, right, that is extremely useful, because you can kind of distill from those 55. But also from defenders, that's also extremely useful, because these are things that we as defenders are well aware of, right? We've seen these things before. They're not quote unquote, novel, right? They're pre existing capabilities that we have detection or we have protections against. And what we found was only 2.5 of those, where there wasn't really, you know, which we consider novel, as in there's not a lot of examples of software that would do these specific techniques. What we found really interesting was to see from the initial access, where were the areas they were focusing in. So we're just going to take this sliver, right, ignore all the things that are specific to, you know, C2 or persistence, and really look in terms of, you know, this column, what are attackers researching as their first step, right? And we see phishing as being kind of 44% of the things they researched, which, you know, I think is perhaps an understated number, right? I think phishing represents more than that. But for this specific use case, right, in a specific data set, that's what we found is phishing as the one of the most common use cases for these gen AI platforms, like followed by building exploit code, or building code that can be used to abuse credentials, such as brute forcing or credential replay. So we see these gen AI platforms being used to help craft phishing, you know, possibly more targeted phishing emails or translating existing phishing emails to different languages. This one is interesting, Phil, because I know that the data from this report was from 1st of November to 31st of October, correct? Or something like this? Yes, yeah. And so we haven't shared this data with you for the report, because it came from after this, but at Auxent, we analyzed about half a million potential email threats that are reported by employees all across the globe. And those are the phishing emails that bypass all the other filters, right? The ones that do land into the inbox and are reported by people. And we analyzed them all. And last year, or beginning of this year, what our threat analyst team has found is that for most of last year, between January and November, only 4% of all threats that were reported to us had clear sign of being AI generated, right? Only 4%. And we're like, okay, well, we're talking a lot about AI, but it's still not really there. People are still not really using it. Although, of course, when you read the reports from Anthropic, from OpenAI, they do mention that their tools are actively used by for phishing attempts and for other, by criminals in general, but maybe not that much yet. But very surprisingly, what happened in December is all of a sudden, this percentage of phishing threats that bypass email filters and landed into the inbox, AI created, was multiplied by 14 times. So it went from 10% to 54% of all threats that were reported that are clear signs of being AI generated. And in phishing, and maybe not just in phishing, in cybersecurity in general, sometimes there's just very quick shifts where a new method, a new type of threat, all of a sudden becomes the majority of the threats that we see. And since then, actually, so this was in December, great Christmas present, by the way. But since then, in January, February, 2026, it has continued around this level. Of course, it changes a little bit every month, but it's still the majority of attacks. Interesting. Yeah. I wonder if it's a new phishing kit has come out, right, where that's built-in capabilities or there's a, so there's two ways we can look at it, so that you have the, there's a new phishing kit that's using templated language that is flagged as being AI, so that the threat actor can easily go and spin off different translations or what have you. Or there's the possibility also that these are now more targeted. That would be an interesting follow-up analysis. I don't know if you guys had a chance to do that or have the ability to make those, is this a target in the sense of, does this provide additional context or how templated are these? Because the threat actors are always looking for scale. It's a numbers game, right? They cast as big of an, especially in phishing, right? The number of spam emails, the number of phishing emails, right? They try to send out as much as they can. But that next step of being to personalize, not just put someone's name, right, but actually like put personalized context is, you know, that's an indication of either more advanced automation or someone caring enough to actually do it that way. Yeah, Phil, I think what we're seeing at this high end is that the targeted, personalized, contextually relevant attacks, those are the types of things that, you know, it's producing something that it looks like somebody from someone that you know with relevant information. And it really makes the point that a training simulation program that has kind of that one size fits all, one campaign for everyone, really just understates the real risk and really doesn't train your users for what we're actually seeing out there. That a sophisticated attacker using these tools is going to produce, you know, spearfish attacks kind of at scale, which is quite something. Sorry, Maxime, I jumped on something that you were going to say. Nope, that was good. Nothing to add. Excellent. There's some more interesting findings I'm happy to dive into. So one of the areas of research we did last year was on InfoStealers. So InfoStealers is a specialized type of malware that focuses in terms of taking credentials stored on a system either through the browser or in safe passwords and syphoning it off, right? What we want to do is then look at the next step of an attacker's process. So you have this giant pool of credentials. Typically, there's another organization, another user, another attacker that will go and weaponize these types of credentials, either, you know, credentials accessed through InfoStealers or even possibly vulnerabilities and things like that. We call them initial access brokers because their job or their function is to gain access and then resell it. So we found that, you know, in terms of credentials, there's a lot of value, right? The normal user credential, which may have access to a VPN or single sign on, right, is typically sold around $700. But an administrator account is almost double that, right? $1,300, which really shows kind of the value these attackers are putting in terms of having that administrative account because it provides them with so much access and it's one less thing they have to do, right? So if they're reselling it to a ransomware operator, ransomware operator wants to have as much of an impact across an organization to get a payout. Having an administrator account really simplifies that process, right? Because they can now not just impact what this user has access to, but they can impact the entire organization. So I really kind of think what's the importance of protecting these accounts, right? And we're seeing a lot of social engineering targeting administrators, you know, or IT help desk or what have you, just because they have this additional access and this additional value for threat actors. And Phil, so this InfoStealers, do you have any data about how they distributed in the first place? Yeah. So we looked at that, we looked at in a couple of different ways last year. So there's, of course, the very traditional, right, phishing email package, right, where there's some type of malware. And oftentimes what they were doing is they were also, you know, doing a lot of downloading their main payload and then also downloading an InfoStealer. Because an InfoStealer provides them with an instant way of monetizing that system access. Rather, you know, other types of infections you either have to maintain persistence, so you have to avoid the AV scanners and, you know, find a place to write into the system so you're not detected. But InfoStealers execute and siphon out the data. So that's one way. But then we also saw a lot of targeting through non-conventional ways, right? We think of email as being one of the main vectors, it still is. But we saw a lot of corporate systems being impacted because they were being dual use, right? So you had folks that were downloading Fortnite, free VBucks packages, which happened to have InfoStealers. I don't remember which specific case, but, you know, there was one recently where that's how the credentials were gathered, was on a corporate system, they were running a cheat, I think for Fortnite or some other game, and that infected the system and siphoned out the credentials. So we talk about the human element. I think this is a very easy thing to point to, because it's not just, you know, what's coming in and I have to be, you know, studious in terms of looking at what's in the email, what's the qualities of the email. Social engineering is more than that too, right? We also see ClickFix as being another vector that's been growing. So for those who don't know, ClickFix is a fake CloudFlare type turnstile where it will show you a CloudFlare prompt saying you need to prove you're human by copying and pasting this command into your terminal. And basically what that command does, goes and fetches malware, downloads, and it executes in your system. So for a user, they think they're just going through and validating that they're human, right? CloudFlare is well known, you've seen different types of CAPTCHAs over the years, so it just kind of falls within that, oh, I just have to go through this, they're trying to stop AI bots, what have you. But, you know, it's once again, you're kind of taking advantage of our trying, either not being familiar with how this technology works. I remember I told my friend who works for the state, and he said, well, this is one of the new attacks. And he's like, people fall for that? They're literally copying. I'm like, yeah, it's, you know, it's a simple prompt. It's two, it's control C, control R, right? And it just, it runs and they go on their day. Like it's convincing for, you know, a non-technical person. So yeah, he is definitely, he's like, well, I guess I got to go tell my users to be a little more cautious around that. Yeah, it's something that we've seen a lot over the past year also. And that's why we've included this actually as part of our simulations, as part of our training, right? It's type of landing page that we have after a phishing simulation that is, replicates this quick fix technique with fake capture, fake code flare, as say fake browser update. Also we have this, you know, we've seen quite a few of these landing pages that say, hey, your browser is out of date and you need to update it. And it's the same thing, you know, control C, control R, control V. So of course you can do regular training, but I think the best way to make people aware that it exists and and get the reflex of recognizing the next time is to actually also simulate it as part of your phishing simulation program. Absolutely, Maxime. And one of the things I would just piggyback on that is that I think that it's really an indictment of a, just a training program that is just done via email phishing simulations, right? You need to expand and do so much more. You need to recognize that the attackers are using all kinds of different avenues, whether it's SMS, smishing, the attacks that we've talked about now, you have to really come with a holistic approach to training and providing kind of human risk management to your organization that really stays up to date with what are the latest attacks are. 100%, right? And it's, you know, it's complicated because it's also about, you know, almost like the accessible use of systems, right? So one of the things that we saw with InfoStealers is that there was a lot of corporate data on non-corporate managed devices. So you have people that were logging in, saving their logins on their personal system, and then that system was getting infected and the organization didn't know that all of a sudden their credentials got siphoned off to InfoStealers, right? So it's really about communicating, you know, to users good hygiene in terms of, you know, what is trust? What are the things we should be trusting? Where should we be logging into? And just because a pop-up comes up from a page you visited a hundred times doesn't necessarily mean that that is a trustworthy, you know, message, right? Just because this website Just because this website about your local Dachshund breeders about your local Dachshund breeder... all of a sudden has a cloud flare prompt, you've been there a hundred times, it doesn't mean that this is an actual part of that website, right? So there's a lot of nuance that we have to teach folks. And that's a perfect segue actually to the next area we wanted to look at. So human element has always been a large part of breaches, right? 62% of all our breaches involve some level of human element, right? Rather a user falling into social engineering or password practices, right? These types of things. It's a very common element in these breaches. Has been pretty much since day one, 19 years ago. And if we're here for another 19 years, I have a feeling it's still gonna be the case. But one of the areas that we were really interested and have been interested in is trying to nail down the click rate. So that's something we've been looking at pretty consistently, I think for the last five or six years is, okay, we have education programs, which is why it's a fantastic opportunity here to be talking with you guys about this. But we find that the median success rate for these email attacks tend to be like around 1.4%. So 1.4% of users within a campaign will typically fall victim to one of these simulated attacks. However, when we're looking in terms of attacks or campaigns that are targeting mobile devices, it's 40% higher, right? So it's 1.9, almost 2% of users will fall for these mobile centric types of attacks. And we've seen that, right? And of course we see it every day. How many different types of weird text messages do we get, right? Either as phishing or just kind of the random, hey, I'm in your neck of the woods, Sandra, wouldn't you like to meet up? Types of email. And of course, we as cybersecurity practitioners are aware to be cautious of any unsolicited text messages. But for defenders, mobile devices represent also a more complex thing to defend, right? Text messages are one thing, how about voice calls, right? And we've seen attackers shift into more complex types of attacks, right? Using once again, pretexting. So there's an existing context that they can leverage. Two of the examples that we've been seeing is, they have access to a user's credential, but it has MFA. So they'll go and then they'll try to work with the IT help desk to reset their MFA. Oh, I lost my phone, can you help me reset it? Here's all the information, right? And that worked for a while, and then we started making sure that IT help desk realizes some of the techniques these attackers are using. Now they're going after users. So they'll set up users with an email blast. So all of a sudden this user is receiving hundreds and hundreds of spam emails going through. They're panicking, they're freaking out. All of a sudden they get a team invite, claiming from someone to be from help desk, right? And they're saying, hey, I noticed you're having some issue. Let me hop on your computer and let's do some screen sharing and I'll try to troubleshoot this. And user of course panicking will allow this third party, external organization to connect in and they can proxy their attack through that victim. So there's a lot of complexity, especially with some of the mobile centric social engineering. And especially as we have a lot of more ways to be communicated with, which is important for a remote workforce. We just have to make sure we teach folks that if someone's sending an invite to teams, right? That they might not be internal to your organization or as organization you don't allow people to send invites. Right, there's always some configuration or something that kind of help as well to protect some of this stuff. Phil, I think that's well said. And I think that it ultimately comes down to sort of a trust and awareness issue. You need to teach your people to be cognizant and recognize these types of attack. What seems out of the ordinary? What is unusual? I thought I was the only one that was getting those text messages that you mentioned Phil earlier today. But no, it's recognizing what seems out of the ordinary and being able to have a culture. And I think the key word is a culture of safety or a culture of cybersecurity, to know that it's okay to stop and to report and to ask questions of, is this real? Is this legitimate? Talking to a colleague rather than just sort of acting on your own. I think that's when sort of mistakes get made. Maxine, how about you? What do you think on this topic? I think it's really interesting to have this data about the higher success rates or success rates for criminals, not for end users with this non-mobile, non-email vectors. We see a strong pull from our own customers and all the organizations we talk to about smishing and vishing and deepfake because they've seen or been the victim of shiny enters, lapses, scatter spider, those groups who have made the news with their attacks on help desk and extra. And to me, it's something that makes a lot of sense considering that I do believe that click rates on phishing simulation has been going down over time, right? We've had some success. It's good news, right? We've managed to lower the click rates on phishing overall. But so people are getting better and better at spotting phishing emails, but that means that hikers, right, as always, they adapt, right? And they move to new communication channels. That's why they move to SMS. That's why they move to phone calls, to Teams. So the attack surface has basically started to shift towards these channels. Most social engineering attacks, as you pointed out in the report, they're still happening via email, but the attacks via other channels have higher success rates for scammers or can lead to worse consequences, have more impact. And we see this in our data also at Oxfam. Typically, the first time we do a phishing campaign for a customer, a phishing simulation campaign, the click rate is actually much higher than what we see on the email, the average email simulation rate. But the good news is that regular simulations over this new channel, right, whether you do SMS or Teams, very quickly improve things, right? Because people are already used to the thought process that reflects the habit of questioning something that is unexpected, that seems weird. It's just that when it comes through a new channel, well, that's surprising. That's maybe you don't think initially about this, you know, muscle memory that you've built for email. It doesn't necessarily translate right away when it's an SMS or a phone call. So the click rate is higher the first time, but it goes down quite quickly as people just understand that whether it's an email, an SMS, a phone call, Teams, it's actually kind of the same steps that you need to take, right? Try to both understand, does it create a strong emotion? Is the sender recognized, right? All those type of things, and then verify and report. Yeah, absolutely, right? It's the importance of the process too, right? I think it's an issue when we're looking at things like business email compromises, right? Where they're trying to, you know, as well as having a sense of urgency, trying to bypass the process. So I was having a, I did a panel with folks who are, you know, they manage large pension funds and things like that. So moving money is what they do day to day, right? This is their business process. And they're like, oh yeah, we have a defined call tree where if any type of request comes, you know, these are the people we have to go through and we have to go through and use, you know, a last known phone number, right? That we have confirmed. So even if they're sending, you know, oh, can you update with my, you know, blah, blah, and they change the signature block with different phone numbers, because that's what they do as well. There's already an existing database that says, okay, this is what we have to do. So there's the importance of the process within the organization, but then also exactly like you said, the critical thinking and taking that extra step back and being like, okay, you know, what are the implications? You know, can I trust the sender? What are they trying to get me to do? You know, just that pause can make a huge difference. Yeah, Phil, I think that, so the DBIR, one of the things that it lists is that culture that supports and enables secure behavior can be a foundational control. And I think that's kind of what you're summarizing here. Tell us a little bit about that editorial choice and kind of how you see that as an overarching narrative throughout the report. Yeah, so the culture element, I think, dates back to, at least for me, right? Each of our authors, there's four of us, have a different perspective and different history. For me, I don't come from an IT background. I come from a critical infrastructure background. And as part of critical infrastructure, right, we were specifically looking in terms of environmental impact, terrorism, you know, physical security, theft, all these kinds of different threats, right, that might impact the functioning of critical infrastructure. And you quickly realize these are all kind of their individual expertises, right? They have their own individual priorities. Cybersecurity is one of them, right? And that, you know, I think there's sometimes a sense of strong ownership of IT, but cybersecurity is but one risk an organization has to manage and has to mitigate and has to navigate. So we really kind of try to promote the importance of culture, right? Being able to be a trusted advisor to help the business, because we all work and operate here at the behalf of a business trying to do something, whether that's critical infrastructure, or that's, you know, you're the local Dachshund rescue. You're trying to achieve something. So you don't want it to be an adversarial relationship. And I think sometimes we've gotten a little bit of the hacker chip on our shoulders, right, where we do have a strong understanding of technology, where there is, you know, for us, a clear answer, right? We know what needs to be done, but knowing isn't really what necessarily gets things done. So we have to be able to kind of understand our role within the corporate culture, and really, A, be a trusted source of expertise, and also be someone that people aren't, you know, fearful of connecting to. I don't think anyone's been enthusiastic about, oh, yay, I get a security, or, oh, yay, I have to report this, right? So there's kind of this fine line that we have to walk as security practitioners, where, you know, we clearly have an important job to do, right, not negating that, but we also have to put it within the larger context of the business. And I think that really helps get buy-in, especially from leadership. And now, I think, is a very unique opportunity with change in technology. I think, once again, technology has become really the forefront of what a business needs to implement. So this is really kind of a unique opportunity for cybersecurity to also step up and be like, oh, this is how we do it, or this is how we can do it in a way that is safe, and that we can kind of, you know, verify we have maintained ownership over things that are important to the business. Maxime, you've run global security programs at scale. What are your take on building a culture of cybersecurity and how that resonates today, maybe more than ever? Yeah, I really like what you say, the feel on, you know, we need to make also security engaging, right, not just scary thing, not just technical. It's how do we make it, well, important, of course, first, but not just important, something that people generally want to do, can maybe actually even get excited about, right? And maybe I set the bar very high, but that's what I want to achieve, right? I want people to really feel positively about security, feel like it's something that is not only important, but that they can do and that they want to do. And that's the culture of security, right? It's not just about pushing rules and policies and processes because they're important, but it's also about how can we change the attitudes, the perceptions around our team, around the topic, right? So that people generally feel that this is something that they want to engage with and do. And I really like that, yeah, as David, you said, that's something that you put into your list of fundamentals, right? In the executive summary, on the introduction, very early on in the report, and it's not the first time because we don't address this human element, this 62% of breaches. I use this number many times as a security practitioner, also to make the point of why this matters. And we can't address it with just an annual compliance training, right? We need to do more than this. We need to work on culture. We need to work on behaviors. And maybe one question that I want to ask you, you partly answered this, Philippe, by saying that we need to work on culture, but based on the data that you collected, what would be your top recommendations maybe today maybe today to security wellness practitioners? Overall, I think it's really getting a sense as to what are the business needs, right? Because we're, once again, I think we're at an inflection point. And I'm a person that tends to be a little reserved with some of these predictions about technology, but, you know, shifts in technology is normal. But this is an important inflection point that we have to understand what are the business needs. So understand what you're trying to protect, I think, is really a key thing, right? Risk management is, I think, really foundational in some degree, right? We can't just secure everything, right? I used to work with the technical folks that wrote the benchmarks, right? Secure configurations. And they would tell me, I don't believe in a secure operating system. It doesn't exist. You can go turn everything off, put it in a safe, launch into the ocean, right? That system I'll consider secure. Well, okay, that's not what a business needs. So there's that interplay, right? What's the needs of security? What's the needs of the business? So I think that's really important from a technical standpoint, right? Importance of security awareness, obviously, I think is, we drove that home. There's still some very foundational technical controls. MFA, I think, is still undervalued. We found organizations still had a lot of administrative accounts on their cloud platforms without MFA, right? These major type of mitigations that people are still not adopting. So there's the importance of the technical controls, then also understanding the business context. And I think that's really where we need to make sure security aligns to. Thank you, Philippe. And if I have to reiterate too, also, and maybe David, you will have one also to conclude. But you said, if I would have two things that are out of this report, it would be first, go talk to your vulnerability management team. And not only, as you say, maybe with the vulnerability management team, but also with the people who are actually patching, doing the patching to understand what are the blockers, how we can help them. So that would be number one. And the number two would be, think about how to train outside of email when it comes to social engineering, right? And training through different channels and training different audiences, right? Focusing, for example, on the IT support, the service desk, based on all the attacks that we've seen in the past. Or other groups, HR, finance, right? It's not a one size fits all. So how do we develop our social engineering training program to be through several channels and for several different groups? I was going to ask the panel here, I was going to say, what is one thing that you want folks who are listening today to maybe make one change to their program? I think we've talked about this quite a bit in the last three minutes. But I'll talk about one. If I were leading a global cyber awareness program, which I have in the past, I would say to make continual adjustments, right? If something isn't working, feel free to make the change, right? We often set goals at the beginning of the year, but things change, right? We're seeing the rise of Gen AI attacks. We're seeing the rise of phishing kits. If something is changing in the market, you should adjust the way that you train your users. And only through that can you really become a group that cybersecurity is the group of no to the group of how. I love, Maxime, what you said of making cybersecurity a fun topic. Make it engaging, make it welcoming, make it something that people want to get involved in, not something that's scary or in the dark. Maxime, Philippe, any final thoughts on summarizing this, summarizing this conversation? I know it's been a full hour here. Yeah, yeah, absolutely. So once again, a huge thanks to folks for collaborating with us. We really can't write the report without individuals from the community willing to spare their expertise, data, and time to help us write this report. So if folks are interested in the full report, you can download it. There's free, there's absolutely no cost. You don't even have to provide an email address. We're always available at this email address at dbir at verizon.com. And lastly, we have a new report that's coming out, which is going to be looking specifically at the impacts of data breaches. So for anyone that does anything pertaining to risk management, this is one that's probably worth checking out as we're trying to nail down a specific numerical value in terms of how much does it cost for different types of incidents. So once again, huge thank you so much for the fine folks at Hawks Hunt for having me and hope everyone has a good day. Yeah, Philippe, thank you so much. This is exactly the type of conversation that a report like this deserves. Finding the signal in all of the noises and figuring out what we do about it, not just how we talk about it. Thank you again. Thank you, Maxime. Thank you, Philippe, for joining us today. Until the next time we meet, I'm David Bedanes from Hawks Hunt signing off. Thanks, everybody. All right. Thank you. Thank you, Ben. Thank you.