The DBIR finding has direct implications for how organizations justify and resource their security programs: the dominant breach entry point is now a technical failure that perimeter spending alone cannot solve, placing patch management operations — historically underfunded and understaffed — at the center of enterprise risk. For sectors with regulatory breach notification obligations, exploitation-based breaches can be harder to detect and scope than credential-based incidents, extending the time to discovery and increasing the magnitude of potential regulatory exposure. Organizations that have not formally assessed their external attack surface and mapped it against the CISA KEV catalog are likely carrying unknown material risk that their current controls posture does not address.
You Are Affected If
Your organization operates external-facing systems (VPNs, firewalls, web application servers, OT/ICS remote access gateways) with open CVEs, particularly those on the CISA Known Exploited Vulnerabilities catalog
You operate in critical infrastructure sectors explicitly called out in the DBIR: energy, water, healthcare, manufacturing, transportation, or communications
Your patch management program uses CVSS base scores as the primary prioritization signal and does not yet integrate CISA KEV status or EPSS into remediation SLAs
Your EDR and network monitoring coverage does not extend to edge devices and network appliances — common blind spots where T1190 exploitation occurs outside endpoint agent visibility
Your security posture relies heavily on identity controls (MFA, SSO) as the primary breach prevention mechanism, without independent network segmentation and lateral movement controls as a fallback
Board Talking Points
For the first time in 19 years of Verizon's breach data, attackers are more likely to break in by exploiting an unpatched software flaw than by stealing a password — meaning identity investments alone no longer address the leading threat.
Leadership should direct a formal review of all external-facing systems against the CISA Known Exploited Vulnerabilities list within 30 days, with a mandate for remediation or compensating controls on any match.
Organizations that do not accelerate patch management for external-facing systems face increasing probability of a breach that bypasses existing perimeter and identity controls entirely, with no current detective control to catch it.
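The two actions above, replacing CVSS-first prioritization with KEV and EPSS signals in remediation SLAs, and reviewing external-facing systems against the KEV catalog with a remediation-or-compensating-control mandate, can be run as one triage pass over an asset inventory. The script below is an added example, not code from Verizon, the DBIR, or CISA. It assumes a constructed inventory of external-facing hosts with open CVEs (placeholder CVE IDs), a constructed excerpt in the layout of CISA's KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the real feed's; the entries are placeholders), an assumed SLA table and an assumed EPSS threshold. It shows why the CVSS-only ordering and the KEV/EPSS ordering disagree on the same assets, and flags KEV matches that still lack a compensating control.

```python
"""KEV/EPSS-aware remediation triage for external-facing assets (added example)."""
import json
from datetime import date, timedelta

# Constructed excerpt shaped like CISA's KEV feed. CVE IDs and dates are placeholders.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "SSL VPN",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Edge Firewall",
     "dateAdded": "2025-02-03", "dueDate": "2025-02-24", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed external-facing asset inventory; epss is the assumed EPSS probability score.
ASSETS = [
    {"host": "vpn-01",     "role": "VPN",              "cve": "CVE-0000-00001", "cvss": 7.5, "epss": 0.92, "compensating_control": False},
    {"host": "fw-edge-02", "role": "firewall",         "cve": "CVE-0000-00002", "cvss": 6.1, "epss": 0.35, "compensating_control": True},
    {"host": "web-app-03", "role": "web server",       "cve": "CVE-0000-00003", "cvss": 9.8, "epss": 0.01, "compensating_control": False},
    {"host": "ot-gw-04",   "role": "OT remote access", "cve": "CVE-0000-00004", "cvss": 5.3, "epss": 0.60, "compensating_control": False},
]

# Assumed remediation SLAs per priority tier (an illustration, not a CISA or DBIR figure).
SLA_DAYS = {"P1": 7, "P2": 14, "P3": 30, "P4": 90}
EPSS_HIGH = 0.5            # assumed threshold for "likely to be exploited soon"
TODAY = date(2025, 3, 1)   # constructed "as of" date so the run is reproducible
TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def load_kev(feed_json):
    """Index the KEV feed by CVE ID so membership checks are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def assign_priority(asset, kev):
    """Evidence of real-world exploitation (KEV) outranks EPSS, which outranks CVSS base score."""
    if asset["cve"] in kev:
        return "P1"
    if asset["epss"] >= EPSS_HIGH:
        return "P2"
    if asset["cvss"] >= 7.0:
        return "P3"
    return "P4"


def cvss_only_order(assets):
    """The legacy ordering a CVSS-first program would produce, for comparison."""
    return [a["host"] for a in sorted(assets, key=lambda a: -a["cvss"])]


def build_plan(assets, kev, today=TODAY):
    """Return remediation items sorted by tier then EPSS, with due dates and control gaps."""
    plan = []
    for a in assets:
        tier = assign_priority(a, kev)
        entry = kev.get(a["cve"])
        due = today + timedelta(days=SLA_DAYS[tier])
        if entry:
            # CISA's own dueDate binds when it is earlier than the internal SLA.
            due = min(due, date.fromisoformat(entry["dueDate"]))
        plan.append({
            "host": a["host"], "cve": a["cve"], "priority": tier, "epss": a["epss"],
            "due": due.isoformat(), "overdue": due < today, "kev": entry is not None,
            "ransomware": bool(entry and entry.get("knownRansomwareCampaignUse") == "Known"),
            # Board mandate: every KEV match gets a patch or a compensating control.
            "needs_compensating_control": entry is not None and not a["compensating_control"],
        })
    plan.sort(key=lambda p: (TIER_ORDER[p["priority"]], -p["epss"]))
    return plan


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    print("CVSS-only order:", cvss_only_order(ASSETS))
    for item in build_plan(ASSETS, kev):
        print(item)
```

On the constructed data the CVSS-first program would work web-app-03 (9.8) first, while the KEV/EPSS plan puts the VPN appliance first, marks both KEV matches as already past CISA's due date, and singles out vpn-01 as a KEV match with no compensating control in place. Swapping the embedded excerpt for the live feed and the inventory for real scan output is the only change needed to run this against an actual external attack surface.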
NERC CIP — Critical infrastructure operators with bulk electric system assets are directly referenced in the DBIR findings; exploitation of unpatched external-facing systems implicates CIP-007 (Systems Security Management) patch management requirements
HIPAA Security Rule — Healthcare organizations with unpatched external-facing systems face elevated breach risk; exploitation-based initial access triggering a PHI breach activates HIPAA breach notification obligations under 45 CFR Part 164
CISA BOD 22-01 / KEV — Federal civilian executive branch agencies, and operators that have voluntarily adopted KEV remediation requirements, are directly affected by the DBIR's finding that exploitation is now the top initial access vector: every KEV match on an external-facing system is both a compliance deadline and the leading breach path