Last week, I highlighted the Methods of Attack data from the Verizon Business 2009 Data Breach Investigations Report. Today, I would like to discuss an equally important finding they reported about Attack Vectors (page 18).

The surprise is that only 10% of the breaches were traced to network devices. And network devices represented only 11% of the actual records breached. The top vector was Remote Access and Management at 39%. Web Applications came in second at 37%. Even more interesting is that 79% of all records breached were the result of the Web Application vector!

Clearly there has been a major shift in attack vectors. While this may not be a total surprise, we now have empirical evidence. We must focus our security efforts on applications, users, and content.