The new Verizon Data Breach Investigations Report (DBIR) was just released, and while there’s a lot in it about AI, ransomware, and evolving threats, one thing really stood out to me: Most organizations still aren’t losing because of some futuristic movie-style cyberattack…they’re losing because attackers are getting faster at taking advantage of known problems while companies struggle to keep up with the basics.
According to the report, exploitation of vulnerabilities officially became the most common initial access method in breaches this year, passing credential abuse for the first time.
At the same time:
- Only 26% of known exploited critical vulnerabilities were fully remediated by organizations
- Median remediation time climbed to 43 days
- Organizations are dealing with significantly more vulnerabilities than they were even a year ago
Honestly, that probably doesn’t surprise most IT teams. There are simply too many systems, too many vendors, too many alerts, and too many moving parts for organizations to realistically patch everything immediately anymore.
The Problem Isn’t Just Technology
Visibility matters so much now. You can’t secure what you don’t know exists, and that includes retired equipment, old storage media, backup drives, forgotten hardware sitting in closets, or devices waiting to be recycled “eventually.”
One thing the DBIR reinforces pretty clearly is that attackers are taking advantage of operational gaps just as much as technical ones. The report also showed third-party involvement in breaches jumped to nearly half of all breaches analyzed this year.
That’s important because organizations today rely heavily on outside vendors, cloud platforms, service providers, and downstream partners. Every one of those relationships becomes part of your risk profile whether people realize it or not.
A lot of the examples Verizon discussed came back to pretty familiar issues:
- weak authentication
- poor credential management
- missing MFA
- excessive permissions
- lack of visibility into systems and access
None of that is flashy cybersecurity stuff. It’s operational discipline.
AI Is Speeding Things Up
The AI section of the report was interesting too. Attackers are absolutely using generative AI more now for phishing, malware development, vulnerability research, and automation. But the report also makes an important point: AI isn’t magically creating entirely new attack techniques yet. It’s mostly helping attackers move faster and scale existing techniques more efficiently.
That means organizations don’t necessarily need to throw out their entire security strategy overnight.
The fundamentals still matter:
- asset visibility
- lifecycle management
- patching
- access controls
- vendor oversight
- secure disposition processes
- documentation and chain of custody
Those things are still the foundation.
Where ITAD Fits In
This is also where IT asset disposition (ITAD) continues to overlap directly with cybersecurity more than some organizations realize.
When equipment leaves active use, the risk doesn’t automatically disappear with it. In many cases, retired equipment becomes harder to track, harder to manage, and easier to overlook entirely.
That includes:
- old laptops
- backup drives
- servers
- network equipment
- employee devices
- storage media
- unsupported systems waiting for disposal
The data, access, and compliance responsibilities tied to those assets still exist until the final downstream handling is complete.
That’s why organizations are paying closer attention now to chain of custody, downstream accountability, documented destruction processes, and visibility throughout the entire equipment lifecycle.
The Bigger Takeaway
The DBIR changes every year, but one thing stays pretty consistent: Organizations that stay disciplined with the fundamentals usually put themselves in a much better position than organizations constantly chasing the newest cybersecurity buzzword.
At SEAM, these are conversations we have regularly with organizations across the Midwest as they review IT asset disposition processes, vendor oversight, secure data destruction, and lifecycle management practices tied to retired technology.
If it’s been a while since your organization reviewed those processes, this report is a pretty good reminder that old assets and overlooked systems still create very real risk.
Levi Hentges is the Vice President / Development at SEAM. He helps clients build and manage their IT Asset Disposition (ITAD) programs to comply with legal, corporate and environmental requirements surrounding their technology devices; including asset recovery and resale, data destruction and secure electronics recycling.