Findings from 22,000+ breaches reinforce the critical role of prioritized safeguards and shared intelligence as vulnerability exploitation rises
CLIFTON PARK, NY, UNITED STATES, May 19, 2026 /EINPresswire.com/ -- The Center for Internet Security, Inc.® (CIS®) today announced that the newly released 2026 Verizon Data Breach Investigations Report (DBIR) highlights the importance of the CIS Critical Security Controls® (CIS Controls®) and incorporates operational metrics from the Multi‑State Information Sharing and Analysis Center® (MS-ISAC®).
Now in its 19th year, the Verizon DBIR analyzed over 31,000 security incidents and 22,000 confirmed data breaches spanning 145 countries, offering one of the most comprehensive views of the global threat landscape. The report reinforces the value of prioritized, community-developed best practices and shared threat intelligence in reducing cyber risk across public and private organizations.
According to the 2026 Verizon DBIR, exploitation of vulnerabilities has become the most common initial access vector, accounting for 31% of breaches, while credential abuse has declined to 13%. At the same time, only 26% of critical vulnerabilities were fully remediated in 2025, and the median time to resolution increased to 43 days, highlighting the continued need for organizations to implement foundational security measures that address the most common and exploitable attack paths.
“The 2026 DBIR makes clear that attackers continue to prioritize the most reliable paths to compromise, such as exploiting unpatched vulnerabilities, leveraging compromised or weak credentials, and scaling social engineering with speed and efficiency,” said Phyllis Lee, Vice President of CIS Security Best Practices Content Development. “Organizations that focus on proven, prioritized security controls and timely remediation are better positioned to reduce risk and disrupt these common attack patterns.”
The report also includes insights from MS-ISAC data, reflecting CIS's unique visibility into threats targeting state, local, tribal, and territorial (SLTT) government networks. Among notable trends, ransomware continues to rise – now present in 48% of breaches – while 69% of victims declined to pay, underscoring both the persistence of attacks and improving resilience among organizations.
“Exploitation of vulnerabilities continues to outpace defenders’ ability to remediate them, and the findings in this year’s report reinforce what we see every day across state, local, tribal and territorial networks,” said TJ Sayers, Senior Director of Threat Intelligence for the MS-ISAC at CIS. “The inclusion of MS-ISAC data in the Verizon DBIR highlights the critical role of shared intelligence in identifying real adversary behavior and strengthening collective defense.”
The report further highlights emerging risks tied to evolving technologies and attack methods. Threat actors are increasingly leveraging generative AI to support activities such as phishing, vulnerability exploitation, and malware development, while “shadow AI” usage within organizations is contributing to data exposure risks. Additionally, third-party involvement in breaches has grown to 48%, reflecting the expanding attack surface as organizations rely more heavily on external providers.
The CIS Controls are a prioritized set of cybersecurity best practices developed by a global community of practitioners. Their inclusion in the 2026 Verizon DBIR highlights their ongoing relevance as a practical, effective roadmap for organizations seeking to reduce risk and improve cyber hygiene.
“With vulnerability exploitation on the rise, increasing reliance on third-party software, and continued growth in ransomware, the 2026 Verizon DBIR once again validates the importance of implementing prioritized, evidence-based safeguards,” said Curtis Dukes, Executive Vice President and General Manager of Security Best Practices at CIS. “The CIS Controls continue to provide organizations with a clear, actionable path to defend against the most prevalent threats.”
The MS-ISAC, operated by CIS, provides 24x7x365 threat intelligence, monitoring, and incident response to state, local, tribal and territorial (SLTT) governments at no cost. Its data in the DBIR reflects real-world adversary behavior and the scale and persistence of threats facing public-sector networks.
CIS will continue working with partners across government, industry, and the global cybersecurity community to advance the adoption of the CIS Controls, strengthen SLTT resilience, and expand the impact of shared intelligence.
For more information about CIS, the CIS Controls, or the MS‑ISAC, visit cisecurity.org.
###
About CIS:
The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks®, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit CIS or follow us on X: @CISecurity.
Kelly Wyland
Center for Internet Security
+1 518-256-6978