There is a lot of intelligence-gathering involved in the selection of targets by these espionage groups, Jacobs said. "We think that they pick the small organizations because of their affiliation or work with larger organizations."
In comparison to cyberespionage, financially motivated cybercrime was responsible for 75 percent of data breach incidents covered in the report and hacktivists were behind the remaining 5 percent.
One noteworthy finding of this report is that all threat actors are targeting valid credentials, Jacobs said. In four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim's network, he said.
This will hopefully start to raise some questions about the widespread reliance on single-factor password-based authentication, Jacobs said. "I think if we switch to two-factor authentication and stop being so reliant on passwords, we might see a decrease in the number of these attacks or at least force the attackers to change" some of their techniques.
Fifty-two percent of data breach incidents involved hacking techniques, 40 percent involved the use of malware, 35 percent the use of physical attacks -- for example ATM skimming -- and 29 percent the use of social tactics like phishing.
The number of breaches that involved phishing was four times higher in 2012 compared to the previous year, which is probably the result of this technique being commonly used in targeted espionage campaigns.
Despite all the attention given to mobile threats during the past year, only a very small number of breaches covered by the Verizon report involved the use of mobile devices.
"For the most part, we are not seeing breaches leverage mobile devices as of yet," Jacobs said. "That's a pretty interesting finding that's kind of counter-intuitive in light of all the headlines saying how insecure mobile devices are. That's not to say they're not vulnerable, but the attackers currently have other easier methods to get the data."
The same holds true for cloud technologies, Jacobs said. While there have been some breaches involving systems that are hosted in the cloud, they were not the result of attacks exploiting cloud technologies, he said. "If your site is vulnerable to SQL injection, it doesn't matter where it's hosted -- in the cloud or locally. The kind of breaches we're seeing would occur regardless of whether the system would be in the cloud or not."
The Verizon report includes a list of 20 critical security controls that should be implemented by companies and which are mapped to the most prevalent threat actions identified in the analyzed dataset. However, the level to which every company should implement each control depends on the industry they're part of and the type of attacks they're likely to be more exposed to.