85% is a misleading figure
It's:
48% involved privilege misuse (+26%)
40% resulted from hacking (-24%)
38% utilized malware (<>)
28% employed social tactics (+16%)
15% comprised physical attacks (+6%)
So if a hacker uses malware it counts as a tick in both columns... unless I'm misreading the report