Understanding data breaches 2020

For 13 years, Verizon has published its Data Breach Investigations Report. The 2020 edition is now available.

As usual, it contains some interesting information:

  • Only 70% of breaches were by external actors.
  • Organized crime was behind 55%.
  • Nation states, sysadmins, and end users were each behind about 10% of the breaches.
  • 22% included social attacks (pretexting and phishing); 96% of these arrived by email, and 1% by phone or SMS.
  • 17% involved malware; 27% of malware was ransomware.
  • 8% was from misuse by authorized users.
  • Partners were involved in 1%; multiple parties were also involved in 1%.
  • 81% were contained in one day or less [a massive improvement from what I have read in the past].
  • 72% of the victims were large businesses.
  • 58% of victims had personal data compromised.
  • 20% of breaches took months to be discovered, a significant improvement from prior years.
  • Of the 108,069 breaches and 157,525 incidents reported to Verizon, more than 100,000 breaches “were credentials of individual users being compromised to target bank accounts, cloud services, etc.”
  • There were 25,029 incidents involving organizations where they could identify the industry category. 7,463 (30%) involved professional organizations, 6,843 (27%) were of public organizations, and 5,471 (21%) were information industry related.
  • Of the 3,262 breaches involving organizations where the industry was known, 521 (16%) were in healthcare, 448 (13%) in finance.

Unfortunately, there is next to no information on the extent of damage caused by the incidents. The top part of Figure 32 seems to indicate that very few exceed $100,000. However, the report says that “In 2019, the Secret Service prevented $7.1 billion of cybercrime losses and returned over $31 million in stolen assets to victims of fraud”.

The report has some fascinating detail that should be of great interest to infosec practitioners.

I keep coming back to the issue of whether data breaches are as significant a ‘risk’ as people make out. All of the studies point to small losses among a few massive ones that hit the headlines.

I suggest that every organization consider:

  • If we have a breach, how is it likely to affect the business and how it is run? Consider that there may be a single breach or a sequence of breaches by the same people.
  • How great would the damage be?
    • In terms of dollar losses?
    • In terms of impacting our ability to meet business objectives?
  • How likely is it to be so significant an impact that it merits board attention? Remember there is a range of potential impacts from minor to massive, each with its own likelihood, not a single point.
  • How much should the organization invest to prevent, detect, and respond to breaches – given the potential downside of a breach, the resources available for investment, and the opportunity to invest those resources elsewhere?

Cyber is a tough topic to translate from techie-talk to business-speak, from the concerns of the CISO and CIO to those of the CEO and the board. If you haven’t seen it, please consider my thought-provoking Making Business Sense of Technology Risk.
