Good news about data breaches

Protiviti has shared a useful summary of the latest Verizon Data Breach Investigations Report (DBIR), which is available from Verizon here.

The good news was put well by Protiviti:

One of the surprises in this year’s report is that organizations are discovering 60 percent of data breaches in days or less and containing 80 percent of breaches in the same timeframe.

As Protiviti says:

Verizon highlights that this is due to more breaches being detected by managed security providers, and not necessarily an improvement of internal detection and containment capabilities.

The Verizon report has a wealth of detail but it is awkward to navigate. So I suggest reading the Protiviti summary first.

One of the Verizon points which is of tremendous importance, although it is hidden in the middle of the Results and Analysis section[1], is this:

Last year, we looked at the median impact cost for incidents reported to the FBI IC3. With regard to business email compromises (BEC), we noticed that most companies either lost $1,240 or $44,000 with the latter being slightly more frequent (Figure 32).

Also, last year we stated that when “the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all U.S.-based business email compromise victims had 99% of the money recovered or frozen; and only 9% had nothing recovered.” They continued to record that metric and this year it improved slightly, indicating that 52% recovered 99% or more of the stolen funds and only 8% recovered nothing.

They have this useful chart. It shows that the range of loss per incident was from below $1,000 to less than $200,000.


One of the commenters on my last post stated that “cybercrime is the biggest risk facing most organizations today”.

That doesn’t seem to be borne out by the facts – neither in this nor in prior years.

However, it remains essential (as I said in the last post) for each organization to perform a careful risk assessment: what is the likelihood of a breach that is so damaging that it threatens the achievement of enterprise objectives?

Other points in the Verizon report include:

  • 45% of the breaches featured hacking
  • 22% were the result of errors
  • 22% involved social engineering
  • 55% were by organized crime
  • 8% were misuse by authorized users
  • 72% were of large businesses
  • 58% involved compromising personal data
  • 86% were financially motivated
  • Less than 20% were cyber-espionage
  • Around 10% were by state actors
  • 85% of victims and hackers were in the same country
  • About half of the incidents were discovered by 3rd party security providers
  • Another ~15% were identified by other 3rd parties

The report reinforces an opinion that I have held for several years.

If cyber is in fact a major risk and you simply cannot afford to have a serious breach, then you should very seriously consider using a 3rd party security service provider rather than hoping that you can handle this yourself.

This is an area where you need experts and experience as well as all the tools – and the flexibility to adapt to the changing threat landscape.

But if it is not such a serious business risk, recognize the hype and invest your scarce resources accordingly.

I welcome your thoughts.

[1] Perhaps because it undermines the value of their consulting business.
