Verizon has released the Verizon Data Breach Investigations Report (DBIR). You can download the Executive Summary here and the full report here.
The DBIR analyzes data from 19 organizations — covering more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Because VZ has the cooperation of so many organizations, it provides a unique opportunity to analyze data. Although we do not know what percent of the incidents in their analyses overlap with the more than 1200 incidents compiled by DataLossDB.org for 2012, I find it fascinating to look at where the two organizations’ reports agree, and they do agree on numerous key findings – including the fact that most incidents involve external agents, not insiders, that over half of incidents involve hacking, and that breaches from the healthcare sector, while garnering much media attention, account for only about 1% of breaches. Their report is also consistent with RBS/OSF’s report indicating that most incidents do not involve particularly sophisticated attacks and most could be easily prevented. Verizon’s report, however, gives us a first harder look at state-sponsored attacks and other factors that RBS/OSF’s report does not address, such as their finding that approximately two-thirds of confirmed breaches involved data at rest or data being processed – and not data in transit. Worryingly, the majority of breaches take months to detect (and the problem got worse in 2013 compared to their 2012 data), and most breaches are not detected by the entity’s IT personnel.
So… how many times do we have to tell people to purge data that’s no longer really needed and to monitor to ensure that if you have policies in place to protect data on mobile devices, those policies are being implemented? DBIR notes – and most of us would agree, I think – that there is no one-size fits all in terms of protecting assets. Knowing the risks for your industry and type of data is critical.
Read their report for more details, and kudos to them for another fine report.