Verizon Data Breach Report: Everyone Is Vulnerable
In an effort to gain further insight into the ever changing landscape of data breaches, Verizon has released a report, covering 50 global organizations, 1,367 data breaches, 95 countries and 63,437 security incidents in 2013. The report (available for download) provides a month-by-month breakdown of breaches and security threats across the year.
The report is dominated by retail-centered attacks (earning 2013 the distinction of “year of the retail breach”), but also provides industry specific insight, highlighting important statistics that are not apparent with a high-level look at data breaches as a whole.
The 18 industries covered include transportation, government, healthcare, manufacturing, and retail. Many results are also broken down by enterprise size (small, large, and unknown).
The report’s breakdown of victim demographics highlights some important trends — most notably, large organizations’ increased risk of data breaches as compared to their smaller counterparts. This appeared to hold true for most sectors. When looking at reasons for breaches though, the study revealed a stronger propensity for smaller organizations to suffer breaches because of loss, highlighting opportunities in this area for more focus from solutions providers.
As expected, sectors with common practices of storing customer payment or financial data skewed higher in terms of victim count, but no industry was immune to the threat of breaches. As the report states, “everyone is vulnerable to some type of event. Even if you think your organization is at low risk for external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.”
Origins Of Threats
This section is particularly heavy on (some very useful) visuals. A chart on partner, internal and external threats shows a quadrupling in the last category from 2009 to 2013. That same time period is broken down into threat actor reasons for attack, and reveals similarly sharp increases among financial motivations, espionage, and threat actors motivated by ideology/fun.
Some of these increases are explained by changes in the sample set; however, 2012 also saw innovations in the tools available to threat actors — i.e., more sophisticated automated attack tools and DIY malware kits.
Threats are broken down in the report by both type and asset category, but perhaps the most interesting part of this section is on page 12, where the differences in the times needed to complete an attack, and the time lapsing before a breach has been detected, are compared. The most notable takeaway from this chart is that the majority of attacks (75 percent) require less than a day to execute, while detection of only a few (25 percent) happens in that same time period.
Results and Analysis
The results of the report fulfill Verizon’s promises from the previous year’s report to narrowing attacks down to a handful of types. A set of nine basic patterns can be used to describe 95 percent of breaches:
- POS Intrusions
- Web App Attacks
- Insider Misuse
- Physical Theft/Loss
- Miscellaneous Error
- Card Skimmers
- DoS Attacks
The report provides helpful visuals, illustrating shifts in the classification patterns over time, by both count and percentage (page 14).
Perhaps the most useful chart (Frequency of incident classification patterns per victim industry), however, breaks the nine categories down across the 18 industries, highlighting quite clearly, areas where industry focused solutions providers have opportunities to focus their attention. For example, while the physical theft/loss category presents lower threat across the board, when broken out for healthcare, it becomes apparent that this is by far the biggest threat of data breaches in the industry. A similar point is revealed in relation to cyber espionage and its impact on the manufacturing sector (30 percent frequency).
The report then continues with a breakdown of statistics by the nine pattern-categories, each outlining discovery methods, types of at-risk data, discovery timelines, and most importantly, recommended controls.
An additional insight that solutions providers might find useful, is the chart, “Prioritization of critical security controls by industry” (page 50). This provides a clear look into any gaps industries might have between where their biggest threats lie, and where entities within the industry are placing the most effort. Solutions providers looking to guide their present — and even future — clients into better targeted and more effective control solutions will undoubtedly find this section (and honestly, the report as a whole) to be a good jumping off point for client conversations around improved protection against data breaches.