A Tale of Three Breach Reports
One of the best and most comprehensive of reports, the annual Verizon Business Data Breach Investigations Report, slams home some really scary statistics for financial services, hospitality and other industries prone to data breaches. Its two top headlines: Organized crime was responsible for 85 percent of all stolen data in 2009. And stolen credentials were the most common way to gain unauthorized access into organizations.
(For more on the Verizon Business report, by the way, listen to our exclusive interview with one of its principal authors, Wade Baker.)
Next, the first annual "Cost of Cyber Crime Study" by the Ponemon Institute shows the enormous cost that data breaches impose on victim organizations. This study doesn't look at types of data breaches per se, but rather at the costs. Web-borne attacks, malicious code and insiders are the most costly, making up more than 90 percent of all cybercrime costs per organization per year. An average web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300. The report doesn't paint a rosy picture about the average length of time to resolve a data breach. An incident caused by a malicious insider, for instance, takes an average of 42 days or more to resolve.
Then there is the aptly named report, The Leaking Vault - Five Years of Data Breaches from the Digital Forensics Association, which shows that of the 2,807 publicly disclosed data breaches worldwide over the past five years, the cost to the victims was $139 billion. The sectors studied in this report were business, government, education and medical. These areas on average lost 395,000 individuals' data every day. Those numbers work out to every person in the United States having their data breached not once, but twice.
Here's what stands out when comparing the Verizon Business and Digital Forensics Association reports:
Both reports agree that outside "agents" or criminals cause more harm and data loss than insiders.
The Digital Forensics Association's report says stolen or missing laptops were the leading cause of data breach incidents. Verizon Business' report says data stolen from servers made up 96 percent of its breached data. I think the Digital Forensics Association's analysis is studying a much larger number of incidents, so this may be why they're seeing laptops at the top. Their report does say that hacking accounts for 45 percent of all the records taken.
On the insider threat, Verizon's report shows that 90 percent of the insider cases were the result of "deliberate and malicious" activity. The Digital Forensics Association's report says that when an incident involved insiders, it was more than twice as likely to have been an "accident." These two data points are going in opposite directions, but most of the insider cases I'm aware of are malicious and deliberate.
One interesting point that Verizon's report makes about insiders: Most insiders had been cited, prior to their incidents, for other minor forms of misuse.
Verizon's report sees no evidence that the economic conditions are causing people to steal data. I will bet my house, though, that next year they'll find a trend showing that economic failures, foreclosures and the poor economic conditions here and abroad are making some folks turn to the dark side.
When boiled down to the basics, each of these reports says the same thing: Expect a data breach to happen to your organization. Don't be surprised when it does happen; be ready; and have an incident response plan in hand to mop up when the incident does occur.
So ... are you ready?