Second, it might have been a statistical anomaly that the three organizations used in the report were not targeted by as many high-volume cases as were organizations in previous years. For example, the recent Epsilon data breach alone likely involved millions to tens of millions of records. Consult on a few Epsilon-scale cases and the record count goes up real fast.
Still, Verizon might be on to something. My favorite encompassing public data breach database, hosted by the Privacy Rights Clearinghouse, isn't throwing up huge numbers for 2010 as it did in previous years. A better metric would be total overall damage versus number of records, which some of the reports from other vendors do a better job reporting. Check out the CSI Computer Crime and Security Survey, for example. I think higher instances of APTs last year would have significantly pushed up the overall damage figures.
The Verizon report points to several other very interesting statistics. Some of my favorites include:
- The average time from compromise to data breach was minutes to days, not weeks or months (see report Figure 37).
- The average time between compromise and the victim discovering it was weeks to months.
- The average time from discovery to containment was weeks to months as well, including 2 percent that took years to never. I suspect this latter stat is far higher in the real world.
- Eighty-six percent of the time, the breach was discovered and reported to the victim by a third party (see report Figure 39), even though the breach probably could have easily been found by the victim if he or she had deployed normal detection systems. Sixty-nine percent of victims had event log evidence of the compromise (see report Figure 41).
- Only 8 percent of attacks required a high level of complexity (see report Figure 34).
- External agents were responsible for 92 percent of attacks and 99 percent of data breaches (see report Figures 7 and 12).
- Insiders were involved in 16 percent of all cases; the crossover with the 92 percent external agent figure is due to collusion.
- The role makeup among internal attackers was as follows: 85 percent were normal end-users, 22 percent were accounting or financial staff, 11 percent were management, and only 9 percent were IT related.
One thing hasn't changed over the years since the first report was issued: A number of incidents could have been detected early on but were not, because the victims were not doing the fundamentals of IT security well. If I were an IT manager or security officer, I would focus on doing all the things we should have been doing for a decade or longer, better.
I strongly recommend that you download and read the report. It's chock-full of facts that should prove useful as you argue your case for better security to senior management.
This story, "Drop in hacked records points to craftier attacks, not better security," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.