Verizon Report on Data Breaches is a Depressing Page Turner

I get a lot of security reports from vendors and, although some of them are nonsense, the annual Data Breach Investigations Report from Verizon Business is always a must read. That’s because the results are based on first-hand evidence from Verizon, the U.S. Secret Service, law enforcement agencies in Holland, Australia, Ireland and London’s Metropolitan Police.

As a result Verizon looked at a lot of data: 855 incidents involving 174 million compromised records–an astounding increase compared to last year’s four million compromised records.

The report is filled with notable information and recommendations, so I suggest you read it for yourself. But here are some of the highlights.

First the good news:

• Company employees were less likely to be behind breaches–only 4 percent, down 13 percent from the year before.
• There were also fewer breaches involving physical attacks (10 percent of the total, a 19 percent drop) and social media tactics (7 percent, down 4 percent), and only 5 percent were caused by privilege misuse,  a drop of 12 percent compared to the year before.
• Bad guys still aren’t going after particular people–79 percent of the victims were targets of opportunity.

OK, now that we’ve got that out of the way, let’s move on. What comes next is damn depressing because it means organizations still don’t have a clue.

• Nearly all of the attacks–96 percent–weren’t highly difficult to pull off. While Flame and other cutting edge malware grab headlines, the real problem is still likely to be stupid passwords.
• 85 percent of the breaches TOOK WEEKS OR MORE TO DISCOVER (up 6 percent from the previous report). In cases involving intellectual property, 31 percent of the breaches TOOK YEARS TO DISCOVER. This is explained by the fact that:
• 92 percent of the incidents were discovered by third parties (also up 6 percent).
• 97 percent of the breaches could have been avoided by simple or intermediate controls, such as changing passwords regularly and using firewalls or access-control lists on remote access/admin servers.

This year Verizon also issued some industry-specific reports on finance and insurance, intellectual property, retail, health care, and accommodations and food service. In addition to reading the reports for your particular industry you’ll will benefit from reading the IP report.