John Sawyer at Dark Reading gave a brief analysis of this report today and I agree with him wholeheartedly. This is some outstanding work, and I plan on using it going forward for executive summaries and risk analysis. The thing that jumped out at me the most was that most companies don’t know where their data is, or don’t WANT to know where it is. When I was trying to get my former employer to do something about all the CC#s and SS#s they had in their various databases, the response was (in the beginning) covering up the ears and saying “Not listening! Not listening!”, and after that it was “Can’t someone just SHUT HER UP?”:
66% involved data the victim did not know was on the system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls
Nine of 10 breaches involved some type of “unknown unknown,” the most common of which was data that was not known to be on the compromised system. Most breaches go undetected for quite a while and are discovered by a third party rather than the victim organization. Attacks tend to be of low to moderate difficulty and largely opportunistic in nature rather than targeted. Due, in part, to these reasons, investigators concluded that nearly all breaches would likely have been prevented if basic security controls had been in place at the time of attack.
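The first line of that list, data the victim did not know was on the system, is the one finding a simple control can act on directly: go and look. Below is an added example of the kind of first-pass discovery scan that does that; it is not code from the report, from Sawyer's post, or from this blog. It reads a text dump line by line, keeps candidate card numbers only if they pass the Luhn check, keeps dashed SSNs only if they fit the SSA issuance rules, and reports each hit masked to its last four digits so the scan output does not become one more copy of the data. The sample dump is constructed for the example, and the regular expressions, the 13-19 digit PAN length and the SSN plausibility rules are my own assumptions, not anything the report specifies.

```python
import re
from collections import Counter

# Candidate primary account numbers (PANs): 13-19 digits, optionally separated by
# single spaces or dashes, and not embedded in a longer run of digits.
# (Assumed pattern; a first-pass heuristic, not a PCI-grade discovery tool.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US SSNs in dashed AAA-GG-SSSS form only; the undashed form is far too noisy.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops most digit runs (order IDs, timestamps) that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so a finding is not itself a new copy of the secret."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, label: str):
    """Return one (label, line_no, kind, masked_value) tuple per plausible PAN or SSN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((label, line_no, "PAN", mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((label, line_no, "SSN", mask("".join(m.groups()))))
    return findings


def summarize(findings):
    """Count findings per (source label, kind); this is the number that goes in the exec summary."""
    return dict(Counter((f[0], f[2]) for f in findings))


# Constructed sample: a fragment of the kind of table dump that turns up on a box
# nobody thought held cardholder or SSN data. Card numbers are the usual test
# numbers, the SSNs are made up, and nothing here is a real record.
SAMPLE_DUMP = """\
id=1001 name=A.Example card=4111111111111111 exp=0910
id=1002 name=B.Example card=5500 0000 0000 0004 exp=1109
id=1003 name=C.Example card=4111111111111112 exp=0810
order=20080611000123 phone=555-867-5309
emp=2231 ssn=123-45-6789 status=active
emp=2232 ssn=666-12-3456 status=test
emp=2233 ssn=123-00-4567 status=test
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_DUMP, "dump.txt")
    for label, line_no, kind, value in hits:
        print(f"{label}:{line_no}: {kind} {value}")
    print(summarize(hits))
```

Run against the sample, only lines 1, 2 and 5 are reported: the number on line 3 and the 14-digit order ID on line 4 fail Luhn, and the two SSNs on lines 6 and 7 are structurally impossible. Point scan_text at the output of a table export or a grep over a file share and the same logic gives a defensible first answer to "do we have card or SSN data here", which is exactly the question the report says most victims never asked.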
The complete report can be found at:
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Sawyer’s Blog:
http://www.darkreading.com/document.asp?doc_id=156296