The Agency Insider with Linda McGlasson

A Tale of Three Breach Reports

This week a trio of reports came out on data breaches. Talk about information overload! I decided to take a look at these reports to compare commonalities and distinctions.

One of the best and most comprehensive of reports, the annual Verizon Business Data Breach Investigations Report, slams home some really scary statistics for financial services, hospitality and other industries prone to data breaches. Its two top headlines: Organized crime was responsible for 85 percent of all stolen data in 2009. And stolen credentials were the most common way to gain unauthorized access into organizations.

(For more on the Verizon Business report, by the way, listen to our exclusive interview with one of its principal authors, Wade Baker.)

Next, the first annual "Cost of Cyber Crime Study" by the Ponemon Institute shows the enormous cost that data breaches impose on victim organizations. This study doesn't look at types of data breaches per se, but rather at their costs. Web-borne attacks, malicious code and insiders are the most costly, making up more than 90 percent of all cybercrime costs per organization per year. An average web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300. The report doesn't paint a rosy picture about the average length of time to resolve a data breach, either. An incident caused by a malicious insider, for instance, takes an average of 42 days or more to resolve.

Then there is the aptly named report, The Leaking Vault - Five Years of Data Breaches from the Digital Forensics Association, which shows that of the 2,807 publicly disclosed data breaches worldwide over the past five years, the cost to the victims was $139 billion. The sectors studied in this report were business, government, education and medical. These areas on average lost 395,000 individuals' data every day. Those numbers work out to every person in the United States having their data breached not once, but twice.

Here's what stands out when comparing the Verizon Business and Digital Forensics Association reports:

Both reports agree that outside "agents" or criminals cause more harm and data loss than insiders.

The Digital Forensics Association's report says stolen or missing laptops were the leading cause of data breach incidents. Verizon Business' report says data stolen from servers made up 96 percent of its breached data. I think the Digital Forensics Association's analysis is studying a much larger number of incidents, so this may be why they're seeing laptops at the top. Their report does say that hacking accounts for 45 percent of all the records taken.

On the insider threat, Verizon's report shows that 90 percent of the insider cases were the result of "deliberate and malicious" activity. The Digital Forensics Association's report says that when an incident involved insiders, it was more than twice as likely to have been an "accident." These two data points are going in opposite directions, but most of the insider cases I'm aware of are malicious and deliberate.

One interesting point that Verizon's report makes about insiders: most of them had been cited, prior to their incidents, for other minor forms of misuse.

Verizon's report sees no evidence that the economic conditions are causing people to steal data. I will bet my house, though, that next year they'll find a trend pointing toward economic failures, foreclosures and the poor economic conditions here and abroad are making some folks turn to the dark side.

When boiled down to the basics, each of these reports says the same thing: Expect a data breach to happen to your organization. Don't be surprised when it does happen; be ready; and have an incident response plan in hand to mop up when the incident does occur.

So ... are you ready?

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the financial services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
