14.5.19

Verizon’s data breach report: What the numbers say


What are some of the most interesting takeaways from Verizon’s latest annual security report?

Data breach, yawn. Those two little words that occur so frequently in the media and will have you switching off. Last week, Verizon released their 2019 Data Breach Investigations Report (DBIR) which provides valuable insight spanning across 86 countries and 41,686 incidents.
The executive summary of the DBIR articulates the issue perfectly in stating that “No organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack. Regardless of the type or amount of your organization’s data, there is someone out there who is trying to steal it”.
Numbers speak volumes, so here are the highlights of the report:
·         69% of attacks are perpetrated by outsiders
·         39% of all attacks are perpetrated by organized criminal groups
·         23% of bad actors are identified as nation-state or state affiliated
·         43% of breaches involved small businesses victims
·         52% of breaches involved hacking
·         33% included social attacks
·         28% involved malware
Are there any numbers here that shock you? Probably not at first glance. So, let’s consider the 2nd tier of numbers: the DBIR finds that 34% of attacks involved an internal actor. That’s right, the person standing next to you at the coffee machine could be stealing company data or working with someone externally to steal company data.
On the inside
Two weeks ago, I attended the opening reception of a venture capital office in Silicon Valley. The fund focuses on cybersecurity companies, so, as you would expect, the interest of the attendees had a bias. One attendee was talking about an internal system using, in their words, “artificial intelligence” that the company had developed to profile employees on the probability that they could act negatively towards the company, for example steal data when leaving, or be part of a data breach or other activities that could be detrimental to the business.
Not all businesses have the resources, inclination or skill sets to profile employees in this way, or at least not yet. I am certain that within 10 years this will be a standard feature of a human resources system. The idea that employers may analyze every interaction that their employees have in the workplace will no doubt make many of us a little uncomfortable. It all feels too much like George Orwell’s book ‘1984’.
The interesting element is that a company has resorted to protecting itself from the human element, an issue that can evade cybersecurity solutions. I say ‘can’ as anti-phishing, data leakage prevention and such like do help protect from human mistakes causing incidents.
Meanwhile, financial gain is the most prevalent driver behind a data breach at 71%, according to the DBIR, as espionage came in second with 25%. This highlights that cybercrime is a business and can be very lucrative for those involved. If a data breach includes personal, credit card and CVC data, then the bad actors have a relatively simple opportunity to monetize their efforts.
What other stats say
Last week, ESET Asia Pacific (APAC) also released statistics, taken from 7 countries in the region with 2,000 respondents in each. There are some interesting similarities with 27% declaring a data breach was due to malware, compared with the DBIR’s 28%. Here are the takeaway numbers from the survey:
·         58% of respondents in APAC experienced a data breach in the past 12 months
·         27% suffered a “virus attack”
·         20% suffered a social media breach
·         19% had their personal data stolen and used
The survey also asked what actions a company should take once they are aware of a data breach:
·         32% said that the companies should apologize and inform customers what happened and how the problem was resolved
·         25% said that the companies should provide proof that the right systems were in put in place
Personally, I think companies should provide proof that the right systems were in place at the time of the breach and this was beyond their control. But then I have been the victim of a data breach in the last 12 months, and there is a blog post on its way later this month with more details.
Let’s conclude with a number of proactive steps that companies can take to tackle the issue of data breaches, including:
·         Limit access to company data to only those who need it
·         Patch and update software as soon as possible
·         Secure systems with two-factor-authentication (2FA)
·         Encrypt data in transit and at rest
·         Keep a watch on the threat from inside
·         Educate employees on the risk and how to be vigilant
·         Implement effective security solutions