The 2013 Data Breach Investigations Report was recently released by Verizon. Following up with our discussion of the previous year’s report, the report attempts to provide insight into the nature of data breaches to help with organizational planning.
The 2013 report looks at 621 confirmed data breaches affecting more than 44 million compromised records. The report explores more than 47,000 security incidents experienced from 19 organizations spanning across 27 countries. As with previous reports, the established threats continue to plague organizations, so shouldn’t be ignored. The report shows that assets are the most at risk (laptops, desktops and servers) not applications, so IT security focus shouldn’t entirely shift focus to new risk vectors.
Highlights from the report:
- 69% of breaches were spotted by an external party
- 76% of network intrusions exploited weak or stolen credentials
- 75% of attacks are opportunistic (read the report for a good breakdown of activists vs criminals vs spies)
- Social engineering attacks are up and more targeted to specific individuals, often using phone calls and social networking to bypass email filters
- 55% of attacks are from profit-driven criminal groups
- Laptops represent 22% of the most vulnerable assets in an organization
- Internal data breaches are most often caused by customer service (46%), end-user (17%) or administrators (16%)
- Data breaches took longer to discover in 2013: 66% took months or years, a figure up from 56% in 2012
- In 85% of data breach incidents, organizations could not determine the full extent of the breach
There are many data breaches that are avoidable. Many are the result of unintentional human error, as Verizon notes:
“It’s not just elaborate actions that have serious implications. While most breaches are deliberate, many involve an unintentional element. Taking information home, copying data onto a USB drive, attaching the wrong file to an email or sending it to the wrong person, or leaving a laptop in a cab can all lead to a data breach.”
Though there are more attacks by outsiders, what happens as the result of insiders can be just as damaging. Insiders may not be maliciously causing harm, but careless actions can have huge consequences. Data breach prevention should not only focus on the unknown, but on the education of employees, on user access controls and GRC of the endpoint. Read additional recommendations in the full report here.