Insights from the Verizon Data Breach Investigations Report
About a month ago, Verizon released its annual Data Breach Investigation Report (DBIR). The report is highly anticipated every year for those of us in the information security field. But to be honest, there are some takeaways for most people in the corporate world. Whether you are in IT, company management, HR or an attorney, you’ll find some nuggets of good information in this report. I’ll try to highlight some of the intelligence provided in the report and how it pertains to you.
The DBIR is a statistical look at cleansed information gathered from thousands of security incidents. In fact, this year, the report condenses information from over 63,000 security incidents. What is a security incident? It is an event that compromises the integrity, confidentiality or availability of an asset (server, computer, mobile device, tape, etc.). In comparison, a breach is an incident that results in the disclosure or potential exposure of data for which the DBIR had information for over 1,300 such incidents. Anyway, Verizon acquires this data through partnerships with many public and private organizations. That list of organizations has grown in number and locale making the DBIR a valuable summary.
With this year being the 10th year for the DBIR, the team took a fresh look at the data. One point that they found was quite enlightening. Whether you want to tackle just this year’s data, or the last 10 years, security incidents or breaches, the team was able to find that there are nine patterns that handle at least 90% of those incidents no matter how you want to slice it. The team not only went into detail on how those nine patterns stack up globally but also by industry.
If you are an attorney reading this blog you may be on the verge of thinking that the DBIR would not be helpful to you. Au contraire! For even those attorneys that have not been exposed to a security incident, just reading the descriptions of the types of incidents and understanding the lingo will do you good. If you haven’t been involved in a matter arising out of a security incident, you soon will. A security incident would involve these areas of law:
· Employment law – about 10% (over 100) of the security breaches involved an internal threat actor and that number has stayed pretty consistent over time. That means that the security breach was an employee of the company itself.
· Contracts – Inevitably, security incidents involve multiple parties. Customers, vendors, partners, etc. Reviewing contracts, and how they address security incidents, before and after an incident can go towards shifting blame and with it hundreds of thousands of dollars (or more) in costs.
· Insurance – Many insurance carriers are now shifting their policies to remove security incidents from general liability into cyber liability riders or entirely new policies.
· Criminal – Depending on what regulations your client falls under and what they did before and after a security incident, there could be criminal penalties as a result of not properly protecting the data or not properly reporting the incident.
So as an attorney, having a basic understanding of the terms used in the industry as well as the various players involved in a security incident will go a long way towards making you look like one of the smart people in the room. The DBIR is a great place to start building that vocabulary. Of course for those attorneys more seasoned with security incidents, the DBIR will help you consult with your clients about what they should be doing to better protect themselves from a security incident.
For those in business management, reading the DBIR could turn the following evening into a three martini night (unless three martini evenings are common place in which case you might be able to handle the numbers in the report better). Your benefit, in the DBIR, however, comes from reviewing the industry specific data. The DBIR takes those nine patterns and breaks them down by frequency of occurrence by industry. Start there (page 15). Find your industry and then note the patterns that pertain to you. Then you can easily step to the sections for each pertinent pattern and read up on them. It will sprinkle in some technical information to boost your vocabulary, provide some statistics and then discuss recommended controls to help mitigate the pattern. Take that page, print it out and walk right down to your IT department (or outside IT contractor) and ask “are we addressing this?” If IT has already come to you requesting money, resources or support for changes in the organization, match those requests with the mitigating controls. Do they match? If not, don’t immediately discount what IT is asking. Statistics and patterns are all well and good, but maybe your situation is a little different. Still, it makes for good conversation and discussion and puts your IT on alert that you are serious about data security.
Business owners need to realize that now more than ever is the right time to get serious about data security. Your insurance may not cover you if you don’t. Furthermore, notification requirements are serious business and serious money. The DBIR provides some good business intelligence to understand what areas you can start targeting.
If you are in IT or an IT consultant, the DBIR can be used to your advantage in multiple ways. The breakdown of the nine patterns and the further breakdown of that information by industry provides answers to the question of “where should I be looking first?” On top of that, the report concludes by mapping the Critical Security Controls (CSC) published by SANS in different ways. First, they map it to the nine patterns providing a nice map to showing what controls can mitigate which patterns. Second, they map the CSC to various industries which provides another path to data security planning.
What else can the DBIR do for IT? How about providing that fuel you need to show management that budgets need to be adjusted to take into account security incident planning and prevention. How about providing supporting data as to why you are forcing everyone to change their passwords every 60 days to another 10 character phrase that uses numbers, letters and punctuation as well as not looking like the Grinch who stole Christmas when you strongly suggest limiting the ability to access social media sites from company computers.
So there you have it. An overview of how Verizon’s DBIR pertains to you. Even though it is 60 pages long, with the graphs and the industry/pattern specific data you can read through just the areas that are most pertinent to you and hit the rest later or just spend the time going through it all at once. It is by far not an exercise in dry reading as the authors inject some humor in a serious subject. A quick Google search can find it, or you can head on over to www.verizonenterprise.com/DBIR/2014/
by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations