Latest Findings – Verizon’s Data Breach Investigations Report

Posted by Mark Greisiger

A Q&A with Chris Novak, Managing Principal at Verizon Business
Verizon’s Data Breach Investigations Report, conducted by the Verizon RISK Team with cooperation from law enforcement agencies around the world, has become an invaluable resource for anyone looking to gauge the current landscape in data breach incidents. “It’s not enough to know what happened. We need to know why and what we could have done to prevent it,” says Chris Novak, managing principal, investigative response for Verizon Business Security Solutions. I talked to Chris about the latest findings in this year’s report.

What does the report cover and what’s new this year?
While it doesn’t allow us to speak to specific incidents due to confidentiality reasons, it allows us to aggregate the data, anonymize it and offer a summary so that we can make this information available to others and serve as an educational resource. This year’s report looks at 855 incidents with 147 million compromised records. We’ve added some additional contributors, the Irish Reporting and Information Security Service, the Australian Federal Police, and the London Metropolitan Police. These partners give us a better sense of what’s going on within their footprint and it also allows us to give better sample sets of global data.

What are the biggest findings of this year’s report?
We found that the external threat is still the greatest, including 98 percent of cases, up 6 percent from last year, with only 4 percent of cases that were internal. (The overlap accounts for the cases where internal people collude with external people.) Organizations have implemented much more internal control and identified vulnerabilities so that improvement is reflected in the numbers we’re seeing. Hacktivism was responsible for 58 percent of compromised records—that’s a significant number. These groups typically target larger organizations. In general, external breaches were conducted with hacking (81 percent) and malware (69 percent). Social engineering is still registering as a small threat in the landscape, with only 7 percent of the cases socially engineered. We’re also finding that servers (94 percent) are the most vulnerable to attack—at the end of the day, that’s where all the data is. In terms of the kind of data we’re seeing, it’s still mostly personal information, with about 95 percent of cases including PII such as names, social security numbers and addresses—all the items needed for identity theft. We continue to see intellectual property from the trade sector being stolen, but it’s difficult to monetize the worth of that information. Another interesting finding is that 65 percent of the attacks were considered “low difficulty,” showing us that in most cases the perpetrators are not very sophisticated—they often looked up techniques on Google or Wikipedia, but simply worked until they got in.

What should security officers and risk managers be worried about?
An area we’re keeping our eye on is the healthcare industry and we expect to see more breaches in this area. We also looked at how long it takes for companies to discover a breach. In 84 percent of the cases it took multiple weeks or longer to figure out. That is concerning. Another issue of concern is that 86 percent of organizations with a breach had everything they needed to know in their own logs. If they’d been looking at their own data they could have stopped the incident. 97 percent of breaches were avoidable through simple or intermediate controls.

What’s the good news?
We are not seeing any increased risk tied to cloud computing, an area many people have worried about. People using cloud computing are often getting a better level of service so that if something happens they can catch it more quickly—so in some cases, it’s actually a security improvement. In general, preventing a breach from happening is less expensive than the cost of wading through a typical breach, so the proverbial “ounce of prevention” still holds true here. 63 percent of respondents said that the cost of preventing their breach would have been simple and cheap and 31 percent said it would not have been difficult or expensive.

In conclusion…
Chris Novak’s insights are helpful, especially to risk managers trying to get their arms around the causes of loss and the potential frequency and severity of cyber risk. The Verizon report is especially focused on risks caused by malicious actors, which continue to morph each year, always seeming to stay one step ahead of corporate efforts to safeguard information assets. However, it should be footnoted that a fair number of the cyber liability insurance claims that we see are the result of non-malicious events such as lost laptops, staff mistakes, and improperly disposed paper records. This is not to discount the importance of being battle-ready to deflect the malicious threats that our clients literally face on a daily basis, but to acknowledge that both types of events must be anticipated.