This is an excellent report culled from over four years and 500 forensic investigations performed by the Verizon Business RISK team.
There are some very interesting statistics presented in this report that may be very eye-opening to many (the comments following the "<--" arrows were added by me):
Who is behind data breaches?
73% resulted from external sources <-- So much for "insider risk trumps all"
18% were caused by insiders
39% implicated business partners
30% involved multiple parties
How do breaches occur?
62% were attributed to a significant error <-- Change control is as important as compensating controls
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats
What commonalities exist?
66% involved data the victim did not know was on the system <-- Know thy data/where it is!
75% of breaches were not discovered by the victim <-- Manage and monitor!
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls <-- So why aren't they used?
Very, very interesting...
You can get the report free of charge here.
/Hoff
*Update: I've read quite a few bristling reviews of this document. Some claim it doesn't go far enough to describe how VzB collected and sampled the data and from whom. Others suggest it's FUD and obviously just meant to generate business for VzB.
It's true we don't know who the customers were. We don't necessarily know which segments of industry they came from or how big/small they were. It's not authored by a disinterested party. Got it.
I guarantee that some of the people who are amongst those being critical of the report will bitch about it and then use this data just like they have the FBI/CERT data over the years...
Take the report on face value and map it against others to see how it lines up.
This is not the definitive work on breaches, for sure, but it's an interesting and useful data point to consider when exploring trending as well as for use in strategic planning in assessing your security program and preparing for an inevitable breach.