Posted by Heidi Shey on January 7, 2013
Before we get too far along into 2013, I’d like to take a moment to reflect back on the events of 2012. Thanks to our friends at CyberFactors*, this is what we saw:
Types of data lost/compromised
Incidents stemming from the healthcare, government, and education sectors made up roughly half of the events reported. Investing in technology and security defenses is one thing, but organizations should not neglect security policies and processes (and the implementation and enforcement of such!). Many incidents that occur aren’t necessarily the result of a sophisticated hacker breaking into systems.
Source of incident/attack, and intent
We’ve seen this in our Forrester Forrsights data, and have said it before – insiders cause their fair share of breaches, whether by accident or intentionally through the abuse of privileges or access.
Data from CyberFactors shows a similar picture, where 50% of the reported incidents were caused by an external actor, 40% by someone inside the organization, and 6% by a third-party contractor or vendor.
If we consider insiders to be both employees and third-party contractors (since they can have access to sensitive information), we’re looking at 667 security incidents total caused by this segment. Of these 667 incidents, only 43 are definitively classified as accidental, while 221 have been identified as malicious acts, and the majority (403) are classified as not applicable or unknown.
Getting a hold of financial information and cost estimates that stem from a security incident or breach is a bit like finding a pot of gold at the end of the rainbow. In the event that you do get to that pot of gold, you’re left wondering if it’s the real deal or a tungsten imposter. Cost estimates were reported in 61 of the 1,468 incidents, totaling about $759 million in losses coming mainly from operating expenses, remediation expenses, regulatory fines, and litigation fees and settlements. The majority of reported cost estimates came from the government and financial services industries. If you’re interested in estimating what may be the cost of a breach to your organization specifically, check out my colleague Ed Ferrara’s latest report.
S&R pros, what do you think? Is this surprising, or expected? What other types of data points would you find interesting or helpful to know about security incidents?
*Note: This data comes from CyberFactors, a wholly owned subsidiary of CyberRiskPartners and sister company of CloudInsure.com. This data only includes publicly reported security incidents and breaches.