A 2012 Security Incident Recap By The Numbers

Before we get too far along into 2013, I’d like to take a moment to reflect back on the events of 2012. Thanks to our friends at CyberFactors*, this is what we saw:

Overall

  • 1,468 (publicly reported) incidents. This includes everything from stolen laptops to external hacks to third party partners mishandling data to employees accidentally disclosing data via email.
  • 274,129,444 (known) records compromised. In the 608 cases where there was a record count reported, this was the total count. 

Types of data lost/compromised

  • Personally identifiable information (PII) was compromised in 53% of cases. This also includes credit card or bank account information, as well as medical or health insurance information.
  • Company confidential information (CCI) was compromised in 4% of cases. This includes things like proprietary intellectual property (IP), compensation data, business plans, corporate financial data, and information subject to a non-disclosure agreement with a third party. These types of incidents may not always be publicly reported, assuming that organizations are even aware that they have occurred or are happening. IP is a valuable asset, and must be protected.
  • Governmental information was compromised in 42% of cases. This includes things like address, voting data, driver’s license numbers, state or Federal tax IDs, Social Security numbers, and passport information.

Industry view

Incidents stemming from the healthcare, government, and education sectors made up roughly half of the events reported. Investing in technology and security defenses is one thing, but organizations should not neglect security policies and processes (and the implementation and enforcement of such!). Many incidents that occur aren’t necessarily the result of a sophisticated hacker breaking into systems.

Source of incident/attack, and intent

We’ve seen this in our Forrester Forrsights data, and have said it before – insiders cause their fair share of breaches, whether by accident or intentionally through the abuse of privileges or access.

Data from CyberFactors shows a similar picture, where 50% of the reported incidents were caused by an external actor, 40% by someone inside the organization, and 6% by a third-party contractor or vendor. 

If we consider insiders to be both employees as well as third-party contractors (since they can have access to sensitive information), we’re looking at 667 security incidents total caused by this segment. Of these 667 incidents, only 43 are definitively classified as accidental, while 221 have been identified as malicious acts, and the majority (403) classified as not applicable or unknown.

Costs

Getting a hold of financial information and cost estimates that stem from a security incident or breach is a bit like finding a pot of gold at the end of the rainbow. In the event that you do get to that pot of gold, you’re left wondering if it’s the real deal or a tungsten imposter. Cost estimates were reported in 61 of the 1,468 incidents, totaling about $759 million in losses coming mainly from operating expenses, remediation expenses, regulatory fines, and litigation fees and settlements. The majority of reported cost estimates came from the government and financial services industries. If you’re interested in estimating what may be the cost of a breach to your organization specifically, check out my colleague Ed Ferrara’s latest report.

 

S&R pros, what do you think? Is this surprising, or expected? What other types of data points would you find interesting or helpful to know about security incidents? 

 

*Note: This data comes from CyberFactors, a wholly owned subsidiary of CyberRiskPartners and sister company of CloudInsure.com. This data only includes publicly reported security incidents and breaches.

Comments

It is not all that surprising

It is not all that surprising but it is a bit frustrating. If you are looking for something else to do, you could compare/contrast this with other incident reports. For instance, the 2012 data breach investigations report from Verizon had these stats regarding source:
98% - external
4% - internal
1% - third party
So what is a poor security manager supposed to believe? On the plus side, I could quote the report that supports my position but then I would feel like a politician so that's not good. I find insight such as the level of sophistication needed to commit the breach and methods used helpful in evaluating my level of exposure. Thanks for providing another datapoint.

More data points for all -- and data collection methodology

Love the Verizon DBIR! It's like Christmas for me when that report comes out. :) I hear you on the compare/contrast point. Happy to share additional vendor reports when you need them too; I seek them out and hoard them like a squirrel hoards nuts.

The first thing I do with any data source is take a look at how that data was sourced to give me a sense of how I might use it and set expectations accordingly. This data from CyberFactors is aggregated from publicly reported incidents (e.g., if the information showed up in an SEC filing, or a news article, etc), which is great, but also can be limiting in its own way. For example, if an incident occurs, but only the organization and law enforcement know about it, and the event never gets reported anywhere else, it won't get captured here.

Taking the Verizon DBIR as an example, this data is sourced from the paid forensic investigations conducted by Verizon plus data reported/contributed to Verizon from the US Secret Service, Dutch National High Tech Crime Unit, Australian Federal Police, Irish Reporting & Information Security Service, and the Police Central eCrimes Unit of the London Metropolitan Police. This in itself is great because it doesn't just look at what Verizon has seen from its customers but also leverages additional insight from law enforcement sources. Also, I love how this report only includes confirmed organizational data breaches. Given how the data is sourced for this report, I would expect to see a greater percentage of externally sourced attacks so the 98% is not too surprising.

Long story short, I'd say that all of us could use multiple data points, and whatever data we decide to use in the end, to know how it was sourced and understand its limitations.

Thanks for sharing the point about level of sophistication needed to commit the breach, as well as methods used. This would be helpful to have. I will pass this along to CyberFactors as a request to see if it can be added to their dataset in the future.