2013 Verizon DBIR Thoughts

It's another year - and time for the 2013 Verizon Data Breach Investigations Report. Despite the name, the report references the previous year - 2012. The most notable part of this year's report is that the list of contributors continues to grow up to a total of 19 for this report. This fact becomes really important as you dig into the report which contains a fairly large number of year-over-year comparisons. When receiving the briefing, it was noted that despite there being 5 years worth of data, it's like comparing apples to not-apples.

Thinking about the reports over the years and the industry response, someone with a more recent memory of STATS 101 can probably use better words to describe the change in how the report is consumed, by which groups within organizations and with what focus. It is really important to understand that the dataset represents voluntary disclosure of breaches by the 19 participating organizations. It is NOT clean data, there is as much scientific rigor as possible but without the kind of assurance that one would expect from a peer-reviewed journal article. The information is more useful for decision making than the usual peanut-butter and jet engines, but not by much. If the utility of the information works for you based on your understanding of your world - great! If not, think carefully about the conclusions that you will inevitably draw as you read.

If you read no other part of the report, read the 4 page executive summary. It's on pages 4 through 7 of the PDF. Go. Read. NOW.

Welcome back! Now that you've read the executive summary, think about what resonated for you. I was rather interested in the following:

  • Who are the victims? -- again, important to note, these are the reported breaches. Looking deeper in the report, you'll see a couple of focus areas - food services and professionals. I'm eagerly awaiting some analysis of the "professionals" segment. The Verizon team will be putting out additional analysis in the form of blog posts. You should watch for them.
  • Who's perpetrating breaches? -- consistently over the years, reported breaches have an external bad actor. We have no idea if the unreported breaches involve insiders or not. And of course, "State-affiliated actors tied to China" makes it into the report right at the beginning.
  • How do breaches occur? -- later on in the report you'll see an interesting graph associated with spear phishing - just keep sending links, they'll eventually click on them.
  • What commonalities exist? -- interesting for sure, but the one that stands out is the number of breaches which are discovered by external parties. Perhaps this is connected to the bias of "reported breaches", when a third party discovers the breach it is much harder to un-report it and hide the results from regulators and legislators (and I suppose customers and clients.)
  • What can we do about it? -- this is a great list. If you're building an information security program you could do worse than follow these 8 points. In the body of the report you'll come to a table that would seem to indicate that doing the basics of infosec well (technical preventative and detective controls) really doesn't help but the reality is that to understand your information and your environment those things are a requirement.

Dig into the body of the report and you'll find much more to think about. I'm certain that the discussions around this report this week will be entertaining.

Some closing thoughts for right now: It doesn't matter how big or small your organization is, you can learn something from the DBIR. And invest in a color printer if you don't read off of the screen, the graphs don't look very good in grayscale.

This is the first in many blog postings you can expect from Leviathan Security Group's Risk Advisory Services Team.

James Arlen is a member of Leviathan’s Risk Advisory Services Team. As a member of the team, James is primarily responsible for multi-year client engagements using the V-ISO (Virtual Information Security Office) model – providing substitute or backup coverage for client information security departments. In addition to these duties, James often serves in a senior role on complex Technical Services projects where close integration with client technical and business teams is necessary.