January 7, 2013
Before we get too far along into 2013, I’d like to take a moment to reflect back on the events of 2012. Thanks to our friends at CyberFactors*, this is what we saw:
- 1,468 (publicly reported) incidents. This includes everything from stolen laptops to external hacks to third party partners mishandling data to employees accidentally disclosing data via email.
- 274,129,444 (known) records compromised. In the 608 cases where there was a record count reported, this was the total count.
Types of data lost/compromised
- Personally identifiable information (PII) was compromised in 53% of cases. This also includes credit card or bank account information, as well as medical or health insurance information.
- Company confidential information (CCI) was compromised in 4% of cases. This includes things like proprietary intellectual property (IP), compensation data, business plans, corporate financial data, and information subject to a non-disclosure agreement with a third party. These types of incidents are not always publicly reported, assuming the organization is even aware that the incident has occurred or is still happening. IP is a valuable asset, and must be protected.
- Governmental information was compromised in 42% of cases. This includes things like address, voting data, driver’s license numbers, state or Federal tax IDs, Social Security numbers, and passport information.
Incidents stemming from the healthcare, government, and education sectors made up roughly half of the events reported. Investing in technology and security defenses is one thing, but organizations should not neglect security policies and processes (and the implementation and enforcement of them!). Many incidents that occur aren’t necessarily the result of a sophisticated hacker breaking into systems.
Source of incident/attack, and intent
We’ve seen this in our Forrester Forrsights data, and have said it before – insiders cause their fair share of breaches, whether by accident or intentionally through the abuse of privileges or access.
Data from CyberFactors shows a similar picture, where 50% of the reported incidents were caused by an external actor, 40% by someone inside the organization, and 6% by a third-party contractor or vendor.
If we consider insiders to be both employees and third-party contractors (since both can have access to sensitive information), we’re looking at 667 security incidents total caused by this segment. Of these 667 incidents, only 43 are definitively classified as accidental, while 221 have been identified as malicious acts, and the majority (403) are classified as not applicable or unknown.
Getting hold of financial information and cost estimates that stem from a security incident or breach is a bit like finding a pot of gold at the end of the rainbow. In the event that you do get to that pot of gold, you’re left wondering if it’s the real deal or a tungsten imposter. Cost estimates were reported in 61 of the 1,468 incidents, totaling about $759 million in losses coming mainly from operating expenses, remediation expenses, regulatory fines, and litigation fees and settlements. The majority of reported cost estimates came from the government and financial services industries. If you’re interested in estimating what a breach might cost your organization specifically, check out my colleague Ed Ferrara’s latest report.
S&R pros, what do you think? Is this surprising, or expected? What other types of data points would you find interesting or helpful to know about security incidents?
*Note: This data comes from CyberFactors, a wholly owned subsidiary of CyberRiskPartners and sister company of CloudInsure.com. This data only includes publicly reported security incidents and breaches.