I always look forward to Verizon’s annual Data Breach Investigations Report.  Verizon dropped the 2017 DBIR last week, and for the 10th year in a row it cuts through the confusing landscape of security incidents and data breaches with analysis, alacrity … and yes, attitude (in what other report can you find a paragraph heading like “Tall, Dark, and Ransom”?).

The 2017 DBIR distills global information from 65 collectors of incident and breach data, analyzing 42,120 security incidents and 1,925 breaches that occurred during 2016.  The threat environment changes each year, but one of the reasons I value the DBIR is that it shines a light on a few key things that don’t change.  Here are four central aspects of data security that endure – and which we forget at our peril:

It’s not just about Point-of-Sale and Cyber Espionage. 

The buzz in the media used to be all about Target, Home Depot, and the endless stream of retailer PoS system purchase card breaches.  Now the buzz is Russia and other nation-state cyber espionage.  But as the 2017 DBIR reminds us, there are lots of threat patterns.  PoS and cyber espionage are only a minuscule fraction of the 2016 total security incidents, each less than one percent.  And cyber espionage (15%) and PoS intrusions (11%) together comprised only a quarter of the 1,925 breaches.  Web application attacks (28%) were the predominant breach pattern, followed by insider privilege misuse (14%), miscellaneous errors (11%), payment card skimmers (5%), physical theft/loss (4%), crimeware (2%), and everything else (10%).

Data security is not one-size-fits-all.

Each industry faces its own unique mix of threats. The 2017 DBIR once again confirms this by analyzing the top breach patterns by industry.  For example:

  • Healthcare:  privilege misuse (34%), miscellaneous errors (32%), lost/stolen assets (14%) ….
  • Retail:  card skimmers (41%), web app attacks (25%), miscellaneous errors (13%) ….
  • Manufacturing:  cyber espionage (86%), privilege misuse (6%), miscellaneous errors (2%) ….
  • Finance:  web app attacks (81%), card skimmers (10%), privilege misuse (6%) ….
  • Accommodation:  PoS intrusions (87%), privilege misuse (2%), card skimmers (2%) ….

Breach patterns change over time.

As defense adapts to offense, offense changes to the next thing, and on and on it goes.  2017 DBIR findings confirm the fluidity of breach patterns over time, such as:

  • On the Rise:  cyber espionage (from 7% in 2015 up to 15% in 2016), privilege misuse (from 8% in 2015 up to 14% in 2016)
  • Ticking Downward:  web app attacks (from 40% in 2015 down to 28% in 2016), PoS intrusions (from 23% in 2015 down to 11% in 2016)
  • Ransomware’s Everywhere:  rising from the 22nd most common malware in 2014 to 5th most common in 2016

Our greatest security vulnerability is us.

Yes, per the 2017 DBIR, 75% of the 2016 breaches were driven by outsiders, 51% involved organized crime groups, and 18% featured state-affiliated actors.  But the weak link in organizational security is usually warm-blooded and closer to home:

  • Misuse and Mistakes:  A quarter of the 2016 breaches fit the patterns of privilege misuse (14%) and miscellaneous human error (11%).
  • Weak and Unprotected Passwords:  62% of the 2016 breaches involved hacking, and 81% of hacking-related breaches involved leveraging weak or stolen passwords.
  • Something’s Phishy:  43% of the 2016 breaches featured social engineering, and over 90% of those involved phishing. 95% of breaches with phishing progressed to installing software, such as malware.  And in sanctioned phishing exercises during 2016 (3 million unique users at 2,280 organizations), more than 7% of exercise participants clicked a link or opened an attachment, and 15% of those individuals were successfully phished a second time.

Sometimes the more things change, the more they stay the same.