This week Verizon released the 2019 Data Breach Investigations Report (DBIR), an annual report now in its 12th iteration. The report is based on an analysis of 41,686 security incidents, including 2,013 confirmed data breaches, spanning 86 countries. This sobering quote is perhaps the best summary of this year’s findings: “No organization is too large or too small to fall victim to a data breach. No industry vertical is immune to attack. Regardless of the type or amount of your organization’s data, there is someone out there who is trying to steal it.”
Here are a few other highlights:
- The call is coming from inside the house: when it comes to who was behind the attacks, 69% were perpetrated by outsiders, and 34% involved internal actors.
- Human error remains a major threat to organizations: 21% of breaches were caused by employee errors such as misdelivery, improper disposal, or loss.
- Breach detection and notification timelines: 56% of breaches took months or longer to discover.
It’s interesting to compare some of the findings above to the BakerHostetler Data Security Incident Response Report released last month. This report includes insights from 750 potential incidents in 2018. Here are some highlights:
- When it comes to the responsible party, employees were the majority perpetrator in this report, at 55% of incidents.
- When it comes to why incidents occur, this report shows a similar breakdown of root cause. Phishing and vulnerable systems make up about two-thirds of the incident profiles, while the remaining third are chalked up to more internal errors such as inadvertent disclosure, stolen or lost devices, or system misconfigurations.
- When it came to timelines, this report showed that the time from occurrence to discovery averaged 66 days, and the time from discovery to notification averaged 56 days.
As an aside, RADAR benchmarking data has shown average incident response timeframes to be half the reported timeframes above, an indication of the value of leveraging purpose-built technology and automation to streamline incident intake and risk assessment.
The research above indicates that privacy professionals certainly have their work cut out for them, and perform a more vital role than ever. Informed by the data surrounding the mounting threat to our organizations, it makes sense that the recent IAPP salary survey indicated an industry-wide growth in compensation. Considering the importance of their role in an organization, privacy professionals are worth every penny!
If you’d like to share what privacy and data breach news is currently on your radar, we would love to hear from you at firstname.lastname@example.org.