I recently had the opportunity to travel to Pittsburgh for the 2016 ISACA Pittsburgh Information Security Awareness Day Conference. This conference is part of a regional series hosted by the local ISACA Pittsburgh chapter.

I was impressed with the thought leadership in the sessions at this conference, and with the sincere dedication of the conference attendees and organizers in their efforts to elevate the visibility of information security. In fact, Pittsburgh’s mayor, Bill Peduto, declared the date of the conference, Dec 5, 2016, to be Pittsburgh Information Security Awareness Day in honor of this event.

During the conference, I found myself taking note of the wealth of research and statistics in our field. This valuable research and resulting reports are one means of elevating the privacy and security conversation, and sharing these figures helps verify the work we are all doing to keep data safe and keep individuals informed.

Statistics in Incident Response

Verizon’s Data Breach Investigations Report

I started my day off with a session led by Bhavesh Chauhan, Principal Client Partner, Verizon Enterprise Solutions, in which he reviewed the often-cited 2016 Verizon Data Breach Investigations Report. A few statistics from this report, which covers 2015 data:

  • Over 100,000 incidents reported, and 3,000 confirmed data breaches.
  • 89% of breaches had a financial or espionage motive.
  • 63% of confirmed data breaches involved weak, default or stolen passwords.

Bhavesh also reviewed the Data Breach Digest, which is an accompanying report that dives deeper into field scenarios from Verizon’s Research, Investigations, Solutions and Knowledge (RISK) team. Over the last 3 years, the majority of the RISK team’s 1,175 investigated cybersecurity incidents fall into just a dozen common scenarios, now published in the Verizon Data Breach Digest. Billed as “the closest we can get to giving you a Risk Team ride along,” this report and the Data Breach Investigations Report were both referenced throughout the day in other sessions.

91% of Attacks Start with Email

A session presented by Bob Adams of Mimecast centered on the figure that 91% of cyber attacks start with email, a statistic from a Wired article about phishing that originated in a 2012 Trend Micro report. In his presentation, Bob reviewed just how convincing these emails can be, the thought and research that goes into these targeted attacks, and how social engineering and sophisticated spoofing take advantage of a poorly trained team.

In the 2016 Data Security Incident Response Report from Baker Hostetler, a survey of 300+ incidents in 2015 found that the top two reasons incidents occur were phishing/hacking/malware (31%) and employee action or mistake (24%). The prevalence of the “human element” in company vulnerabilities points to the continued need for employee training.

The Big Picture: Dispelling Common Myths in Data Incidents

The presentation by RADAR CEO Mahmood Sher-Jan featured trends identified from the volume of incidents processed through RADAR. Unlike data breaches, data incidents aren’t publicly reported, so the aggregated data culled from RADAR provides a unique glimpse into incident trends. Looking at the data across multiple industries, Mahmood revealed common myths when it comes to popular understanding of data incidents. These myths include:

  • The prevalence of electronic incidents. Electronic incidents may expose more records per incident, but paper incidents – for example, misdirected mail or fax – are much more commonplace. While Verizon and Mimecast are paying attention to the cyber and electronic incidents, according to our data ~90% of the incidents in highly regulated financial services and healthcare companies are still paper.
  • The idea that all incidents involving regulated data are data breaches. Data indicates that the majority of incidents, when properly risk mitigated and run through a compliant multi-factor risk assessment, do not meet a breach threshold.
  • Incidents occur because you are under attack. While it is important to prepare for security scenarios – including the possibility of attacks on your data – the majority of incidents occur due to human error, not malicious intent.

These myths can partly be attributed to a disregard for the difference between data breaches and data incidents. The information security community has a number of annual reports on data breaches – the prevalence of these myths may indicate a need for more research into incidents.

Read the Blog Post: Common Misconceptions in Incident Response

In the Complex World of Information Security, Knowledge is Power

Across the sessions and from individuals of every background, it seemed that we all had a point we could agree on: managing privacy incidents involving regulated data is a complex and constantly evolving challenge. A great session by Angie Singer Keating, CEO of Reclamere, titled “Ensuring proper disposition of data and electronic equipment,” spoke of how the steps taken to reduce risk could be a determining factor in whether an incident is reportable or not. In another session, an attorney from Reed Smith, Mark Melodia, spoke about the complexity of state data breach notification laws and the difficulty in keeping up with the ever-changing landscape.

Attending industry events is an opportunity to share best practices, learn from one another, and connect in our common goal: to protect our systems and the private information in our care. In that respect, the industry statistics shared and the research into the causes of privacy incidents and data breaches are integral to this goal. I look forward to continued research and thought leadership from ISACA, attendees of this event, and the privacy, security, compliance and risk professionals working in the field every day.

