For example, I imagine that they deal with a higher percentage of external attacks and relatively few insider events, which might explain why the report shows so few internal incidents relative to other forms of attack. My basis for this is that companies are more likely to deal with insiders on their own and keep such incidents as quiet as possible. This might explain the big discrepancy between the report’s statement of 20 percent of confirmed breaches by internal staff, 32 percent by business partners and 74 percent by outsiders. The reason that the sum of these percentages exceeds 100 percent is that many breaches involve more than one category of perpetrator. Many others believe that insider incidents might be some 70 percent of all events. I happen to think that the real number is over 90 percent, because there are so many internal incidents of which companies are not aware.
In any event, if we can get over the obvious biases and some doubts about the conclusions reached, there remains much to learn from the report. For me, perhaps the most revealing statistic was that, for internal breach sources, 9 of 21 breaches (43 percent) involved end users and 38 percent involved IT administrators/super-users. What immediately sprang to my mind was that these, if truly representative, are astounding numbers. The implication is that end users and admin folks account for about the same number of total breaches, yet the ratio of end users to administrators might be anywhere from 100-to-one to 1,000-to-one in typical medium-to-large companies. This suggests that an admin is hundreds of times more likely than an end user to be involved in a breach!

One Comment
Warren,
When I (and I hope others) present around the report, we mention this bias explicitly. I hope nobody ever told you it was a random sample. Also, it might be worth noting that page four of the report states:
“We would like to reiterate that we make no claim that the findings of this report are representative of all data breaches in all organizations at all times. These statistics are based solely upon our caseload and any conclusions or inferences we make are drawn from this sample. Although we believe many of these results to be appropriate for generalization, bias undoubtedly exists. Even so, there is a wealth of information here and no shortage of valid and clear takeaways. As with any study, readers will ultimately decide which findings are applicable within their organization.”
I also work in my presentations to discuss the nature of the threat sources – giving the same reasons you do describing why the results might look like they do. Again, from the report itself:
“It is true that these results are based upon our caseload—which is consumer data-heavy—and may not be reflective of all data breaches. Perhaps insiders are more apt to target other types of data such as intellectual property. It is also true that many insider crimes may never be detected, though one would think any breach causing material harm would eventually be noticed. It is also feasible they are more likely handled internally.”
I hope that you found the presentation informative. If you’d like, please feel free to drop me an email with any questions you might have. I can’t comment on any specific cases, only on the aggregate data set, of course, but if there’s something you’d like clarification on, I’m happy to help.
yours,
Alex