Data breaches are nothing to smile at, but Verizon today is issuing a new kind of security report that actually takes something of a lighter approach to discussing the most common kinds of data breaches, with the intent of reaching beyond the security specialists to less technical folks, including some of those in management.
The Data Breach Index Report uses some of the data Verizon Communications Inc. (NYSE: VZ) also uses for its annual Data Breach Investigations Report (DBIR) but packages it with a little bit of humor into a series of 12 primary data breach scenarios. These are represented by names such as "The Slick Willie," "The Bad Tuna" and "The Dark Shadow," and appropriate illustrations on what the report calls "Attack-Defend Cards" that graphically lay out the scenario, incident pattern, targeted victim and threat actor for each. (See Verizon: Medical Info More at Risk of Theft.)
In addition, Verizon provides information on six other attacks, the ones that are less frequent but more lethal. You can find the entire report here.
"The intent is to hit a much broader audience," says Chris Novak, who is managing principal of the Verizon Investigative Response Unit. The DBIR may not do that because the information is packaged for security experts, and is "a data science, statistics heavy kind of publication, with lots of analytics and big data number crunching," he says.
Broadening the audience is a key goal for a number of reasons. Management may not be technically savvy on security, but it is important that threats are understood at that level of a company, including among its board of directors, so they grasp the real risks and therefore adequately support the security effort in staffing and resource decisions. Company employees and even consumers need to know common data breach scenarios to recognize threats and avoid them, realizing their behavior has consequences.
Another goal, however, is to try to mitigate the sense of inevitability of cyberattacks and data breaches, Novak says. By sharing more information, Verizon intends to help people be realistic about the dangers but also know they aren't helpless.
"When we go in and do a lot of investigations, the common feeling is that [victims] feel very alone in their breach, like it hasn't happened to others, or why me?" Novak explains. "When you get down in the weeds of the data and you have the broad visibility we have across industries and geographies in our caseload, we can see that there are these commonalities that take shape and these organizations are not alone. And one of our hopes is that people will realize that and be able to draw from that. They can quickly recognize this has happened to many others, this is what they are doing, this is how they are containing this, and by the way, there is an easy way for me to get help with this."
That is another way the Data Breach Index is different from the DBIR -- it draws exclusively on Verizon's own caseload, whereas the larger report also draws on information Verizon collects from global partners. And in that caseload, the 12 breaches it includes in the index represent 60% of the total number of data breaches.
The index is still pretty long -- almost 84 pages -- but one other thing Verizon has done is to create a chart which shows which kinds of attacks most frequently target businesses based on their industry segment. For example, the retail industry is most often attacked via point-of-sale intrusions and crimeware, while transportation is targeted by cyber espionage. Those reading the report are quickly directed to the pages describing the attacks most relevant to them, and don’t have to get through all 84 pages.
— Carol Wilson, Editor-at-Large, Light Reading