Verizon data breach report offers 10-year look at cyber-crime

A decade of data breach information has revealed an unprecedented level of insight into the trends and patterns of cyber-crime, including industry-specific trends that for the first time can be mapped to 14 critical security controls.

According to an advance copy of Verizon’s 2014 Data Breach Investigations Report, obtained by FedScoop, 49 organizations from 95 countries contributed data on more than 63,437 security incidents, including 1,361 confirmed data breaches. That’s a huge increase from the 19 contributors representing just 27 countries in last year’s report.

“It’s a really good sample of what’s going on in the world,” said Stephen Brannon, a principal with the Risk Team at Verizon. During the last 10 years, Verizon has collected and coded data on more than 100,000 security incidents.

But the 2014 report represents a significant departure from past years. It not only includes incidents that did not necessarily lead to a confirmed data breach, but it maps the incidents to nine basic attack patterns. It then maps those attack patterns to specific industries and makes specific recommendations based on the SANS Institute’s Critical Security Controls list.

2014_04_VDIR2 Frequency of incident classification patterns (Verizon Data Breach Investigations Report, 2014).

The 10 years of data included in the report reveals nine overall threat patterns. But for the first time, Verizon researchers have been able to map those specific threat patterns to specific industries, enabling executives in those industries to make better decisions about what security technologies to purchase.

Among the most problematic trends identified in the report was the significant increase in the number of external hacker threats that organizations now face.

“The number of internal and partner actors has stayed steady and external actors have been increasing year over year,” Brannon said. “There are definitely insiders and partners that you have to worry about, but by the numbers there are a lot more people outside the organization perpetrating security incidents.”

Latest Podcasts