The recently released annual Verizon Data Breach Investigations Report (DBIR) provides quite a bit of insights into the state of security and why breaches take place. Business executives and IT security leaders, should especially note those areas where improvements can be made.
Verizon analyzed more than 100,000 security incidents for its 2016 report, of which 2,260 were found to be data breaches. In the 2015 DBIR 2,122 of the 79,790 security events analyzed were considered data breaches. This tells us immediately that security incidents continue to be on the rise, as are data breaches.
From this alone it’s safe to assume that next year these numbers will rise and that organizations of all industries really need to ensure their security posture is up to the task; which brings us to a second important finding from the 2016 DBIR.
- Compared to the 2015 DBIR, Verizon found little change in the breach landscape. Attackers continue to use the same tactics and organizations continue failing in the same basic areas of security.
If there’s anything that should cause executives and IT security leaders to turn their noses up, it is this finding alone.
An entire 12 months and 365 days have gone by, and businesses continue to fail even at basic security areas. Anyone following industry news, in this case the company CIO or IT security senior executive, knows how much talk there is around how organizations can improve their security program, as well as where companies keep finding challenges in those areas. From our experience as a security company who helps businesses implement a holistic risk management process and who also writes about security topics that can help these organizations; it is mind boggling to keep seeing little improvement in annual reports such as the DBIR.
Additionally, it’s even harder to know what to say to those company leaders who turn around and refute findings such as these, claiming it’s only a way for security companies or the media to stir up panic. The numbers continue to clearly find an increase in number of security incidents and they are finding these because companies are the one reporting those incidents. It’s really straightforward.
Something else that should be highlighted from the report is that known vulnerabilities continue to be the root cause for many breaches. 85% of successful exploits in the last year are attributed to 10 already-patched vulnerabilities. The study also found that in some cases the patches have been available for years and that some vulnerabilities still showing up as root causes of breaches are from 1999. Yes, 1999; that’s almost 20 years ago.
You might be saying, there has to be some good news, let’s see. You’ll be happy to know that unpatched systems aren’t the only common flaw for security. The DBIR found that 63% of data breaches happened thanks to weak, default or stolen passwords; and phishing also continues to be a problem. 30% of phishing messages were opened by organizations compared to 23% from the 2015 DBIR.
As it stands today, organizations have yet to make the necessary improvements to their data security process and program. The worst part is that someone in the company must be aware of the risks of breach, even if a company may not have a CIO, it’s hard to miss mega breach news stories like when Target was breached.
On a positive note, if you are aware of the problems with weak security measures and are ready to do something about it, there are companies like ours, who really, really want to help you achieve an effective security posture.
Get in touch and schedule your free consultation. At least when you’re done talking with us, you’ll have a better idea of where you stand with vulnerabilities and overall security health. You have to start somewhere if you’re going to make improvements to your business’ state of security.
Photo Courtesy of alexskopje