2016 Data Breach Investigations Report from Verizon
Last year, Verizon released its annual analysis of data breaches in 2015. The 85 page report looks at trends in who was a victim of breaches, common points of focus, vulnerabilities, and breach trends. The report acknowledges that the 9 major incident classification patterns identified in the 2014 version are still accurate. Those categories include: Web App Attacks; Point-of-Sale Intrusions; Insider and Privilege Misuse; Miscellaneous Errors; Physical Theft and Loss; Crimeware; Payment Card Skimmers; Cyber-espionage; and Denial-of-Service Attacks. 89% of breaches had either a financial or espionage motive.
The report contains a plethora of graphs, charts, and data. The following excerpt is from the report’s introduction, and the full report is included in this post.
“This year’s dataset is made up of over 100,000 incidents, of which 3,141 were
confirmed data breaches. Of these, 64,199 incidents and 2,260 breaches
comprise the finalized dataset that was used in the analysis and figures
throughout the report. We address the reasons for culling the dataset in
Victim Demographics and provide additional details when we discuss motives
in Breach Trends. Of course, we would never suggest that every last security
event of 2015 is in this report. We acknowledge sample bias, and provide
information about our methodology as well as links to resources that we
encourage you to look into to help collect and analyze incident data within your
own organization, in Appendix E.
We will also acknowledge what isn’t in this report. For those looking for
proclamations about this being the year that mobile attacks bring us to
our knees or that the Internet of Things (IoT) is coming to kill us all, you will
be disappointed. We still do not have significant real-world data on these
technologies as the vector of attack on organizations. If you feel we are in
error, put down the torches and pitchforks and share any breach data that you
have. We are always looking for avenues to shine lights into areas in which we
may not have sufficient illumination. Also, their absence is not a suggestion to
ignore these areas in your risk management decision-making.”