The 2015 version of Verizon’s annual data breach report is available today, and there are some takeaways for channel partners.
The report, in its eighth year, is a data-cruncher’s dream. It’s based on data from 70 contributing organizations, including Verizon Wireless, U.S. and foreign government agencies, nonprofit and academic contributors and dozens of top-tier security vendors. Verizon analyzed 12 TB of data tied to almost 80,000 incidents and more than 2,100 confirmed breaches across 61 countries.
Attackers are global, so threat analysis must be as well. And the only way to cope with the volume and variety of attacks is to pool intel — as the authors state, “sharing is cyber-caring.”
The report is likely to be a topic of discussion among customer security teams.
“Many businesses use this to guide their decisions,” Mike Denny, Verizon’s VP, global security, told Channel Partners. Report highlights include an opportunity to actually stay ahead of attackers on mobile devices and the need to pay attention to basics — incredibly, 10 common vulnerabilities accounted for almost all of the exploits observed in 2014.
The report also delves into threat intelligence, phishing, IoT and more.
Bob Rudis, a Verizon security data scientist and lead author on the report, said a first-ever partnership with Verizon Wireless contributed some surprising insights on mobile security. Analysis of tens of millions of devices showed malicious malware rates of virtually zero on iOS and a negligible 0.03 percent on Android.
“That’s a blip,” said Rudis. “The exploits just aren’t happening.”
For managed security providers, this is a mixed blessing. The findings may make some customers reconsider spending on new mobile security solutions. On the other hand, it’s no time to get complacent. Companies still need help staying ahead of attackers, who no doubt hope to increase the number of compromised iOS and Android devices before the 2016 report.
So where does opportunity lie? The sorry state of patching to block common exploits.
“We’re seeing a tremendous amount of vulnerabilities, including old vulnerabilities, that have not been remediated,” said Mark Spitler, Verizon senior security analyst. “We’re seeing a lot from 2007.” Fully 99.9 percent of exploited vulnerabilities were compromised more than a year after the CVE was published.
Spitler’s advice: “Instead of just playing whack-a-mole, ask, ‘What was our procedural breakdown?’”
Spotty patching is usually a symptom of overstretched security teams. They know what they should be doing, but between testing patches to confirm they don’t break apps, ensuring the capability to roll back gracefully if need be, following change management, approval, compliance and auditing rules — well, stuff happens. This is exactly the sort of labor-intensive but non-business-differentiating work that should be done by a trusted partner.
What can get channel companies in the door is …
… hard data on risk, and the report has some insights for small and midsize companies and select verticals.
You’ll see plenty of alarming stats on the per-record costs of breaches; however, many are based on shaky foundations. Not so Verizon’s figures. Jay Jacobs, Verizon senior security analyst, said the team had complete insight into 191 incidents, across a range of orgs.
“Talk of cost per record is not that helpful,” Jacobs said, but smaller companies do tend to pay a higher per-record cost, on average, versus enterprises. Verizon predicts the average cost for a breach affecting 1,000 records is between $52,000 and $87,000.
As for verticals, no surprise: Public sector, financial services and retail are among the hardest hit in terms of sheer volume of incidents; however, when it comes to the ratio of confirmed data loss compared with exploits, hospitality, educational and entertainment firms have plenty of room for improvement.
Other stats that could shake loose funds for security training services: 23 percent of employees open phishing emails, and 11 percent click attachments.
“There’s no silver-bullet, spend $1 million-and-you’ll-be-safe approach,” said Bryan Sartin, director of Verizon’s RISK team. “But security is not all that complex, either.” Channel companies have an opportunity to build repeatable programs that make them invaluable to customers.
Verizon recommends seven steps for security readiness:
“Everyone wants to know, are bad guys getting better or worse?” said Rudis. “The answer is, attackers are still moving fast and getting faster; protectors are moving faster, too, but not fast enough in most areas.” For budget- and staff-strapped customers, where security may not be seen as strategic, the discussion boils down to whether IT has the resources to take all these steps to protect data. If not, it’s time to bring in some hired guns.
Follow executive editor @LornaGarey on Twitter.