Odd title, I know, but there’s an element of truth there. Allow me to explain.

If you’ve read our Data Breach Investigations Report, you’ll probably remember that we’re not overly encouraging about the ability of organizations to detect and respond to security incidents. It’s been our very consistent finding over the years that breach discovery takes far too long and when it finally happens, it’s usually because a 3rd party notified the victim of their predicament.

What makes all this worse is that both the timeframe and method of discovery are almost always dictated by the criminal.

Read that again; I’ll wait.

As Bryan Sartin discussed some time ago over on Verizon’s ThinkForward blog, fraud committed using stolen data often triggers the discovery process. So, criminal actions enable us to catch criminal actions. Which leaves us security professionals with a burning question – where would we be without the help of fraud?

I’ll tell you the burning answer: 44 (I was so hoping it would be 42).

Recently, we’ve given several DBIR presentations to government agencies and other organizations that work in space. Such organizations are (understandably) more interested in the theft of IP and classified data than, for instance, payment cards. Thus, we’ve isolated such cases from the larger DBIR dataset and include stats around IP and classified data theft in these presentations (don’t get too upset – we’re sharing some of this with you too). The differences between these datasets are often substantial and provide plenty of food for thought…which brings us back to breach discovery, fraud, and the number 44.

Of all breaches involving IP or classified data, 44% take years or longer to discover.

Read that again; I’ll wait.

Why? It is almost certainly because such data is not used for post-breach fraud like payment card and personally identifiable information. Instead, you look up a couple years later and wonder at the surprising similarity between your gizmo and the enhanced version your competitor just launched. The ironic truth is that without the help of the credit card companies and their comparatively mature and effective fraud detection mechanisms, we’re left to our own devices. And that, my friends, spells trouble.

So, thank goodness for fraud; what would we do without it? What ARE we doing?

Tags: Data Breach Report, Data Breaches, DBIR, Discovery, Fraud, Incident Response, incidents

This entry was posted on Wednesday, September 7th, 2011 at 1:52 pm and is filed under 2011 DBIR, Analysis. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.