Archive for the ‘2011 DBIR’ Category

Thank Goodness for Fraud

Wednesday, September 7th, 2011

Odd title, I know, but there’s an element of truth there. Allow me to explain.

If you’ve read our Data Breach Investigations Report, you’ll probably remember that we’re not overly encouraging about the ability of organizations to detect and respond to security incidents. It’s been our very consistent finding over the years that breach discovery takes far too long and, when it finally happens, it’s usually because a third party notified the victim of their predicament.

Timeframe

What makes all this worse is that both the timeframe and method of discovery are almost always dictated by the criminal.

Read that again; I’ll wait.

As Bryan Sartin discussed some time ago over on Verizon’s ThinkForward blog, fraud committed using stolen data often triggers the discovery process. So, criminal actions enable us to catch criminal actions. Which leaves us security professionals with a burning question – where would we be without the help of fraud?

I’ll tell you the burning answer: 44 (I was so hoping it would be 42).

Recently, we’ve given several DBIR presentations to government agencies and other organizations that work in space. Such organizations are (understandably) more interested in the theft of IP and classified data than, for instance, payment cards. Thus, we’ve isolated such cases from the larger DBIR dataset and include stats around IP and classified data theft in these presentations (don’t get too upset – we’re sharing some of this with you too). The differences between these datasets are often substantial and provide plenty of food for thought…which brings us back to breach discovery, fraud, and the number 44.

Of all breaches involving IP or classified data, 44% take years or longer to discover.

Read that again; I’ll wait.

Why? Almost certainly because such data is not used for post-breach fraud the way payment card and personally identifiable information are. Instead, you look up a couple of years later and wonder at the surprising similarity between your gizmo and the enhanced version your competitor just launched. The ironic truth is that without the help of the credit card companies and their comparatively mature and effective fraud detection mechanisms, we’re left to our own devices. And that, my friends, spells trouble.

So, thank goodness for fraud; what would we do without it? What ARE we doing?

New views into the 2011 DBIR

Thursday, June 23rd, 2011

Numbers and charts courtesy of Marc Spitler

Since publishing the 2011 DBIR back in April, we’ve received a lot of questions about the dataset presented in the report. From the 761 incidents covered in the report, one gets a pretty decent view of “what this says about the general community,” but it can be challenging to figure out “what it means for me specifically.”

Though some suggest otherwise, I do not believe this is a problem inherent to our dataset; this same basic issue affects any large dataset. For instance, if we polled the global working community on some issue, the results would reveal a “middle” position that was not necessarily reflective of any particular country involved. Tracking this over time shows changes in the typical international stance on the issue and has value for many purposes. For other purposes, however, one might wish to study the views of a specific age group from a specific country.

There are nearly unlimited ways we could slice the DBIR dataset to create additional views and we can’t possibly do them all – especially for free (just being honest). We can, however, create some of the most-requested segmentations, and we are happy to preview a couple here. Below you’ll find the top 15 threat actions for 1) organizations with at least 1000 employees, and 2) breaches of intellectual property and classified information (payment card data and personal information excluded). You can compare these to Table 8 on page 26 of the 2011 DBIR.


2011 Data Breach Investigations Report released

Tuesday, April 19th, 2011

Here we are again – our fourth installment of the DBIR series (sixth if you count the ’08 and ’09 mid-year supplementals). To our readers, it may seem like the 2010 DBIR published ages ago. To us, it feels more like yesterday. The expanding scope and increasing depth of the report makes it almost one continuous effort throughout the year. It is, however, a labor of love and we’re very glad to be sharing our research into the world of data breaches with you once again.

We are also very glad to have the USSS back with us for the 2011 DBIR. Additionally, we have the pleasure of welcoming the NHTCU to the team. Through this cooperative effort, we had the privilege – and challenge – of examining about 800 new data compromise incidents since our last report. To put that in perspective, the entire Verizon-USSS dataset from 2004 to 2009 numbered just over 900 breaches. We very nearly doubled the size of our dataset in 2010 alone!

With the addition of Verizon’s 2010 caseload and data contributed from the USSS and NHTCU, the DBIR series now spans 7 years, 1700+ breaches, and over 900 million compromised records. We continue to learn a great deal from this ongoing study and we’re glad to have the opportunity once again to share these findings with you. As always, our goal is that the data and analysis presented in this report prove helpful to the planning and security efforts of our readers. We also hope you just enjoy reading it.

You can grab it here