Posts Tagged ‘2009 Data Breach Report’

To DBIR: Show me the Money!

Thursday, April 16th, 2009

One of the most common questions/criticisms we get regarding the Data Breach Investigations Report is the lack of data on financial losses experienced by organizations in our sample. We can understand the frustration. There are, however, several reasons that the report does not contain such information:

1) A breach investigation focuses on the collection of evidence related to who did it, how, when, what was compromised, etc. Analyzing and quantifying financial losses to the victim organization is simply not what we’re paid to do. Although we do occasionally gather information relevant to the impact of a breach, we do not gather nearly enough pieces to complete the puzzle. Nor are we on the ground long enough after the breach to truly study the long-term consequences.

2) While we could include the bits and pieces that we collect on losses, we made a decision at the very beginning not to do so. One of the aspects of the DBIR that we (and we hope many others) like is that, from cover to cover, it is filled with objective, credible, factual information. Since we do not collect data of that caliber on losses during an investigation, we do not feel it fits with the rest of the report.

That said, we’re not blind. We realize that breach details along with a credible account of financial losses are the “Holy Grail” of our field. I won’t give away too much now, but let’s just say that we’re actively working on something that may please the masses.

2009 DBIR: Unknown Unknowns

Tuesday, April 14th, 2009

I am totally fascinated that, as sophisticated as our enterprises are, computer crime follows the same basics as water (seeks the lowest point, leaks from the softest spot) and chains (that break at their weakest link). We chant and rant these sorts of ditties endlessly, yet our spending and protection strategies often make security stronger where it is already strong, and ignore, or don’t even look for, the weak spots.

Figure 30. Unknown Unknowns

Figure 30 in this year’s study shows that in over half of all cases (and a much higher percentage of records lost) the data that was breached involved relatively simple things that took the victim company by complete surprise. In Figure 30 (pg 34), “Unknown Data” was a problem in over 1/3 of cases and about 2/3 of all records lost.

When we get called in to handle a case we typically meet with the IT staff on the first morning to reassure them and to get some basic information so that we can quickly diagnose the issue. Usually someone knows that records were lost, but doesn’t know how. We ask: “Where would records like those be stored and processed?” The staff answers something like “over there on machines A, B, C and D.” We ask if we can put a sniffer on the network among machines A, B, C, and D. When we do, we typically see 95%+ of the traffic moving among these devices, but we often see a small percentage of traffic also going to machines “P, Q, R, S, and T.”