Now in its 13th year, the Verizon Data Breach Investigations Report (DBIR) is essential reading for anyone wanting to understand why so much confidential information goes astray. The 2020 report analyzed information supplied by 81 contributors across 81 countries about 157,525 incidents, of which 3,950 were confirmed data breaches. Many readers of this report will prefer to focus on the sexier topics relating to hacking and espionage but the most important message is that human mistakes are the cause of a significant and rising number of reported data breaches.
The only action type that is consistently increasing year-to-year in frequency is Error. That isn’t really a comforting thought, is it? Nevertheless, there is no getting away from the fact that people can, and frequently do, make mistakes and many of them probably work for you.
Whilst 45 percent of breaches featured hacking, it is significant that 22 percent of reported breaches were attributed to errors. 70 percent of all confirmed breaches were perpetrated by external actors, but 30 percent were due to the actions of insiders. The two figures measure different things (the DBIR classifies error as an action, and insider as an actor), but taken together they suggest that incompetence, not malice, is the greatest insider threat. Whilst it is easy and tempting to blame all breaches upon external parties with malicious intent, these results suggest that far more needs to be done just to tighten procedures within organizations so there are fewer accidents with data.
Errors… are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries.
The ease with which serious mistakes are made can be shown by a breach at Virgin Media, as reported earlier this year. In that breach the contact details of 900,000 customers were left accessible to anyone who reached the relevant server because a marketing database was incorrectly configured; no hacking was needed.
The DBIR report writers believed the rise in the number of reported errors was due to increased reporting, and not to an increase in the fallibility of staff.
…there is a distinct rise in internal actors in the dataset these past few years, but that is more likely to be an artifact of increased reporting of internal errors…
My guess is that breaches due to errors have always been chronically underreported. The person most likely to identify an error is the person most likely to have made the error, with the result that many errors will never be reported to anybody within the organization or elsewhere. Reporting of errors is likely to have risen because governments have been pushing for increased transparency relating to security of data. This is consistent with the report writers’ observation that errors were blamed for a larger proportion of breaches “in industries with mandatory reporting requirements”.
If human attitudes towards data security are consistent with what telco revenue assurance teams find when they audit billing and process errors, then the reason why ‘only’ 22 percent of reported breaches are blamed on errors is that nobody looks for all the other errors that remain unreported. And why would they? If you can name one organization that is eager to reward a member of staff for diligently identifying the mistakes of their colleagues then I will name an organization that has turned human nature upside down.
You can obtain the Verizon Data Breach Investigations Report 2020 from here.