A company that suffers a data breach involving just 100 records could expect to be dealing with a cost measured in the tens of thousands of dollars, according to Verizon’s 2015 Data Breach Investigations Report.
The vendor analysed 200 global cyber liability insurance claims related to data breaches, looking at the cost per record starting from 100 records and going all the way up to 100 million records. It is the first time Verizon has published details of the model, which is designed to help people estimate the financial impact of a data breach.
The actual cost incurred by a breach can vary substantially depending on a business' industry
“One of the most significant factors is the type of data lost, which can be anything from payment card details to medical records,” states the report.
“This is the first time we’ve taken a comprehensive model. We’ve looked at breaches all the way from a single case up to thousands of records. Our data scientists have looked through 12 terabytes of breach data to build the model,” said APAC head of security Robert Parker.
“This is a framework for any breach going forward. The feedback I have had is that people understand the data breach information but their board wants to make that meaningful to the organisation with the financial risk of a breach.”
Breaking down confirmed data breaches in 2014, Verizon found that 96 per cent of them related to nine attack patterns. The biggest percentage — 28.5 per cent — were attacks involving point of sale (POS) systems. In 2013 and 2014 the US retail industry was been rocked by a number of high profile POS-based attacks on brands including Target, Home Depot, Neiman Marcus, White Lodging, Michaels and The UPS Store.
The next biggest category of breaches, at 18.8 per cent, involved 'crimeware' (Verizon's term for any use of malware to compromise systems). Crimeware was followed by cyber espionage (18 per cent), insider misuse (10.6 per cent), Web applications (9.4 per cent), and errors (8.1 per cent). In 3.3 per cent of Meanwhile, 3.3 per cent of data breaches physical theft, and 3.1 per cent involved card skimming.
As part of its research for the report, Verizon assessed the effectiveness of phishing emails. The report also included some insights about how attackers set up for a data breach. For example, Verizon analysed 150,000 phishing emails that were sent out.
"We aggregated the results of over 150,000 e-mails sent as part of sanctioned tests by two of our security awareness partners and measured how much time had passed from when the message was sent to when the recipient opened it, and if they were influenced to click or provide data (where the real damage is done)," the report states.
"The data showed that nearly 23 per cent of users open e-mails and click on phishing links within the first hour."
“From the start of that campaign it took 82 seconds before someone had been compromised. You would think today that people know not to click on links,” said Parker.
“The authors of phishing emails are becoming much more sophisticated. It is much more difficult to see at a glance if that is a legitimate email from a bank or online retailer. The second part is education,” he added.
Parker said that one of the key takeaways was that 10 of the top vulnerabilities accounted for the overwhelming majority of exploits in 2014. “Those are vulnerabilities that can be patched so having a patching regime will help,” Parker said.
Follow Hamish Barwick on Twitter: @HamishBarwick