Did it seem like 2014 saw an unprecedented surge in cyberattacks and breaches, with a whole array of new attacks? That simply isn’t the case, according to the 2015 Verizon Data Breach Investigations Report, which Verizon Enterprise released on Tuesday (April 14).
According to the annual compilation of breach statistics from 70 contributors, including law enforcement agencies, the almost 80,000 security incidents that Verizon’s team examined in 2014 didn’t represent a major surge. They also didn’t represent much that was new in attack techniques: 96 percent fall into nine basic attack patterns, some of which are decades old.
While the details vary from one industry to another, the breach patterns are: miscellaneous errors, such as sending an email to the wrong person; crimeware (malware aimed at gaining control of systems); insider privilege misuse; physical theft or loss; Web app attacks; denial-of-service attacks, cyberespionage; point-of-sale intrusions; and payment-card skimmers.
Among the three key payment-card industries, in retail, 91 percent of breaches fell into three categories: point of sale (70 percent), crimeware (11 percent) and skimmers (10 percent). On the financial-services side, 92 percent fell into four categories: crimeware (36 percent), Web apps (31 percent), skimmers (14 percent) and privilege misuse (11 percent). And in accommodation, an astounding 91 percent of breaches fell into a single category: point of sale.
(That may be less surprising after considering that, in a separate report last month, Verizon found that 80 percent of retailers and hospitality companies failed interim tests of their payment-card security.)
But there is something genuinely new in this year’s edition of the report: Verizon has finally crunched enough data to more accurately calculate the cost per record of a data breach. Last year, the best number Verizon could come up with was $201 per record, up from $188 the year before. This year’s more accurate number? Just 58 cents.
However, that’s not a useful number, because the size of breaches can vary wildly and smaller breaches have much lower costs per record than giant, Target- and Home Depot-size breaches. According to Verizon’s new model, for a breach of 100 records, the expected cost is $25,450, or $254.50 per record. For 10,000 records, the cost jumps to $178,960 but the cost per record drops to $17.90. For a million-record breach the cost climbs to $1,258,670 and the cost per record is only $1.26. And at 100 million records, the expected cost is $8,852,540 — just 9 cents per record.