Understanding the consequences of cyberattacks and the importance of putting cybersecurity measures in place is more important today than ever before. Therefore, the need for data-driven breach statistics and facts from the cybersecurity field is critical.
“Yes” or “no” questions won’t help you better understand your vendors’ (or your own) cybersecurity posture—but actionable metrics will.
Below, we’ll highlight seven reputable sources for solid cybersecurity data. This list is by no means exhaustive—but the sources listed are an excellent place to start your search. The information you find will help you better express the criticality of cybersecurity within your own organization.
Sources Of Analysis
The following three sources are reports that summarize aggregated data breach statistics for a particular region, an industry, or the field as a whole. These reports are the result of research by industry experts who have studied the field for years (or even decades), and they are filled with high-level analysis and actionable data.
If there’s one data breach statistic report that industry insiders look out for every year, it’s Verizon’s DBIR. Verizon gathers their information from a variety of public and private sources in the security and law enforcement arenas. The 2016 DBIR sparked a healthy discussion within the security community concerning research methodology, but still remains a solid source for data breach information.
“Four out of five victims [of a breach] don’t realize they’ve been attacked for a week or longer.”
Source: 2016 Data Breach Investigations Report | Verizon
California Attorney General Kamala Harris is at the forefront of policing and examining cybersecurity, and this source demonstrates the amount of attention that her office has paid to cyber crime. In February 2016, the attorney general’s office released a report of breaches in the state of California since 2012. Because California requires companies to report when they experience any information loss (including the information of both employees and consumers), there is a great deal of interesting information analyzed in this report.
If you skip to the “Findings” section, there are some great visualizations of the state data (for example, you can look at how the mean and median breach sizes have changed year by year). We believe this serves as an excellent example of how other states should follow suit and provide exploratory analysis for their citizens.
“While the total number of breaches did not increase in the past year, the total number of Californians affected rose dramatically from 4.3 million in 2014 to over 24 million in 2015.”
Today, BitSight offers 13 industry reports that cover various cybersecurity topics, from fourth-party network security to the criticality of botnets. In the latest BitSight Insight report, we explored the rise of ransomware, how the rate of ransomware attacks has grown, the industries most susceptible to infections, and potential methods for mitigation. Our dedicated team of data scientists is consistently looking into industry trends and publishing new reports—so be sure to check back quarterly.
“Ransomware infections in education and government have more than tripled over the past 12 months.”
Incident-level reports go straight to the source of the information. These are primary sources with unadulterated information and unbiased facts. For example, if you wanted to get the details about a particular large data breach and see how it impacted the companies that used the breached party as a vendor, you could do so through these incident-level reports.
4. State Incident Reports
With the exception of Alabama, New Mexico, and South Dakota, all states in the U.S. have a mandatory data breach reporting statute whereby if a company experiences any data loss, they are required to report it to a particular agency or individual within their state. But only a handful of states then publish that information on their website for public consumption. At BitSight, we’re largely in favor of this information being easily accessible, as it helps protect consumers and keeps them informed when their data may be at risk. Here are a few state agencies with a public interface:
If your state doesn’t provide this type of information and you want to see it, make your voice heard. Tell your state officials that you would like to see this data, and work proactively toward this goal. In the meantime, consumers and organizations who want more information about potential information compromise can request it using the Freedom of Information Act (FOIA) process.
The Identity Theft Resource Center is a nonprofit organization “established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cyber security, scams/fraud and privacy issues.” It offers write-ups of breach information that are presented in clear, easy-to-browse formats. Its search functionality allows individuals to filter data by company size, industry, and more.
Privacy Rights Clearinghouse has been around since 1992 and focuses on helping people “protect their privacy by providing direct one-to-one assistance, creating original educational publications, and advocating for consumer-friendly policy.” Privacy Rights Clearinghouse has recorded over 5,000 public data breaches gathered since 2005. You can sort through these records based on year, organization type, or type of breach.
This dynamic bubble chart allows you to visualize breaches in a very different way. There are a number of filters—from type of organization, to year of the leak, to method of the leak—that will help you glean the information you’re looking for. In the future, we’d love to see more reputable sources creating these visual reports and infographics. Cybersecurity is a serious topic, but presenting it in a visually appealing way will engage a broader audience. Not everyone will read a 75-page cybersecurity analysis, but they may be interested in seeing how breaches stack up to one another in regard to record count.
Making Data Breach Statistics Actionable: Your Next Step
Having constant access to reputable data breach sources is critical—but ensuring your organization doesn’t become one of the data breach statistics you read about is a different ball game entirely. Cybersecurity is rapidly changing, and so are its best practices. If you want to get a better idea of the three main ways your organization may experience a cybersecurity incident and a sample of metrics you can put in place to mitigate risk, download the free guide below.