This week the 13th edition of the Verizon Data Breach Investigations Report (DBIR) was released, which is usually a hallmark event of the cybersecurity world. As we have been in previous years, BitSight is proud to be a data contributor to the report. After taking some time to give it an initial read through, however, one thing stood out loud and clear to us: how little has changed after 13 years.
Going back to revisit the 2019 and 2018 reports, our suspicions were confirmed: sure, a few percentage points have changed here and there, but overall the state of the cybersecurity world is much the same.
Does this mean the DBIR is irrelevant? A relic of a bygone era that we cling to because we always have?
Hardly.
Our main takeaway is instead that the 2020 DBIR is another excellent, very well-researched piece of work that illustrates the need for change in our industry. Security and risk leaders appear to be doing the same things, year in and year out, with the same predictable results. If those results reflected perfect performance, the lack of change would be comforting. But instead the report shows that while the attack methods evolve (see: the rise in ransomware), organizations of every size continue to be vulnerable to breach.
So we here at BitSight would say that rather than dismissing the report as more of the same, it should serve as a clarion call to security pros everywhere that we need to rethink how we approach security, and a data-based demonstration that we need to break out of old habits and old thinking.
At 119 pages the DBIR is a lot to digest; however, a few things already stood out to us as we dove into the report and took a glance back at last year’s:
Our big takeaway from the report is that security is still approached as a tactical security problem, instead of as a strategic risk problem.
As we’ve already said, what jumped out was how little has changed in terms of the breach numbers. What is interesting, however, is that even as business evolves, the success of bad actors remains the same. As more business migrates to the cloud and web apps, bad actors are adapting their methods and changing things up to stay one step ahead.
Simply putting in the same firewalls, using the same security controls, and conducting the same anti-phishing training is not going to change the status quo. Security and risk leaders need to change their thinking and focus on gaining visibility into the attack surface, incidents of human error, and where risk is concentrated, and on objective metrics to drive accountability for improvement. Without making these changes, we fear that the 2021 Verizon Data Breach Investigations Report will look much the same as it did in 2020...and 2019...and 2018.