Security Researchers Challenge Claims Data Breaches Increasing
Verizon is not the only industry participant to note a dangerous change in attack trends. In its annual M-Trends report, incident response firm Mandiant Consulting, now a part of security company FireEye, interestingly did not note an overall increase in breaches in 2015, but did note "an increase in the number of disruptive attacks that we responded to" and that "more breaches than ever before became public knowledge." The other major attack trends included reports that Chinese-linked attackers are stealing large amounts of personally identifiable information and that attacks are targeting networking gear, the M-Trends report stated. "I think there is a higher frequency of more serious, more impactful breaches that are happening now," Charles Carmakal, vice president of incident response for FireEye, told eWEEK. While the report gave relatively little data on actual incidents, the company did note that the time to detect a breach had decreased on average to 146 days in 2015, from 416 days in 2011. While that's positive, Mandiant added, "In our experience, 146 days is 143 days too long."In addition, Verizon's Sartin and Mandiant's M-Trends report both stressed an increase in attacks targeting intellectual property. Those types of attacks are typically hard to detect and hard to quantify in terms of cost, said Benjamin Edwards, a Ph.D. student in the Adaptive Systems Lab at the University of New Mexico and the co-author of the report showing that, over a decade, publicly disclosed breaches have not increased in impact. "It is difficult to obtain reliable data on how much data breaches cost—or any other obvious measure of impact—so assessing impact quantitatively is still a challenge," he said. "Thus, our results do not necessarily contradict [Mandiant's]." Finally, the differences in the subjects of each study could also explain the different conclusions. Mandiant and Verizon see an increase in total reported breaches, but as more companies take security seriously, the number of companies reporting breaches—and thus the total number of breaches—rises. That can still happen even if academic researchers are seeing a constant number of incidents per year at any one particular firm. The next step is to give companies a better understanding of how to best allocate their security budgets based on data analysis, Stanford's Kuypers said. The researcher aims to develop a better way for companies to gauge the impact of their security budgets. Full disk encryption, for example, has dramatically reduced the costs of dealing with lost devices, while two-factor authentication has reduced the damage from lost credentials, he said. Unfortunately, because of a lack of breach data, finding better models to measure risk and predict costs is difficult. "For an organization with a million dollars to spend on security, it's really hard to tell them where to put the money for the greatest risk reduction," he said.
While the data from academic researchers and industry experts appears to contradict each other, both could be true. Breach data typically includes incidents where a device is lost or stolen, while the upwards trend noted by Verizon excludes such incidents.