{"id":196,"date":"2008-10-02T00:00:00","date_gmt":"2008-10-02T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2008\/10\/02\/why-risk-management-doesnt-work\/"},"modified":"2021-12-30T11:36:43","modified_gmt":"2021-12-30T11:36:43","slug":"why-risk-management-doesnt-work","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2008\/10\/02\/why-risk-management-doesnt-work\/","title":{"rendered":"Why Risk Management Doesn&#8217;t Work"},"content":{"rendered":"<p>Two reports published in the last two days are challenging conventional wisdom about how to calculate enterprise security risk &#8211; and recommending new evaluations that account for industry-specific threats and potential rewards.  Verizon today issued a supplement to the data breach report it published earlier this year.  The report, which compares risk factors in six different vertical industries based on actual forensic breach investigations in those industries, indicates that the likelihood of specific types of attacks varies radically from industry to industry.  In a separate report, RSA&#8217;s Security for Business Innovation Council recommends a new process for calculating enterprise risk that more accurately weighs business rewards against potential security threats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Verizon report is a collective analysis of some 530 forensic investigations of data breaches that the company has done in large enterprises.  It breaks down the causes of the breaches by industry and draws conclusions about the most common types of attacks committed in each.  <\/p>\n<p>In financial services, for example, Verizon investigated many sophisticated attacks involving cooperation of insiders and organized outsiders, as well as social engineering.  
In the food and beverage industry, on the other hand, the attacks were much less sophisticated, and the likelihood of internal attacks was only about 4 percent, while the likelihood of external and partner attacks was 70 percent to 80 percent.  &#8220;In food and beverage, though, we saw a lot more repeatable, data-compromise-in-a-box sort of attacks &#8212; sort of the way&#8230;&#8221;  Verizon found similar differences in the sophistication and approaches used to attack data in other industries, including retail and high technology.<\/p>\n<p>Retail, for example, reported the highest number of breach incidents, but a relatively low level of attack sophistication.<\/p>\n<p>What these results might mean, Sartin says, is that employing a generic risk calculation, such as the likelihood of insider threats, may be a mistake unless industry-specific factors are accounted for.<\/p>\n<p>http:\/\/www.darkreading.com\/document.asp?doc_id=165107&#038;WT.svl=news2_3<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-196","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=196"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/i
ndex.php\/wp-json\/wp\/v2\/posts\/196\/revisions"}],"predecessor-version":[{"id":2683,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/196\/revisions\/2683"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}