Last year’s Verizon Data Breaches Report showed that over the last 10 years that 92% of data breaches fall into just the 9 same patterns. Verizon produces one of the most comprehensive threat reports out there giving us a really good view into what happens in the cybersecurity industry. It is instructive to understand a little more about these numbers. The highest incident type is POS intrusions. Meaning people that are getting breaches via point of sale devices, at 28.5%. The second highest at 18.8% is crimeware. Crimeware is customized criminal software designed specifically to exploit a victim. Such as malware, virus, worms, ransomware, etc. trying to accomplish specific criminal activities such as spamming, data theft, extortion. The third most prevalent type at 18% is cyberespionage, which is the hackers trying to gain specific types of information in opposition to another party. So the top three account for over 65% of all incidents.
These numbers tell us something very valuable. They tell us that we are not trying to stop dozens or hundreds or even thousands of attack categories. But we can get most of the job done with about 9 different attack patterns. We can even make a large dent in our problem by focusing on the top three and address 65% of attacks.
This is very instructive in something I have referred to frequently and that is the need to be 100% perfect with our cyber defense. This simply an impossibility. We can never get to 100% with cybersecurity. I heard one of my colleagues say the other day. As soon as you give a person access to a system, the cyber defense immediately falls below 100% secure. This is certainly true. So our goal is success, not perfection. Because while we are preparing for perfection, and trying to build a cyber defense system that is 100% the cybercriminals are exploiting our current system.
Get To 80%
Get to 80% and move forward. You will make mistakes along the way. But if you keep trying to get to 100% or even 92% you will wait too long and the hackers will get the upper hand. I was working on a company a few weeks ago and they had spent so much time putting together their new cyber defense system, that by the time they called me they were in the midst of a major attack. And they did not even know it. Because their own system had not been implemented yet.
Eighty percent and move, work through the mistakes and bugs along the way. But at least you will have the bulk of your system built. This Verizon report is a good starting point. Start from the top and work your way down. As you get through the list your cybersecurity posture gets stronger and stronger. Cybersecurity is a fluid environment, it is imperative that you must be fluid also.