2017 Data Breach Investigations Report

10th Edition

Verizon Enterprise Solutions | 05/03/2017

Tips on Getting the Most from This Report

In the 2009 report, we wrote:

“These findings relate specifically to the occurrence (likelihood) of security breaches leading to data compromise … not attacks, not impact, not general security incidents and not risk.”

The study has since evolved to include security incidents and not just breaches for many findings, but the rest of the statement holds true to this day. The information, provided in aggregate, is filtered in many ways to make it relevant to you (e.g., by industry, actor motive). It is a piece of the information security puzzle—an awesome corner piece that can get you started—but just a piece nonetheless. The rest is filled in by you. You (hopefully) know the controls that you do or do not currently have to mitigate the effectiveness of the threat actions most commonly taken against your industry. You know the assets that store sensitive data and the data flow within your environment. If you don’t – get on that. You also know your own incident and data-loss history. Use your own knowledge combined with the data from our report; they complement each other.

First-time reader?

Don’t be shy—welcome to the party. As always, this report is comprised of real-world data breaches and security incidents—either investigated by us or provided by one of our outstanding data contributors.

The statements you will read in the pages that follow are data-driven, either by the incident corpus that is the foundation of this publication, or by non-incident datasets contributed by several security vendors.

We combat bias by utilizing these types of data as opposed to surveys, and collecting similar data from multiple sources. We use analysis of non-incident datasets to enrich and support our incident and breach findings. Alas, as with any security report, some level of bias does remain, which we discuss in Appendix D.
