- Dave Nelson, CISSP, is president and CEO at Integrity.
Information security professionals and business leaders from around the state will converge on Ankeny on Oct. 4 for the fifth annual Secure Iowa Conference. There will be sessions on digital forensics, developing information security programs, and everything in between. (Attendance is free and you can register at www.secureiowaconference.com.)
A theme in many of the presentations will be the rise of specific attacks. Presenters will discuss the nature of current threats against companies and technology platforms. Attendees will hear from the FBI about the types of cybersecurity attacks they are seeing, specifically in Iowa.
What I wish we had, though, were better statistics. We’ve got data, statistics, analysis of big data and so on to prove any narrative we want to espouse. The problem is, we can’t believe all of it.
The reason isn’t that the data is faulty or inaccurate. The problem is that the data is incomplete. We are missing huge, and I mean huge, chunks of data about breaches.
The Verizon Data Breach Investigation Report has been published for a decade now. In the last report they even noted that some statistics may be skewed because a firm that participated in previous reports did not participate this year. That firm specializes in a certain type of breach, and therefore a lot of that data is missing from this year’s report.
Because of these large chunks of missing data, we don’t truly know how many unpatched servers were compromised or how many incidents actually resulted in a breach. The vast majority of incidents are never reported.
Think of it this way: Are you going to call the police every time you have a virus outbreak that takes a system offline or encrypts your files? Probably not, but it was a reportable security incident that would affect breach statistics. Are you going to call the FBI when someone sneaks a peek at personnel records to see what salary everyone on the team makes? Doubtful, but that’s still a security incident.
Millions of these events go unreported each year because they don’t result in much, if any, monetary damage, because you simply handled the issue in-house, or because you didn’t want the potential media exposure.
Don’t get me wrong, cybersecurity is absolutely a huge problem and we are under attack every minute of every day. The evidence we have suggests things are getting worse. I just hate to say for sure how much worse or in what ways when we don’t have all the data.
So I’m going to ask for your help. When you have a security incident, file a report with the FBI at www.ic3.gov. Most of these cases will never be investigated. However, the information you provide will help us have better statistics about the types and sources of attacks we are facing today. This will only help in determining the best way to overcome our adversaries.