Interesting Data about Data Breaches
In a recent ESG Research survey, we asked security professionals at enterprise organizations (i.e., 1,000 employees or more) whether their organization had suffered a data breach within the last year. Here are the results:
- Yes, several incidents: 11%
- Yes, one incident: 23%
- No: 63%
- Don't know: 3%
My analysis:
- In total, 34% of these enterprise organizations suffered at least one breach. This is consistent with other ESG Research surveys over the past 5 years, indicating that the data breach problem is not getting any better.
- Curiously, organizations that must comply with more than three government or industry regulations suffered more breaches (19% of those organizations surveyed suffered more than one breach) than those that must comply with fewer than three government or industry regulations (6% of those surveyed suffered more than one breach). The obvious explanation is that the definition of a data breach is driven by regulatory compliance, so the more compliance mandates an organization faces, the more potential data breach incidents it must report. This makes logical sense, but there is also an underlying cause for concern. Those organizations mandated to comply with many government and industry regulations tend to be the biggest organizations, with matching IT and security budgets. If this is true, then the data indicates that large security budgets and resources do not necessarily equate to fewer data breaches.
- Thirty percent of federal, state, and local government organizations suffered more than one data breach over the past year. This is significantly higher than the cumulative average of 11%.
Read more of Jon's blog entries at Insecure About Security.