Event Verizon: DBIR Gives Risk Management in Two Numbers
May 6th, 2014
Anyone who ever told you not to judge a book by its cover never picked up a copy of Verizon's latest Data Breach Investigations Report (DBIR).
The 2014 edition of the benchmark yearly volume covers 57 pages of text and 1,367 discrete breaches among 63,437 security incidents in 2013, yet the most important two numbers are lifted right from the cover: 92 and nine.
Of the more than 100,000 incidents investigated in the decade that Verizon has published the report, 92 percent fall within nine attack patterns.
The lesson to draw? Despite how overwhelming the task of enterprise cyber security might seem, whether you're a Fortune 500 firm or a single-doctor office, smart risk management, even at the broadest level, can go a long way in cyber security.
Since 2008, the cyber security team at Verizon has delighted cyber professionals with their insight, wit and data slicing skills. The yearly report is required reading for anyone in IT. It's smart alecky in parts, just plain smart throughout and, all in all, an invaluable and entertaining read for cyber professionals, IT or, frankly, anyone whose life is at all impacted by computing, which is to say everyone up to and including the cryogenically frozen.
Yet its most useful data point is right on its front.
Of the 100,000 incidents reviewed in the past decade, 92 percent belong to nine attack patterns.
At its heart, cyber security is about lowering your risk profile. Short of locking your servers in a room like something out of "Mission Impossible," absolute protection isn't achievable. And even the secure facility in "Mission Impossible" would be vulnerable to insider attacks and/or Tom Cruise. But having a broad understanding of how to get the most impact out of your efforts is an invaluable tool.
After all, most IT environments and the cyber-eenos dedicated to protecting those environments are overwhelmed by the massive amounts of data that whiz through their networks. How do you protect the overall enterprise in a cost-effective manner? Where do you start? What security controls should be applied first? How to focus in on the essence and enable the most effective controls? How indeed?
Now, Verizon has held a large candle up in this room of darkness and has categorized a massive amount of data into bite-size chunks that cyber professionals can consume bit by bit (literally).
These are the nine patterns:
Bringing even further good news to the party—they have also produced actionable information—by characterizing these patterns by frequency of occurrence by industry. Hence, if you are in healthcare for instance, you get hit right between the eyes by this summary: "46% of healthcare industry security incidents involve theft or loss of protected data." (No other industry has more than 19 percent of their security incidents attributable to this category. So, why is healthcare failing? Simply put, lack of encryption. Industries that have embraced encrypting all protected data being stored or transmitted have substantially smaller amounts of data leakage via this method.)
On the other hand, retail is hit quite often with POS issues (which, across all sectors, account for 31 percent of all incidents), but that is not the leading attack pattern overall. That dubious honor goes to DoS at 33 percent.
But remember, in terms of risk management, if 64 percent of all security incidents reported industry-wide are in only two categories, then that becomes an obvious place to start when designing security controls to mitigate those risks. Retail is all about conducting secure transactions. Knowing the top two attack vectors narrows the defense focus. Healthcare is about encryption. The report is full of other useful examples to broadly understand what you, as an IT user, are up against.
Thus, the DBIR, in addition to simply being a good read, is a beacon when trying to understand the specific issues peer organizations in a specific industry are facing.
As the 2014 DBIR shows, the attack profiles change year to year, but by remaining vigilant and understanding the unique industry trends that emerge, it is possible to greatly reduce the risk of data compromise without completely blowing a limited IT budget.
Start aligning your resources where the attack patterns are. Consider a cyber security assessment to identify common risks. Treat cyber security as you do medicine, and understand that it is cheaper and more beneficial to approach it with a preventative mindset, rather than treating it after a disease or an attack has ensued.
Courtesy of Verizon, start on page 1. Literally.
The opinions expressed in this blog post are the writer's own and may not reflect NJVC, LLC. NJVC is not implying endorsement or association with Verizon. To visit Verizon's site and download a copy of the report, click here.