In follow-up to their 2011 Data Breach Investigation Report, which we've talked about, Verizon's Wade Baker has put together an interesting post about a conundrum in the security field: that it takes criminals to find crime. Essentially, the post outlines how it's often fraud committed using stolen data that triggers the breach discovery process.
Although it is rare (5%) for data breaches to take years to discover, breaches involving IP or classified data, as opposed to consumer data, are particularly at risk. The report found that, for breaches of IP or classified data, 44% took years or longer to discover. Years.
Why? It is almost certainly because such data is not used for post-breach fraud like payment card and personally identifiable information. Instead, you look up a couple years later and wonder at the surprising similarity between your gizmo and the enhanced version your competitor just launched. The ironic truth is that without the help of the credit card companies and their comparatively mature and effective fraud detection mechanisms, we’re left to our own devices. And that, my friends, spells trouble.
So yes, based on this data, it does appear that fraud helps companies reactively improve their security by showing them what problems they have, years before those issues would have been discovered without the fraud.