Data breach reality check

In searching for information relating to GDPR and privacy for next month's awareness module, I bumped into the Business Continuity Institute's Horizon Scan 2017 report.

The report's headline data come from a survey of 666 business continuity and risk management professionals from Europe and North America (mostly), concerning their perceptions about threats and incidents ... and immediately a few issues spring out at me.

First of all, the survey population is naturally biased given their field of expertise: although sizable, this was clearly not a random sample. As with all professionals, they probably overemphasize the things that matter most to them, meaning serious incidents that actually or are believed to threaten to disrupt their organizations. It's no surprise at all that 88% of BC pro's are concerned or extremely concerned about "cyber attack" - if anything, I wonder what planet the remaining 12% inhabit! On the other hand, BC pro's ought to know what they are talking about, so their opinions are credible ... just not as much as hard, factual data concerning the actual incidents.

On that score, this year's report provides information on actual incidents:

"A new metric introduced in the BCI Horizon Scan Report measures actual disruption levels caused by the threats listed in figure 1 in order to provide a comparison against organizations’ concerns. Figure 2 shows a contrast between the levels of disruption caused by a particular threat and how concerned an organization is about it. The study shows the actual causes of business disruption slightly differ from the threats practitioners list as significant concerns. The top causes of business disruption according to the same respondents include unplanned IT and telecommunications outages (72%), adverse weather (43%), interruption to utility supply (40%), cyber attacks (35%) and security incidents (24%)."

The discrepancy between BC pros' perceptions and reality is quite marked. I'll come back to that in a moment.

Second, the way incidents (and/or threats - the report is somewhat ambiguous over the difference) are described puzzles me.  Here are the top 7, ranked according to the proportion of respondents who claimed to be "extremely concerned":

1. Cyber attack (e.g. malware, denial of service) 
2. Data breach (i.e. loss or theft of confidential information) 
3. Unplanned IT and telecom outages 
4. Security incident (e.g. vandalism, theft, fraud, protest) 
5. Adverse weather (e.g. windstorm, flooding, snow, drought) 
6. Interruption to utility supply (i.e. water, gas, electricity) 
7. Act of terrorism

These are indistinct, overlapping categories - for example #1 and #2 often occur together, and both often accompany other categories such as #3, #5 and #6. #2 "Data breach" is a specific type of incident outcome with a huge variety of causes, ranging from deliberate attacks by outsiders or insiders, to accidental disclosures and ineptitude, plus thefts of IT equipment and storage media ... speaking of which #4 "Security incident" in fact refers to physical security incidents, judging by the examples.

#7 "Act of terrorism" seems way too high on the list for me ... but whether that's because I am fortunate enough to live and work in a tranquil backwater, or because the terrorists are winning (creating terror, even among supposedly level-headed BC pro's!), or is a genuine reflection of the threat level, I can't easily tell.

The top 7 actual causes of incidents tells a rather different story to the list above:

1. Unplanned IT and telecom outages 
2. Adverse weather (e.g. windstorm/tornado, flooding, snow, drought) 
3. Interruption to utility supply (i.e. water, gas, electricity, waste disposal) 
4. Cyber attack (e.g. malware, denial of service) 
5. Security incident (e.g. vandalism, theft, fraud, protest) 
6. Transport network disruption 
7. Availability of talents/key skills (e.g. ‘bench strength’)

"Cyber attack", the #1 perceived threat, turns out to be #4 on the actual causes.  "Data breach" drops way down from #2 perceived to #8 in actuality, while transport disruption and lack of talents/key skills appear to be significant risks that are not perceived as such. "Act of terrorism" comes in at a more realistic (but still far too high, as far as I'm concerned) #13 on the actual causes.

Those discrepancies seem to indicate serious problems with the risk identification and assessment processes used by BC pro's for BCM purposes, which in turn are presumably being used to plan and prioritize BC activities ... or do they? One could argue that actual incidents are historically based, while BC pro's are paid for their expertise in predicting the future - professional soothsayers you could say. Hmmm.  Food for thought there.

Moving to the report's conclusions, I'm impressed to see this issue picked out in black and white as the first item:

"1. Organizations need to focus on the objective appraisal of threats and their particular impacts.

This year’s report has highlighted some gaps between the level of concern and actual disruptions caused by various threats. For example, the study noted significantly high levels of concern over cyber attacks and data breach which may be influenced by increased media coverage. Business disruptions nonetheless are still mainly driven by other threats such as unplanned IT and telecom outages and adverse weather. As such, organizations need to continually look at the business impacts of various threats and deploy appropriate tactics to become more resilient."

Well said! It would be interesting to explore why there are such marked discrepancies between perception and reality among BC pro's, since that would be an obvious handle to improve the alignment if appropriate (conceivably the BC pro's are right after all - perhaps we'll see changes in the actual causes in future reports!).

Anyway, back to the plot, the survey inspired the following graphic that we'll include in the awareness content (citing the source, of course):