I Can See Clearly Now
The Public Administration sector is an illustration of what good contributor visibility into an industry looks like. The bulk of our data in this vertical comes from contributors inside the United States federal government who have a finger on the pulse of data breaches inside Public Administration. As we have stated elsewhere in this report, in order to meet the threshold for our definition of a data breach, the compromise of the confidentiality aspect of data must be confirmed. However, reporting requirements for government are such that run-of-the-mill malware infections or simple policy violations still must be disclosed. Therefore, we see an inordinately large number of incidents and a correspondingly small number of breaches.
The difference shows up in the attack patterns for this sector. For breaches, the top three patterns are Miscellaneous Errors, Web Applications attacks, and Everything Else. For incidents, the top three patterns are Crimeware (malware attacks), Lost and Stolen Assets, and Everything Else.
With regard to malware in the incident dataset, Figure 92 indicates that Ransomware is by far the most common, with 61% of the malware cases. This malware is most commonly downloaded by other malware, or directly installed by the actor after system access has been gained. However, ransomware isn’t typically an attack that results in a confidentiality breach. Rather, it is an integrity breach due to installation of the software, and an availability breach once the victim’s system is encrypted. Thus, these attacks do not typically appear when we discuss data breaches.
The same is true of Lost and Stolen Assets. These are unencrypted devices, or they wouldn’t even be considered at risk of a data breach, unless, of course, the decryption key is also lost at the same time in human-readable format (before you jeer, keep in mind, we have actually seen this). The data on these devices is most likely protected only by a password, and is therefore considered at-risk in our dataset, and not a confirmed data breach.