Ransomware is a large problem for this sector, with financially motivated attackers utilizing it to target a wide array of government entities. Misdelivery and Misconfiguration errors also persist in this sector.
- Frequency: 6,843 incidents, 346 with confirmed data disclosure
- Top patterns: Miscellaneous Errors, Web Applications, and Everything Else represent 73% of breaches
- Threat actors: External (59%), Internal (43%), Multiple (2%), Partner (1%) (breaches)
- Actor motives: Financial (75%), Espionage (19%), Fun (3%) (breaches)
- Data compromised: Personal (51%), Other (34%), Credentials (33%), Internal (14%) (breaches)
- Top controls: Implement a Security Awareness and Training Program (CSC 17), Boundary Defense (CSC 12), Secure Configurations (CSC 5, CSC 11)
2020 DBIR
Public Administration
I Can See Clearly Now
The Public Administration sector is an illustration of what good contributor visibility into an industry looks like. The bulk of our data in this vertical comes from contributors inside the United States federal government who have a finger on the pulse of data breaches inside Public Administration. As we have stated elsewhere in this report, in order to meet the threshold for our definition of a data breach, the compromise of the confidentiality aspect of data must be confirmed. However, reporting requirements for government are such that run-of-the-mill malware infections or simple policy violations still must be disclosed. Therefore, we see an inordinately large number of incidents and a correspondingly small number of breaches.
The attack patterns in this sector differ depending on whether we look at breaches or incidents. The top three patterns for breaches are Miscellaneous Errors, Web Applications attacks, and Everything Else. For incidents, the top three are Crimeware (malware attacks), Lost and Stolen Assets, and Everything Else.
With regard to malware in the incident dataset, Figure 92 indicates that Ransomware is by far the most common, with 61% of the malware cases. This malware is most commonly downloaded by other malware, or directly installed by the actor after system access has been gained. However, ransomware isn’t typically an attack that results in a confidentiality breach. Rather, it is an integrity breach due to installation of the software, and an availability breach once the victim’s system is encrypted. Thus, these attacks do not typically appear when we discuss data breaches.
The same is true of Lost and Stolen Assets. These are unencrypted devices; otherwise they wouldn’t even be considered at risk of a data breach. Unless, of course, the decryption key is also lost at the same time in human-readable format (before you jeer, keep in mind, we have actually seen this). The data on these devices is most likely protected only by a password, and is therefore counted as at-risk in our dataset, not as a confirmed data breach.
In the red corner, Miscellaneous Errors is the most prominent pattern in this industry when looking at confirmed data breaches. Figure 93 shows us that Misdelivery remains a big problem for the public sector. This is when sensitive information goes to the wrong recipient. It may be via electronic means, such as emails that are misaddressed, or it may be old fashioned paper documents. Those mass mailings (and nobody can hold a candle to the volume of paper sent out by government entities) where the envelopes and their contents become out of sync can be a serious problem.
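The mass-mailing failure described above (envelopes and contents drifting out of sync) can be caught before the batch leaves the building if each envelope and each content sheet carries the addressee ID it was generated for, and the two sequences are reconciled in insertion order. The following is an added example, not code from the report or from any contributor; the batch data, the ID format and the function names are constructed for illustration.

```python
# Constructed sample batch (not data from the report): the addressee ID
# printed on each envelope and on each content sheet, in insertion order.
# One content sheet (A1003) was skipped, so every later sheet would land in
# the wrong envelope and be delivered to the wrong person.
ENVELOPES = ["A1001", "A1002", "A1003", "A1004", "A1005", "A1006"]
CONTENTS = ["A1001", "A1002", "A1004", "A1005", "A1006", "A1007"]


def first_divergence(envelopes, contents):
    """Index of the first position whose envelope and content IDs differ.

    Returns None when the two sequences agree all the way through. A length
    mismatch with no earlier difference counts as divergence at the point
    where the shorter sequence ends.
    """
    for i, (env, cont) in enumerate(zip(envelopes, contents)):
        if env != cont:
            return i
    if len(envelopes) != len(contents):
        return min(len(envelopes), len(contents))
    return None


def reconcile(envelopes, contents):
    """Summarize how far a batch has drifted and which pieces are missing or extra.

    A single skipped or duplicated sheet shifts everything after it, so the
    count of mismatched positions is usually far larger than the number of
    actual production faults; the missing/unexpected sets point at the fault.
    """
    pairs = list(zip(envelopes, contents))
    mismatched = sum(1 for env, cont in pairs if env != cont)
    env_set, cont_set = set(envelopes), set(contents)
    return {
        "first_divergence": first_divergence(envelopes, contents),
        "mismatched": mismatched,
        # Envelopes whose content never appears: the dropped sheet(s).
        "missing_contents": sorted(env_set - cont_set),
        # Content sheets with no matching envelope in this batch.
        "unexpected_contents": sorted(cont_set - env_set),
        # Any drift at all means the batch must be held, not mailed.
        "hold_for_review": mismatched > 0 or len(envelopes) != len(contents),
    }


if __name__ == "__main__":
    report = reconcile(ENVELOPES, CONTENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check deliberately reports the first divergence separately from the total mismatch count: operators need to know where the run went wrong, while the mismatch count tells them how many pieces would have been misdelivered had the batch shipped. The same pairing idea applies to electronic delivery, where the "envelope" is the recipient address and the "content" is the document's intended recipient.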
In the blue corner, weighing in at 30% of breaches, we have Misconfiguration, the other contender for the top variety of Error. A Misconfiguration data breach is when someone (usually a system administrator or someone in another privileged technical role) spins up a datastore in the cloud without the security measures in place to protect the data from unauthorized access. There are security researchers out there who spend their time looking for just this kind of opportunity. If you build it, they will come.
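The Misconfiguration breach described above typically comes down to one access-policy statement that grants anonymous principals read access to a cloud datastore. Below is an added example, not code from the report or from any cloud provider, of a configuration check that parses bucket policies written in the IAM policy-document shape and flags Allow statements whose Principal is everyone. The two policy documents, the bucket name and the account ID are constructed placeholders.

```python
import json

# Constructed sample policies (not from the report). Bucket name and account
# ID are placeholders. OPEN_POLICY is the weak setting: anyone on the internet
# can list and read the bucket. LOCKED_POLICY restricts reads to one role and
# keeps the only anonymous statement as a Deny.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-records-bucket",
                     "arn:aws:s3:::example-records-bucket/*"],
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }, {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _as_list(value):
    """Policy elements may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True if the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for key in principal for p in _as_list(principal[key]))
    return False


def find_public_statements(policy_json):
    """Return findings for every Allow statement that grants anonymous access.

    A statement with a Condition block is still reported, but marked as
    conditional so a reviewer can decide whether the condition really narrows
    the audience (some conditions, such as a source-IP range, do; others do not).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements aimed at "*" are hardening, not exposure
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings


def is_publicly_accessible(policy_json):
    """True if at least one unconditional Allow targets anonymous principals."""
    return any(not f["conditional"] for f in find_public_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("OPEN_POLICY", OPEN_POLICY), ("LOCKED_POLICY", LOCKED_POLICY)):
        print(name, "public" if is_publicly_accessible(policy) else "not public",
              find_public_statements(policy))
```

This check only reads the resource policy; it does not evaluate object ACLs, NotPrincipal, or account-level public-access blocking, so treat a "not public" result as one input to the review, not as proof. The stronger control is to block public access at the account level so that a single mistaken statement like PublicRead cannot take effect at all.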
Looking back at changes from last year to this, the top three patterns have altered composition quite a lot. The 2019 report showed the top three breach patterns as Cyber Espionage, Miscellaneous Errors and Privilege Misuse. You can see the difference in the rankings in Figure 94. Both Cyber-Espionage and Privilege Misuse declined in our dataset overall this year, and have dropped into the single digit percentages in this sector.
[42] Well, except for these ugly tattoos we got on a dare last year.