Victim demographics and industry analysis

  • The data set for this report totals over 100,000 incidents, 101,168 to be exact. After we removed the subsets that were detailed in the prior section, and applied minimum complexity filters, the data set used for core analysis is established. Table 2 is the representation of that data set broken out by industry and organization size, when known. Our annual statement on what not to do with this breakout will now follow. Do not utilize this to judge one industry over another – so a security staffer from a construction organization waving this in the face of their peer from the financial sector and trash-talking is a big no-no.


  • Our community of contributors, disclosure requirements, and the population sizes for the industries all play a major part in the numbers above. The actual threat landscapes for organizations are better depicted in Figure 39. This shows what types of attack patterns are more common to your industry, along with breakouts for threat action categories and affected assets. We will explore deeper into the breach jungle, machete in hand, in the individual industry sections.

    Before you flip/scroll over to your industry section, we have aligned several non-incident data sources to industry that are worth your while to peruse first.

    As we break down industries we see, for example, in Figure 40 how FMSE incidents disproportionately affect Professional Services, Healthcare and Finance, while more point of sale-centric industries appear towards the bottom of the list. However, it’s clear that FMSE incidents affect all industries, so all organizations need to be trained and prepared to prevent them.

  • Figure 40
  • Phishing

    Figure 41 ranks the click rates per industry for sanctioned security awareness training exercises. This data was provided by several vendors in this space, and merged together for analysis. While we realize we were relatively strict earlier about curtailing trash talk on the above Table, feel free to use this for some good-natured banter on an as-needed basis. Just be sure to keep it at an appropriate level. “Not looking so hot anymore for someone who works outside, Construction” is approximately the correct amount of snark (trust us, we are experts). On a positive note, all industries are clocking in with percentages that are less than the overall percentage in this study 2 years ago. So, this calls for much rejoicing.

  • Figure 41
  • Denial of Service

    Over time DDoS attacks have been getting much more tightly clumped with regard to size (similar to Manufacturing in Figure 42). However, as other industries illustrate, that is not always the case. Some industries, Information for instance, experience attacks across a much wider range. Another important takeaway is that the median DDoS doesn’t change much from industry to industry. The difference between the biggest and smallest industry median is 800Mbps and 400Kpps.

  • Figure 42
  • What’s your vector, Victor?

    Figure 43 takes a look at the median percentage of malware vectors and file types per industry; in other words, it helps you know where to look for the malware that’s coming into your organization and what it will most likely look like. First of all, the majority of initial malware is delivered by email. Secondary infections are downloaded by the initial malware, or directly installed and, as such, are more difficult for network tools to spot. Secondly, though it varies a bit by industry, Office documents and Windows applications are the most common vehicles for the malware along with "Other" (archives, PDFs, DLLs, links, and Flash/iOS/Apple/Linux/Android apps).

  • Figure 43