Introduction to Industries

If you are a long-time reader this introduction may be redundant, but for new readers it is worth perusing. This year we looked at 23,896 incidents, which boiled down to 5,212 confirmed data breaches. As always, we break these incidents and breaches into their respective industries to illustrate that all industries are not created equal. At least not when it comes to attack surfaces and threats. The type of attacks suffered by a particular industry will have a great deal to do with what infrastructure they rely upon, what data they handle, and how people (customers, employees, and everyone else) interact with them.

A large organization whose business model focuses entirely on mobile devices where their customers use an app on their phone will have different risks than a small Mom and Pop shop with no internet presence, but who use a point-of-sale vendor that manages their systems for them. The infrastructure, and conversely the attack surface, largely drives the risk.

Therefore, we caution our readers not to make inferences about the security posture (or lack thereof) of a particular sector based on how many breaches or incidents their industry reports. These numbers are heavily influenced by several factors, including data breach reporting laws and partner visibility. Because of this, some of the industries have very low numbers, and as with any small sample, we must caution readers that our confidence in any statistics derived from a small number must also be less. 

When examining industries with a small sample, we will provide ranges where the actual value may reside. This allows us to maintain our confidence interval while giving you an idea of what the actual number might be, given a large enough sample. For example, instead of stating “In the Accommodation industry, 92% of attacks were financially motivated,” we might state that “financially motivated attacks ranged between 86% and 100%.” Check out our riveting Methodology section for far more information about the statistical confidence background used throughout this report.

If you are reading this only for a glimpse of your industry, our recommendation is to verify what the top Patterns are on the summary table accompanying each industry and also spend some time with those Pattern sections. In addition, we provide a description of what Critical Security Controls (CSC) to prioritize in each industry section for ease of reading if you want to get straight to strategizing your security moves.