Introduction to industries

This year we collected 157,525 incidents and 108,069 breaches. That may sound impressive until you realize that 100,000+ of those breaches were credentials of individual users being compromised to target bank accounts, cloud services, etc. We break those out into the Secondary motive subset in the Incident classification patterns and subsets section. After filtering for quality and subsetting, we are left with the incidents and breaches in Table 1.

Our annual statement on what not to do with this breakout will now follow. Do not utilize this to judge one industry over another; a security staffer from an Administrative organization waving this in the face of their peer from the Financial sector and trash-talking is a big no-no. The number of breaches or incidents that we examine is heavily influenced by our contributors. These numbers simply serve to give you an idea of what we have to “work with,” and is part of our pledge to the community to be transparent about the sourcing of the data we use in the report.

Figures 51 and 52 come with yet another warning. The numbers shown here are simply intended to help you to get your bearings with regard to industry. The smaller the numbers in a column, the less confidence we can provide in any statistic derived from that column.

For example, there are 35 total assets involved in Construction (NAICS 23) breaches. Of those, multiple assets may be contained in a single breach meaning there are potentially fewer breaches (25) than our asset count. Considering how few breaches we have in this sector, our confidence in any statistic derived from them will be relatively low. However, in an attempt to bring our readers information on more industries, we have upped our statistical game. For example, instead of making a statement such as “64% of Construction breaches involved a server,” we would state “between 44% and 82% of breaches in Construction involved servers.” This is not an attempt to be coy,³⁹ we simply want to give you as much information as possible without being misleading, and in industries with such a small sample, that means using statistical ranges. You may notice something similar in bar charts where the black median dot is removed. Please keep an eye out for the “Data Analysis Notes” at the bottom of the Summary table chart in each section. We will be pointing out things such as small sample sizes and other caveats there. Check out the Methodology section for more information on the statistical confidence background used throughout this report.

Another improvement on this year’s report is that we have standardized our control recommendations through a mapping between VERIS and the CIS Controls. Each industry will have a “Top Controls” list on their Summary table. You can find more details about our mapping in our CIS Critical Security Control recommendations section.