Verizon's 2012 Data Breach Investigations Report was just released and here are my quick thoughts:
While there was an increase in the number of breaches, the good news is that 97% of breaches were avoidable through simple or intermediate controls. There is a low barrier to entry to pull off the majority of these breaches, with 96% of attacks not particularly difficult to execute. In fact, I have yet to see any credible reports linking more than single-digit percentages to advanced attacks, and the report shows that 79% of victims were targets of opportunity, indicating that organizations don't really have to be a big target, or even on an attacker's radar, to be hit. Bottom line: if you are vulnerable, you can expect to be exploited. The good news, though, is that this also means organizations can significantly reduce their risk through proper vulnerability management, educating users, and implementing network-based access control lists.
With some controls in place, organizations should improve on the statistic that 85% of breaches took weeks or more to discover and 92% of incidents were discovered by a third party. The truth is there are organizations who have been compromised for over a year and don't realize it. At least the hacktivists let people know when an organization had been breached by them! Many organizations are breached and customers are never aware that their data has been compromised.
Check out the full report here: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf