gosh, 90% of us companies are breached?

90% of US companies have been breached!
90% of US companies hacked!
90% of US companies have been victims of cyber attacks!

These are the sorts of headlines coming out of a survey by Ponemon sponsored by Juniper, named (for reasons that are unclear) “Perceptions About Network Security.” [pdf] These are also the sorts of headlines that I immediately question, namely: “What is your definition of a cyber attack/breach?” Sadly, the report doesn’t answer this question, but it does hint that any sort of security incident counts, even if it happened to someone else who had some information from your company (i.e. the Epsilon email ‘marketing’ breach) or some workstation issue which is never defined. Normally, I wouldn’t even bother posting about the survey, but I keep seeing those stupid headlines mentioned at the top…

Ok, fine, page 6 does start to hint at the sorts of incidents we’re talking about in Bar Chart 8 where “malware” is featured in 5 of the 8 breach causes. I’m sorry, but largely incidental malware attacks don’t necessarily count as “cyber attacks” or “breaches” to me. (Yes, I understand that is arguable, in fact, that’s my point.) The same goes for lost or stolen laptops. Far too many of those incidents are going to be non-targeted crimes of opportunity.

I do buy that 90% of companies probably do suffer computer insecurity incidents. I just dislike the sensational tone so many headlines are taking. Like 90% of them are pwned and attacked and being stolen from by attackers in targeted incidents. Hell, the number should be 100%.

I had more to post, but it’s just all me complaining about the report being misleading, laughably funny in other places, supportive in the obvious places (no shit, complexity and resources are challenges?), and having a few concluding recommendations based on weak supporting evidence (e.g. 2 leading questions). None of that helps anyone, so I excised it. 🙂