When you have bad data, you quickly run out of things to do with it. When you have great data, the more you examine it, the more questions it prompts. Take, for example, the updated statistics on third-party notification -- 52% of breaches at large enterprises and 23% at small enterprises were first noticed by unrelated third parties, and almost all of those were cases of espionage. (This doesn't include breaches that were detected by common point-of-purchase fraud detection, by the way; those are considered to be related parties.)
First of all, you would think that the larger percentage would be at smaller enterprises; aren't they the ones who are less likely to be able to find things themselves? On the other hand, espionage probably targets larger enterprises, so maybe it makes more sense the way it is.
But there's a third thought buried in here: Could it be that more breaches are discovered by unrelated third parties because of the growth of threat intelligence overall? If you put more intelligence in the hands of central traffic nodes such as ISPs, then they're bound to find more in what they're already seeing. And if there are more threat intelligence vendors, then they are more likely to contact enterprises when they see indicators of compromise that they already know from other cases. So this increase might actually be a good sign.
One more heretical thought: The DBIR doesn't contain any information about the failures of organizations to detect their own breaches. Is it that they weren't doing any monitoring? Were they monitoring, but just not doing it very well? Or did they have all the latest and greatest security monitoring tools, but they didn't actually work?
I'm just going to leave that out there for the next round of drinks.
Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.