Data breaches, in one form or another, occur every single day. In fact, 2016 was a record-breaking year for data breaches, with more than 1,000 reported breaches that impacted U.S. consumers.
How have data breaches changed over the years, and what measures have been taken to prevent them? What more can be done? What can you do to protect your business information and the information of your customers?
Yesterday & Today
The Privacy Rights Clearinghouse has compiled a master list of data breach incidents in the U.S. since 2005. As of this writing, there are more than 7,000 entries on that list. Then as now, hacking is a common cause of data breaches. And the sheer number of people impacted—as well as the ways they’re impacted—can be staggering.
The differences between old cases and new ones lie largely in the number of incidents taking place and the difficulty of calculating just how many people are affected. Some of the most serious hacking cases have happened in the past few years:
- 38 million Adobe software users had their financial and personal information stolen in 2013, leading to a $1.1M settlement in 2015.
- In February 2015, a data breach at Anthem Insurance led to the theft of personal information for 78.8 million customers.
- In 2014, a data breach at Home Depot involved the credit and debit card information of an estimated 56 million customers.
These are just a few examples, but perhaps they give you a view of where we’ve been and where we are.
How Hackers Strike
One of the most famous consumer data security breaches took place during the Christmas season of 2013. Credit and debit card information for 40 million people was exposed to hackers, along with the email and mailing addresses of about 70 million. According to a report from Network World, hackers were able to infiltrate Target’s network by stealing network credentials from a business partner. Those responsible for the Home Depot hacking incident used the same method.
J.P. Morgan’s information breach was caused when hackers broke into a server that didn’t use two-factor authentication, the report noted.
Another common way that hackers gain access to information is through “phishing” emails. About 20% of untrained users fall for these emails. Even 1-9% of trained users fall for them.
Web malware also ranks high as a preferred tool for hackers. Network World states that pharmaceutical and chemical companies are the most common targets for web malware.
Counting the Costs for Business
A 2016 research report from the Ponemon Institute found that the cost per compromised record for organizations in the United States that experienced a data breach was, on average, $221. This was a 2% increase over the preceding year and is much higher than the global average of $158.
While the number of data breaches faced by organizations has gone down quite a bit in recent years, the individual breaches tend to affect more customers and be more costly to remedy.
The report also found that U.S. organizations were among the best at decreasing the costs of data security breaches through strong security postures, incident response plans, the appointment of a CISO, and the use of outside consultants during data breach remediation.
U.S. companies were among those who spent the most on notification of a breach, the report noted, including the creation of contact databases, determination of the regulatory requirements, the alerting of victims, and the engagement of consultants.
The industries that are the most susceptible to breaches and spend the most money fixing them are financial services and technology.
In 2005, the U.S. Justice Department released its first report on cyber-crime attacks against businesses. At that time, of 7,818 businesses surveyed, 67% said they’d experienced at least one cybercrime incident per year. This number has since skyrocketed, with businesses reporting an average of two cyber attacks per year.
In 2010, the Obama administration began a review of the federal cyber-security policies, the Wired article notes. A subsequent report stated that the problem of cybercrime is not going to be solved by technology alone, but by educated users who employ sound practices.
Recent cyber attacks have led to proposed legislation, including The Personal Data Protection and Breach Accountability Act of 2014, introduced by Senator Richard Blumenthal. While this bill was ultimately not enacted, public demand for increased criminal liability for cybercriminals as well as those who fail to report breaches makes it likely that similar legislation will continue to come before Congress. Proposed laws have even included provisions allowing individuals to sue companies after their personal information is compromised.
The Role of Big Data in Cyber Security
In a number of industries, the use of big data is helping in the arena of cybersecurity. For example, as reported by RigZone, the oil and gas industries—hoping to gain greater efficiencies through automation and wireless operations—are facing more and more ways that their information and that of their customers can be compromised. Those companies are finding that protecting information on the cloud is a different problem entirely from protecting a physical building.
The savvy use of big data, however, will soon enable these companies to find and fix their vulnerabilities before hackers do. And what about the differences between protecting a physical building and protecting personal information on the cloud? Addressing those differences at the same time isn’t just a matter of convenience. In an industry threatened on several levels, and by many forces, it’s a necessity.
The big push, then, becomes how to analyze the data. And that relies on having people who are trained to do so, something that this industry and others are hard-pressed to find outside of Silicon Valley and New York City.
Protecting Your Customers’ Information
Education is one of the most important ways that businesses can protect the personal information of their customers. We’re not talking about the Silicon Valley type of education, but about a set of policies governing access to secure files, use of the internet, BYOD, and other employment practices. Companies should also have a disaster recovery plan that governs the response to a number of incidents that businesses face, including data security breaches.
Managed IT services can provide you with expert-level protection and monitoring against cyber attacks and can arm you with best-in-class protection tools, including anti-virus software and anti-malware.