When it comes to data security breaches, 2016 was yet another year that many governance, risk and compliance (GRC) executives will not remember fondly. The year saw almost 1.4 billion data records lost or stolen, up 86 percent from 2015, according to a comprehensive analysis of security breaches conducted by Gemalto through data collected in its Breach Level Index (BLI). Every year seems to have its own unique trends when it comes to data security breaches, and 2016 was no exception. Here are the key takeaways for the GRC community:
According to the BLI, malicious outsiders such as hackers and cyber criminals were by far the leading source of data breaches in 2016. Once again, identity theft was the most common type of breach. Of the industry sectors, health care was easily the hardest hit with breaches. And in terms of geography, the United States and North America had by far the largest numbers of disclosed breaches during the year.
Given that in some cases the number of lost and stolen records involved in a breach is not disclosed, the actual total might be a lot higher. In other instances, as with Yahoo!, it can take years for companies to identify or disclose a breach. But the numbers that are available on breaches and records stolen in 2016 are eye-opening, once again showing that cybersecurity efforts are not preventing these attacks from being successful.
Consider that 936 out of the 1,792 breaches involved an unknown number of data records, because the information was not publicly available in the breach disclosure. This is noteworthy, as it represents the difficulty of knowing exactly how many people’s records have been affected. Breach disclosure laws only require certain things, such as informing people if they have been affected.
Also consider, out of all the data breaches, only 4.2 percent were “secure breaches” where encryption rendered the stolen data useless. In some of these instances, the password was encrypted, but other information was left unencrypted, indicating there is still more education needed to teach organizations how they can better protect themselves.
The 2016 data breach landscape highlights a number of major cybercrime trends. Hackers are casting a wider net and are using easily-attainable account and identity information as a starting point for high-value targets, as well as shifting from attacks targeted at financial organizations to infiltrating large databases belonging to entertainment and social media sites. AdultFriendFinder, Fling, DailyMotion and 17 Media were all large database attacks that made the shortlist of top-scoring breaches in 2016. There was a major increase in breaches of these sites, involving ransom requests and threats of leaking private information about their users. By going after this personal data, cyber criminals can extort victims and/or organizations into paying fees in order to avoid having sensitive information made public. This is a new way for fraudsters to maximize their return on investment and create new revenue streams. The personal information in these databases can also serve as a gateway for further attacks. For example, hackers recently stole millions of dollars in Bitcoin starting with just phone numbers.
While significant distributed denial of service (DDoS) attacks garnered a lot of attention on the corporate security front in 2016, a number of companies, including health care providers, utilities and others were willing to pay ransoms to avoid losing data or having systems shut down, showing that ransomware attacks are also having an impact on businesses.
Knowing exactly where their data resides and who has access to it will help enterprises outline security strategies based on data categories that make the most sense for their organizations. Encryption and authentication are no longer “best practices,” but necessities. Security executives, along with their counterparts in IT, GRC and business, need to be at the forefront of developing effective programs that layer security at multiple levels — particularly the protection of the data itself. By doing this, they can help their organizations protect themselves and their customers. This is especially true given that new and updated government mandates, such as the upcoming General Data Protection Regulation (GDPR) in Europe, U.S. state-based breach disclosure laws and APAC country-based breach disclosure laws, are all aimed at increasing transparency around data breaches and protecting people’s right to privacy. For many countries, this is the tip of the iceberg, with the U.S. currently making up the majority of all disclosed breaches. As these regulations go into effect, you can expect to see a significant jump in the number of publicly disclosed data breaches and compromised records.
Jason Hart is CTO for Data Protection at Gemalto. As a former ethical hacker with decades of experience in the information security industry, Hart has used his knowledge and expertise to create technologies that ensure organizations stay one step ahead of the risks presented by ongoing advances of cyber threats. He is currently responsible for developing Gemalto’s encryption and crypto management offerings.
Hart has published numerous articles and white papers, and he often appears as an expert adviser on cybersecurity issues on national TV – on BBC, CNN and CNBC, among other major news networks – and on radio and in print media. In addition, he regularly provides advice on information security matters to governments, law enforcement agencies and military organizations, and he is vice chairman of E-Crime Wales.