Are Data Breaches Increasing?
It seems like every other day, news breaks about another data breach at a major organization. There’s a good reason for that — the frequency and severity of data breaches are increasing at an alarming rate. It’s not only big companies that experience cybersecurity incidents though. Small- and medium-sized businesses are targeted too. Although much of the news coverage focuses on larger companies, 60 percent of targeted attacks impact small-to-medium-sized organizations.
According to a study conducted by the Ponemon Institute and sponsored by IBM, the average breach in 2018 involved 24,615 records globally and 31,465 records in the United States during the 12 months the study reviewed. The study also found that the average size of a data breach rose by 2.2 percent in 2018.
Over the past two years, the number of data incidents reported to the Information Commissioner’s Office (ICO), the UK’s data security authority, increased by 75 percent. In the United States in 2017, the number of significant breaches totaled more than 1,300 compared to less than 200 in 2005.
Clearly, data breaches are increasing. Let’s take a look at their impacts, why they’re occurring and what we can do to prevent them.
The Background of Data Breaches
Data breaches can have severe and long-lasting impacts on the companies that experience them. They can cause significant direct financial impacts and can also cause damage to a company’s reputation.
1. Direct Financial Impacts
According to the Ponemon and IBM study, a typical business data breach costs the affected company $3.86 million, a 6.4 percent increase from 2017's $3.62 million. The cost of each stolen or lost record containing sensitive, confidential information averaged $148 in 2018, a 4.8 percent increase over the previous year's average.
The cost of a breach varies from region to region. In the United States, breaches tend to be the most costly. They cost an average of $7.91 million, and providing notification of a breach costs about $740,000.
2. Lost Business
Data breaches also impact companies through lost business. Any time a data security incident occurs, some customers are likely to take their business elsewhere. Companies in the U.S. lose about $4.2 million worth of business after a breach. This number is higher in the U.S. than it is for other countries, perhaps because American consumers have so many other options and acquiring new customers tends to cost more in the U.S.
3. Stock Decline and Market Value
Businesses that experience a breach also tend to see decreases in their market value. The companies studied for the Ponemon and Centrify report saw their stock price decline by an average of five percent immediately after they disclosed the breach. Over the long term, companies may see their market value fall by as much as three percent due to a data security incident, according to researchers from the University of North Carolina at Chapel Hill's Kenan-Flagler Business School.
4. Reputational Damage
The impacts that data breaches have on a company’s reputation are harder to quantify, but the financial impacts suggest that they can be severe. Many marketing officers and IT professionals feel that loss in brand value is the most significant cost of a security incident. Both groups also believe that data security incidents pose a major threat to the company’s reputation and brand value.
Why Are Data Breaches Happening?
Why are there so many data breaches occurring? As we use more technology and put more of our information online, the number of potential vulnerabilities grows. This means that companies have to invest increasing amounts of resources into protecting their data.
Data breaches can either be accidental and caused by human error or the result of a deliberate attack. In non-deliberate incidents, someone may accidentally lose or damage data or leave it unprotected and publicly accessible.
According to a report conducted by corporate investigations and risk consulting firm Kroll, 2,000 of the incidents reported to the ICO last year were caused by human error, while 292 were the result of a deliberate attack. The Ponemon-IBM study, however, found that malicious or criminal acts caused 48 percent of all breaches.
There are numerous ways that someone could accidentally cause a data breach. Of the 2,000 incidents cited in the Kroll study, 447 occurred because of an email that someone sent to the wrong recipients. More than 400 were the result of faxing or mailing a document to the wrong recipient.
Another 438 happened because of lost or stolen paperwork, so some of these incidents were accidental and some may have been deliberate. Someone could also cause a data security incident by losing a device that holds sensitive unencrypted data, or by having one stolen.
Someone who accidentally causes a data breach may be more likely to cause another one in the future. An analysis of the 142 healthcare data breaches that occurred from April through June 2018 revealed that 30 percent were caused by someone who had also caused a previous incident. This shows how vital proper training and reporting are for people who handle sensitive data.
1. Deliberate Cyber Attacks
Some data breaches are caused deliberately through stealing physical documents or through cyber-related means. These cyber attacks may be sophisticated, especially if they impact large organizations. Often, though, they are relatively simple and take advantage of existing system vulnerabilities.
2. Stealing Passwords
One of the most common ways that hackers get into businesses' networks is by stealing password or account information, or by tricking users into handing over this information through tactics such as phishing emails, malware and social engineering. In 2016, these types of attacks caused over 50 percent of data breaches. Although these attacks start with the account information of just one user, once the attacker is in the system, they may start using other methods to do more damage and steal more information.
3. Weak Access Control
Hackers might also steal data by exploiting weaknesses in where data is stored or how it is transferred. As more employees bring their own devices to work and use them to access company data, this risk increases if staff do not take extra security precautions when using them. A hacker may also conduct a man-in-the-middle attack on Wi-Fi networks that do not have security measures such as WPA2 encryption in place.
4. Technical and Architectural Vulnerabilities
Hackers can also exploit technical and architectural weaknesses in a company's network. Some of these attacks, such as zero-day attacks, are quite sophisticated. Others take advantage of relatively simple flaws, such as the security team forgetting to apply a patch or other security measure to one of the company's servers. Once a hacker gets into one server, they may be able to move on to the others and cause extensive damage.
5. Third Parties
A company is only as secure as its weakest link, and this also applies to the third parties it works with. If a hacker finds a vulnerability in the system of one of your suppliers, partners or contractors, it may eventually enable them to access your information.
In 2013, for example, Target suffered a massive breach after an HVAC company contracting with Target was hit with a malware attack. That incident enabled hackers to access Target’s point-of-sale systems and steal the personal information of 70 million customers. This isn’t the only example. In Ponemon’s 2017 Data Risk in the Third-Party Ecosystem report, 56 percent of respondents reported that they had experienced a third-party breach, as compared to 49 percent the previous year.
The impacts of these attacks are worsened by the fact that it can be difficult to detect and contain them. In 2018, it took an average of 197 days to identify a breach and an average of 69 days to contain it.
6. Lack of Data Regulation and Protection
A lack of data regulations and protections may have worsened the problem in recent years. Because of a lack of reporting requirements, breaches may also have been underreported, meaning that there were actually more breaches than it seemed. Now, though, federal and state governments are introducing more stringent and comprehensive regulations.
The most comprehensive piece of data protection legislation is the General Data Protection Regulation (GDPR) from the European Union. The regulation went into force in May 2018. The main goal of the law is to give consumers more control over their data. It applies to companies in the EU as well as any companies that handle the personal information of individuals in the EU.
Under the GDPR, companies must have a lawful basis for collecting or using personal data; where that basis is consent, the request must be clear and easy to access, and consumers have the right to withdraw their consent. They also have the right to access their personal data, get information about how companies are using it and have it erased. If a breach occurs, GDPR requires that companies notify the supervisory authority within 72 hours of becoming aware of it, and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them.
Organizations that don’t comply with GDPR can be fined a maximum of €20 million, equal to about $22.7 million, or four percent of annual global turnover, whichever is greater.
It seems that the United States may soon adopt rules that are similar to GDPR. In June 2018, California signed into law the California Consumer Privacy Act (CCPA), a bill in the same vein as GDPR. Several other states have implemented new laws or updated existing laws as well. The federal government may even be considering more stringent data protection laws.
How Can I Protect My Company?
Because of the prevalence and severity of the cybersecurity threats that exist today, it’s crucial that businesses take steps to protect themselves from data breaches. The steps you can take include the following:
1. Define a Security Policy
Every business, from the smallest to the largest, should have a data security plan. In this plan, include how you will prevent data breaches from occurring and how you will respond if one does occur. Improving your security posture by creating a strategy will help you minimize your risk, recover more quickly if an incident occurs and will show customers and regulators that you take network security seriously.
2. Educate Employees
Providing training and education to employees who handle data is crucial to protecting your information. Make sure everyone understands your security policies and provide training on how to identify network security risks, how to manage data safely and what to do should they discover a security concern. Update your staff regularly on the latest cybersecurity developments.
3. Use the Right Security Technology
Using the right security technology can also play a significant role in protecting your company from security risks. Use firewalls, antivirus software and other tools. Make sure all software, not just security tools, is kept up to date. Outdated software may be more vulnerable to attacks. To avoid letting software become outdated, consider changing your settings so that it updates automatically.
4. Conduct Regular Testing
Conducting a network vulnerability assessment will help you to identify opportunities to improve your security. It’s vital that you regularly perform risk assessment tests, penetration tests and other assessments to help you find any new vulnerabilities that might arise.
5. Manage Access and Authentication
Have rules in place that require employees to use strong, unique passwords. Note that current NIST guidance (SP 800-63B) recommends screening passwords against lists of known-breached passwords rather than forcing routine rotation, and changing them when a compromise is suspected. You should also use two-factor authentication, which requires both a password and another form of identity verification such as a one-time code generated on an employee's phone or a fingerprint. It is also crucial that you reset passwords if you spot a security concern and disable the accounts of employees who leave your organization.
6. Hold Third Party Vendors to High Standards
It's essential to manage the security of your own systems, but it's equally crucial that you ensure any third-party vendors you work with also have appropriate security measures in place. Discuss your security requirements before you start working with another company so that you both know what's expected.
7. Create BYOD Rules
If employees use their own devices at work, have rules in place that require them to use a password or PIN code. You can also use mobile device management services to ensure security while still allowing staff to use their devices.
8. Data Minimization
Another way to reduce risk is data minimization, reducing the amount of sensitive information you collect. To accomplish this, only collect what you need, store your data in fewer places, only give employees access to data when necessary, keep track of who has access to information and delete data when you no longer need it.
Protect Your Business With Consolidated Technologies, Inc.
A data breach can have severe consequences for small and medium-sized businesses. As the threat of these security incidents rises, it’s becoming increasingly critical that companies take steps to protect themselves.
Consolidated Technologies, Inc. can help your company improve its security posture. We can help you to develop a security strategy, assess your risks, deploy security technologies, ensure compliance with regulations and more. We even offer comprehensive managed security. We can help you to protect every aspect of your business from the perimeter to voice technology and traffic.
Keep your network safe with Consolidated Technologies, Inc. Contact us today to receive a free security consultation.