The daily data breach report seems like a weather report. It happens every day. Perhaps we should add it to the evening news as a standard feature – news, sports, weather, data breach. That’s why we now have a “Data Breach Industry.”
According to the Identity Theft Resource Center, so far in 2015 there have been 424 confirmed US data breaches impacting medical, government, education, business and financial entities. The number of records exposed – 129,648,467 – seems like a big number, until you realize that about 90% of breaches list record quantities as “unknown”. In effect, “We know we’ve been hacked. We just don’t know what’s been taken.”
The fact that hackers are hard at work isn’t a revelation. From Citibank to Trump Hotels and the US Government Office of Personnel Management (OPM), we hear about the big ones. Many jeopardize our personal information and inconvenience us directly – the CVS photo site was down for days. But smaller enterprises are vulnerable as well, like Betterbee, a site for beekeepers, and Sweaty Bands, a retailer of headbands. These aren’t the sorts of businesses you might expect to have sophisticated security. Of course, there are some you might think would fare better, like EMC, the parent of a major security firm.
So it isn’t just that the hackers are at work. It’s that anyone and everyone is potentially at risk. So much so that we now have “The Data Breach Industry” report from Experian, alongside Verizon’s annual “Data Breach Investigations Report.” (You can tell it’s established when it has an acronym – DBIR.) The Verizon report cites 80,000 security incidents in 61 countries leading to at least 2000 data breaches and 700 million compromised records. In dollar terms they estimate the costs at over $400 million.
Verizon has been publishing their report annually since 2008 and this year’s security breach industry winners were the same as last year – public, technology/information and financial. The report is filled with interesting and truly scary data. For example, there’s a big gap between the time that a breach happens and the time it’s discovered – witness the OPM breach that reportedly continued for months. They also estimate that as much as 70% of attacks are aimed at a secondary victim: for example, hacking a website in order to get hold of its visitors’ information.
For Experian this is their second annual report and they list six data breach predictions for 2015.
- As more secure “Chip and Pin” credit card technology is mandated for October 2015, retailers can expect a surge in breaches looking to beat the tighter security.
- Increased use of cloud technologies will invite more hacks on individual passwords and will require better plans for universal resets.
- Healthcare, already a big target, will see increased hacking activity because the data has become so valuable on the black market. Security will need to be strengthened and federal regulations may well be in greater play.
- Responsibility for data breaches will shift from IT departments to business leaders, who will be expected to have plans that treat data security as a corporate priority.
- Employee mistakes continue to be one of the biggest threats. Training and retraining is a necessity.
- The Internet of Things is rising as a new and little-understood threat – but it’s likely to be big.
The Identity Theft Center has been publishing their report since 2005. It’s essentially a compilation of breaches, updated weekly, that profiles specifics on targets and impacted records. This is a non-profit group with a mission to help consumers, businesses and law enforcement address data breaches and data security. That includes working with those who are impacted to recover from the adverse impacts.
Taken together, the three reports outline a severely alarming trend that threatens every enterprise and every individual. It’s complex and growing. What’s impressive about the Verizon report is that while they’re the publisher, about 70 other companies involved in data security are supporting the effort. They’re the “good guys”, competitors sharing information and helping with ongoing collaborations. Perhaps that’s an indication of just how seriously the problems should now be viewed.
We’ll be talking about these issues more often in conversations with customers and prospects because we believe we have some powerful capabilities that help. Stay tuned – or just ask us.