For the past few years, data breaches have been increasing massively, rising in both frequency and scope. 2011 used to be known as the “Year of the Data Breach”. Then came 2013, when data breaches overshadowed those of previous years so much that Symantec took to calling it the “Year of the Mega Data Breach”. Last year, in 2014, we saw many large-scale breaches hit big companies around the world. The impact was global and devastating to many. As a result of the recurring breaches, including one high-profile case involving Sony, President Obama proposed a broad-ranging cybersecurity protection plan for the US that would see businesses and government sharing threat data and working together to prevent malicious attacks and prosecute those behind them. The data collected through such attacks ranges from personal communication to customer records and intellectual property. Every breach is damaging to users, clients, infrastructure and overall brand identity. Some of the more prominent breaches:
Sony was hit with a major attack that had the whole company on its knees for several days until it could find and plug the hole. The breach allegedly came after Sony announced the launch of the movie “The Interview” about North Korea and its leader, but more likely evidence points to the attack coming from an internal source: disgruntled, code-savvy employees known as “hacktivists”. Wired has a good article with more details about it under the headline “Sony Got Hacked Hard: What We Know and Don’t Know So Far”.
This year, AT&T had a breach in which data from about 280,000 customers was stolen from its call centers and sold to third parties. These breaches were caused by internal workers who stole names, Social Security numbers and other information. AT&T had to pay a record-breaking $25 million fine to settle a complaint filed by the Federal Communications Commission (FCC). More information can be found in The New York Times article “F.C.C. Fines AT&T $25 Million for Privacy Breach”.
Besides those, JPMorgan Chase, P.F. Chang’s, Snapchat and many others have experienced large security breaches within the last year that directly affected the people whose data was exposed.
What does this mean?
Security breaches won’t be stopping anytime soon. By the end of April 2015, a little over 270 breaches had already been recorded in the US alone, exposing more than 100 million records in total. The full report and current numbers for breaches in the US can be found in the 2015 ITRC Data Breach Reports.
At the 2015 RSA conference in San Francisco, RSA president Amit Yoran held an exhilarating keynote entitled “Escaping Security’s Dark Ages” where he stated:
“You don’t have to be much of a visionary to see that 2015 will become the ‘Year of the Super Mega Breach’. 2014 was yet another reminder that we are losing this contest.”
After hearing this statement, you might want to ask yourself:
Why do these data breaches happen?
Over the past year, 25% of data breaches involved system glitches, which include both IT and business process failures; 44% of incidents involved a malicious or criminal attack; and 31% concerned negligent employees. (Source: Abstracta)
Will it happen to me?
There is a 19% probability of a data breach over the next two years if your company handles a minimum of 10,000 records. It has to be mentioned, though, that some industries are more exposed than others. The highest risk is found in the public sector, where the probability of incurring a data breach is 23.8%, while even the Energy and Utilities sector has a risk as high as 7.5%. (Source: Abstracta)
How much could a data breach cost?
According to InformationWeek, it takes a large organization on average 31 days, at a cost of $20,000 per day, to clean up and remediate after a cyberattack, a figure that has increased by 23% year-over-year. (Source: Dark Reading)
The Ponemon Institute, an international research institute that measures trust in privacy and security, released a report in May 2014, sponsored by IBM, called the “2014 Cost of Data Breach Study”. In their findings they revealed some common global trends:
– The cost of a data breach is on the rise. Most countries saw an uptick in both the cost per stolen or lost record and the average total cost of a breach.
– Fewer customers remain loyal after a breach, particularly in the financial services industry.
– For many countries, malicious or criminal attacks have taken the top spot as the root cause of data breaches experienced by participating companies.
– For the first time, research reveals that having business continuity management involved in the remediation of a breach can help reduce the cost.
However, the per-record data breach cost within heavily regulated industries is substantially higher in most cases. This includes industries such as healthcare, transportation, education, energy, financial services, communications, pharmaceuticals and industrial companies.
What is a starting point to safeguard myself?
Testing how well your security measures actually perform is a good starting point. Once you know where you stand, ask yourself these questions:
– Does my company have any difficulty maintaining compliance due to human error in access controls, users with too much access, or orphaned accounts? What regulations does my company have to follow? SOX? ISO 27001? Any others? Is my company able to meet those requirements in a timely and cost-effective manner?
– Do information owners in my company always grant the correct level of access to resources for both internal and external users? How is security managed, and by whom? Am I in control of my users, their access rights and possible segregation-of-duties (SoD) conflicts? Can I control and properly safeguard privileged accounts?
To evaluate your user and access management situation, go through the IAM Checklist for a more complete list of concerns.