A cursory look at some of the numbers on data breaches can be misleading. For instance, while there were just 400 reported cases of data breaches over the course of 2014, compared to 500 per year from 2010 through 2013, this is not indicative of a better cyber security environment. Experts believe that the trend is toward fewer worse incidents and more moderately severe data breaches. Furthermore, attacks are growing in terms of sophistication and funding, meaning many breaches are not even discovered, or are discovered only after the fact. Here are the realities regarding today’s data breaches.
Most Data Breaches Don’t Actually Happen Through Overt Outsider Attacks
If you think that hackers working from the outside are to blame for most attacks, you aren’t aware of the number of insider attacks, both intentional and accidental, that take place. Insider attacks can take one of three forms:
• An incidental leaking of data by a careless worker
• An incidental leaking of data by an untrained or ignorant worker
• An intentional attack by an angry or disgruntled worker
Most Data Breaches Aren’t Conducted Using Malware
Most security efforts are focused on malware detection. But the most data is actually leaked through lost or stolen devices, with lost devices sitting as the ruling class. Lost laptops, mobile devices, and thumb drives leak more sensitive data than overt data breaches using malware do. This means that stronger mobile use policies and better technologies for wiping data from lost devices are perhaps a better plan than investing more in malware detection. Solid policies for reporting lost devices, as well as smart disposal of hardware, are essential.
Most Data Breaches Aren’t Levied Against Retailers
Retailers like Target, Michaels, and Neiman Marcus make the most headlines, but healthcare is the number one focus of most attacks these days. Healthcare is followed by education, government, retail, finance, the service industry, banking, technology, and insurance — in that order.
Most Data Breaches Aren’t Announced
In some cases, notifying the public and/or affected consumers is mandated by law. But many cases involve breaches that aren’t demanded by the government. In those cases, it’s up to the discretion of the company whether to announce the breach, and many do not. Some companies either ignore the incident or issue a generalized warning to their customers, such as a generic email recommending recommended password changes or perhaps a regular review of their credit reports to discover any potential leaks.
Most Data Breaches Aren’t Just After Personally Identifiable Information
Headlines would also lead us to believe that most hackers are after Personally Identifiable Information (PII) on consumers. The reality is, due to all of the massive data breaches (both announced an unannounced), the market for this kind of info is actually quite flooded. The price on the black market for these records has fallen from an average of $4 per record to just $1. Incidentally, the black market for payment card information (credit, debit, etc.) is also flooded. Uber accounts, however, are in hot demand. Today’s data breaches most often target financial information, health identities, login credentials (so that hackers can break into targets with higher payouts), and educational identities.
Many companies are opting to shift the responsibility for their data out of their own hands into the more capable hands of a cloud service. Cloud service providers usually have more training and better means for securing sensitive and valuable business data than most companies do. To find out about the security you can get from the Full Metal Cloud, see our products.