Sep 23 2015

Corporate Data Falls Victim to Hacking, Insider Leaks and Negligence

Ten years of data show that malicious and non-malicious actors drive data breaches within retail, financial services and healthcare.

Despite a drop in reported incidents in 2014, the U.S. private sector remains plagued by data breaches.

“As the Internet expands and new applications are introduced, businesses are steadily growing their online presence, leading to an increase in hacking or malware attacks against them,” states a new report from Trend Micro.

“Follow the Data: Analyzing Breaches by Industry” draws from Privacy Rights Clearinghouse (PRC) data collected between 2005 and 2015. It reveals a jump in cyberattacks that began in 2010 and continued through 2014, when organizations may either have heightened cybersecurity or stopped reporting certain incidents.

The Trend Micro analysis indicates that 81.3 percent of all disclosed incidents took place in one of five sectors: retail, financial services, healthcare, education and government.

Within the healthcare and finance industries, personally identifiable information (PII) and health or financial data appeared particularly vulnerable to the loss or theft of notebooks, office computers and other portable devices.

While retail also struggled to maintain the security of names, addresses, Social Security numbers, birth dates and other PII, that sector attributed the majority of its breaches (47.6 percent) to hacking or malware.

Portable device loss and malicious software were not the only threats, however. According to a second Trend Micro report, “Follow the Data: Dissecting Data Breaches and Debunking Myths,” organizations featured in the 2005–2015 PRC database also experienced data loss due to unintended disclosure or insider leaks. Those causes represented 17.4 percent and 12 percent of breaches, respectively.

Whatever their source, breaches represent a huge expense for U.S. corporations. The Ponemon Institute’s “2015 Cost of Data Breach Study: United States” finds that data breaches cost companies an average of $217 per compromised record. That figure dropped to $198 if the breach resulted from human error but rose to $230 if it stemmed from a malicious or criminal attack. In 2015, losses added up to a total average organizational cost of $6.53 million.

To help companies get ahead of costly data breaches, the Council on CyberSecurity recommends staying up-to-date on a list of Critical Security Controls, which includes the following best practices:

  1. Actively manage an inventory of authorized and unauthorized hardware and software
  2. Establish, implement and actively manage secure configurations of hardware and software
  3. Continuously assess for and remediate vulnerabilities

“Follow the Data: Dissecting Data Breaches and Debunking Myths” offers one last suggestion for enterprises at large:

It is crucial to build public awareness of the risks and repercussions of sensitive data getting compromised. Heightened awareness will lead to increased caution and the pressure will mount on federal governments and businesses or organizations to come up with effective and permanent solutions.
