Think breaches are passé? Then here's some sobering news: since 2013, more than 3.6 billion data records have been exposed, according to Gemalto, which has been benchmarking publicly disclosed data breaches since then for its annual Breach Level Index.
This year's index found that malicious outsiders accounted for 58 percent, or 964, of the 1,673 breaches counted and 38 percent of the 707 million records exposed during 2015. As in 2014, the primary type of breach was identity theft, accounting for 53 percent of breaches and 40 percent of compromised records.
Jason Hart, vice president and chief technology officer (CTO) for data protection at Gemalto, told SCMagazine.com that surprising among the findings was “the shift in attack data type” from credit card and payment data to personal information and identity theft.
Stolen credit card data “can be resolved pretty quickly,” said Hart, while other forms of identity “are a lot harder for individuals and organizations” to remedy. “It leads to a long series of attacks.”
Attackers are increasingly aiming their attacks at distributed environments like healthcare (19 percent) and government (43 percent), which have “high inputs and outputs,” Hart said. “They have more ways to get in. It's a huge attack vector.”
And down the road, that identity theft can be used to compromise data integrity, which could cause organizations—and society—a world of hurt. “I could just log in and log out of systems and alter the integrity of data,” said Hart.
Accidental loss or exposure of data records continued to be a problem in 2015, serving as the source for 36 percent of records. And state-sponsored attacks, which drew a lot of attention and analysis last year, were behind only two percent of the breaches and exposed 15 percent of the records. Breaches caused by malicious insiders were 14 percent of the total and compromised seven percent of the records that were exposed.
Not surprisingly, the lion's share (77 percent) of the breaches in the index occurred in North America and 50 percent of the records compromised were in the U.S. Only 12 percent of breaches occurred in Europe while the Asia Pacific came in third, accounting for eight percent of breaches.
Basic hygiene is missing, and basic security best practices are bypassed. “We're finding that the basics of information security, the core principles, are not adhered to,” Hart said, suggesting that two-factor authentication, for example, should be mandatory to protect the confidentiality of data while encryption could safeguard its integrity.
To counter breaches, Hart suggested that it is time for organizations to move away from breach prevention and toward what he called “breach acceptance,” which would help them better manage incidents.
“You're never going to prevent breaches,” he said. “But if you get people to accept that, then they can sit back, and determine what data would cause their business the biggest pain,” then take steps to ensure its confidentiality, integrity, accountability and auditability.
But first, he said, businesses need to understand what data they have, where it's located and the processes it's subjected to before they can apply the proper controls.