A review of Gemalto’s 2016 Breach Level Index report

In a world dominated by big data, the risks associated with data breaches have been escalating. The exponential growth of data shows no sign of slowing and, as we enter the era of the Internet of Things, the number of connected devices is predicted to reach 200 billion by 2020 – that’s an average of 26 devices for each person on the planet.

Cyber-crime has rapidly become one of the leading challenges facing commercial and government organisations alike. In a digitally aware environment, you would think that data protection would be a priority. Sadly, the numbers tell a different story.

A summary of the Breach Level Index report findings

Between 2013 and 2014, the number of lost or stolen records rose from 575 million to 1 billion. In 2015 the number fell to 707 million but, if you thought this was the beginning of a ‘tightening of the defences’, you’d be sorely mistaken. In its 2016 Breach Level Index report, Gemalto revealed that last year saw an 86% increase to 1.37 billion.

Since 2013, the Breach Level Index has recorded over 7 billion lost or stolen records. That’s an average of 4.5 million every day. Whilst the total number of breach incidents increased by just 7% year on year, the average number of records per breach rose by 82% to 769,257.

The threat landscape has changed significantly in the space of a year, with ‘malicious outsiders’ responsible for more than two thirds (68%) of all incidents and accounting for more than three quarters (76%) of the total number of records involved.

The reasons why? Primarily identity theft or financial gain. However, there was a rise in ‘account access’ breaches at some major websites – including the media streaming services Daily Motion and 17 Media. Somewhat more embarrassing for some were the high-profile breaches at fling.com and Adult Friend Finder.

There seems to be a general lack of ‘data vigilance’ amongst major organisations. This is surprising, given our understanding of big data and the value we place on it. Senior IT executives and other board-level stakeholders should adopt a security-first approach to data.

The more security-aware organisations take note of breaches and constantly review their own strategies to assess their risk profile and ask the question “Could this happen to us?” Beyond this, they mandate the inclusion of data security in all business plans, from all business units, to ensure everyone is aware of their data protection responsibilities.

The 2016 Breach Level Index report reveals that healthcare, government, financial services, technology and retail continue to be the prime targets for cyber criminals. The number of healthcare breaches was up 10.8% on the previous year – accounting for more than a quarter of all breaches. However, the numbers are a little fuzzy as many of the breaches did not reveal the volume of records lost.

The financial services sector is an interesting case. Although the number of breaches fell by 22.5% on the previous year, the number of records lost or stolen saw a massive 1,000% increase – up from 1.1 million in 2015 to 13.3 million in 2016. This demonstrates a worrying trend as cyber criminals aim for larger data hauls.

Changing the data protection dynamic

What we find most worrying is the apparent lack of incentive to change the data protection dynamic. In a world where we have become dependent upon an inherently insecure infrastructure to protect data in motion, not enough organisations are taking steps to reduce the value of the data being lost or stolen.

Last year just 75 of the 1,792 known breaches involved encrypted data; that’s a mere 4.2%. The perceived value of the data is what makes it most attractive to cyber-criminals, as they can use it to exert influence over individuals or organisations – or simply sell it on the black market. Encryption renders the data worthless.

There needs to be a fundamental shift in network data protection strategy: a move away from breach prevention (breaches are inevitable) towards securing the breach, so that what is taken has no value. Gemalto advocates a three-step approach – encrypt the data, secure the keys and control user access.
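The two paragraphs above make a concrete, testable claim: if stored records are encrypted, the keys are held somewhere other than the datastore, and only authorised principals may use those keys, then a dump of the datastore alone gives an attacker nothing usable. The following is an added illustration of that three-step model, written for this review and not Gemalto's own code or any product API. The `Datastore`, `KeyStore`, `Store`, `Load` and `Dump` names, the principal `billing-service` and the sample card number are all constructed for the example; the cryptography is Go's standard-library AES-256-GCM, with the record id bound as associated data so a ciphertext cannot be silently moved between rows.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Datastore holds ciphertext only. This is what a breach of the database yields.
type Datastore struct {
	rows map[string][]byte // value layout: nonce || AES-GCM ciphertext+tag
}

// KeyStore stands in for a separate key-management system (hypothetical).
// It holds the data-encryption key and the list of principals allowed to use it.
type KeyStore struct {
	key     []byte
	allowed map[string]bool
}

var ErrAccessDenied = errors.New("access denied: principal not permitted to use key")

// NewKeyStore generates a fresh 256-bit key and records which principals may use it.
func NewKeyStore(allowed []string) (*KeyStore, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks := &KeyStore{key: k, allowed: map[string]bool{}}
	for _, p := range allowed {
		ks.allowed[p] = true
	}
	return ks, nil
}

// aead enforces "control user access" before handing out a usable cipher.
func (ks *KeyStore) aead(principal string) (cipher.AEAD, error) {
	if !ks.allowed[principal] {
		return nil, ErrAccessDenied
	}
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext under the key store's key and writes only ciphertext.
func Store(ds *Datastore, ks *KeyStore, principal, id string, plaintext []byte) error {
	g, err := ks.aead(principal)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(id)) // id as associated data
	ds.rows[id] = append(nonce, ct...)
	return nil
}

// Load decrypts a record; it fails on a denied principal, tampering or a moved row.
func Load(ds *Datastore, ks *KeyStore, principal, id string) ([]byte, error) {
	g, err := ks.aead(principal)
	if err != nil {
		return nil, err
	}
	blob, ok := ds.rows[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("corrupt record")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// Dump simulates an attacker exfiltrating the whole datastore without the key store.
func Dump(ds *Datastore) map[string][]byte { return ds.rows }

// LeaksPlaintext reports whether any dumped row still contains the secret bytes.
func LeaksPlaintext(dump map[string][]byte, secret []byte) bool {
	for _, v := range dump {
		if bytes.Contains(v, secret) {
			return true
		}
	}
	return false
}

func main() {
	ks, _ := NewKeyStore([]string{"billing-service"})
	ds := &Datastore{rows: map[string][]byte{}}
	secret := []byte("4111 1111 1111 1111") // constructed sample value
	_ = Store(ds, ks, "billing-service", "cust-42", secret)
	fmt.Println("dump leaks plaintext:", LeaksPlaintext(Dump(ds), secret))
	_, err := Load(ds, ks, "intern", "cust-42")
	fmt.Println("unauthorised load:", err)
}
```

The design point is the separation: the datastore never sees the key, the key store never sees the data, and every decryption is gated on an access decision. Losing the datastore then matches the report's 4.2% of breaches that "involved encrypted data" rather than the other 95.8%.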

It sounds simple enough, so why are more organisations not doing it? Perhaps it’s because the costs associated with securing the breach have seemed too high, or the penalties associated with a successful breach too low.

In the past, this may have been true. However, the price of high-assurance encryption solutions has come down in recent years and there is no longer an argument that encryption at Layer 2 impacts on network performance or bandwidth availability.

Also, the introduction of new regulations like the GDPR in Europe sets a new standard for data protection legislation. Under the new rules, organisations that suffer a breach could face significant financial penalties – up to €20 million or 4% of annual revenue (whichever is higher).

The cost of a breach goes beyond immediate financial penalties to impact on new revenue opportunities, customer loyalty, compliance obligations and brand reputation. With the stakes this high, perhaps the 2017 Breach Level Index will have better news.

For more information on high-assurance encryption solutions, visit our product pages.