10 Years of Data Breaches Mark Vulnerable Businesses
Looking back at the cybercrime incidents of the past 10 years, only the questions of "if" and "when" remain. If a business has no active cybersecurity policy and processes even a few hundred rich customer records, "when" comes soon enough.
For the past 10 years, at least eight large-scale data breaches per year have shaken economies. You'd imagine that as business owners, we would have learned the immense value of the digital data we hold. The Ponemon Institute puts the average data breach at 25,575 records, at an average cost of $150 per record. That is money you would pay in damages, in government fines and potentially in customer lawsuits. In one breach the attackers walk away with email addresses and passwords; in another, with a whole container of digital biographies: credit card details, passport scans and home addresses. What's ironic is that in my conversations with executives about cybersecurity implementation, scare tactics don't work unless I factually prove their business can be at risk. Let's talk about yours.
In 2018, a Hiscox study of 4,000 organizations from the U.S., U.K., Germany, Spain and the Netherlands found that 73 percent were unprepared for a cyberattack. As you'll see in a moment, our cybersecurity consciousness remains immature: in 2019 alone, even giants like Facebook, Capital One and the Federal Emergency Management Agency were breached. To find out whether your company is ready for a heist, I'd always recommend a security audit that goes beyond the purely digital. But the first step is often a leap of faith: admitting that there might be a problem. Here's something that will help.
The Most Vulnerable Markets Revealed
My team researched the biggest breaches registered between 2009 and 2019 to reveal which businesses are at the greatest risk. Although it is in the public's interest to know about all of them, many breaches understandably remain underreported, so the figures below are a floor, not a ceiling. Analyzing 252 qualifying incidents listed on Wikipedia, here's what we found:
1. From 2009 to 2019, businesses lost a staggering number of over 7.7 billion data records.
That volume includes databases from big names such as First American, JP Morgan Chase and Under Armour. Yahoo's 2013 breach, in which over three billion accounts were compromised, remains the biggest on the list. Other recognizable businesses that fell victim to cybercrime are Facebook, eBay, Marriott International and Quora.
2. 65.07 percent of breaches occurred in the market of web services.
It might seem a conundrum. Why do web services specifically get targeted more than any other market? Haven't we come far enough in cybersecurity that the websites we use daily should be secure by now? No. Most of the time, they remain the weakest link for a business. Even two-factor authentication, the latest security measure you might recognize, can be bypassed, for instance by a phishing page that relays the one-time code to the real site in real time. With our clients, we see that there's no designated person to maintain the web service. Periodic check-ups aren't enough: between them, crucial security updates get skipped, and brute-force (password-guessing) attacks run undetected against the login form on the main page or on one of the landing pages, which are often built with website builders that offer no protection against such attacks.
Of course, digital threats don't end there. We've seen attacks where hackers went after servers directly, or intercepted payment-terminal communications, as happened with Supervalu in 2014. But because a company's website is often itself a product and changes constantly, there's a real risk that sooner or later a change opens a hole that serves as a backdoor, unless the site is placed under continuous protection as a whole.
3. 160 breaches resulted from hacks, 29 from poor security, and in 20 cases the data was lost or stolen.
Remember that cybersecurity is also a management issue that goes beyond technology. It is dangerous to assume your assets are safe because the vendors of products like G Suite bear the responsibility. One of the greatest security flaws is the mismanagement of security. Without an administrator's oversight, how certain are you that people outside your organization don't have access to your cloud files? That's one reason why, in the last decade, there were 20 cases where the data disappeared without a trace. With the same unauthorized access slipping under the Board's radar, some employees extracted intel, perhaps as payback.
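The "undetected" part is the fixable one: even a site you cannot patch today writes an access log, and a brute-force attempt against a login form leaves an obvious signature in it. The script below is an added example, not code from the original article or from any particular vendor. It assumes the common/combined log format written by nginx and Apache, that the login form posts to `/login`, and that a failed attempt is answered with HTTP 401 or 403; those constants, and the sample log lines, are constructed for the example and should be adjusted to your own site.

```python
"""Flag brute-force login attempts in web-server access logs.

Added example, not code from the original article. Assumptions: the log is in
the common/combined format used by nginx and Apache, the site's login form
posts to LOGIN_PATH, and a failed login is answered with a status in
FAIL_STATUSES. Adjust those constants for your own site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/login"          # assumption: where the login form posts
FAIL_STATUSES = {401, 403}     # assumption: how a failed login is answered
WINDOW = timedelta(minutes=5)  # sliding window per source IP
THRESHOLD = 10                 # failed logins inside WINDOW that trigger an alert


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each offending IP to (first failure in window, failure that tripped the alert, count).

    Lines are expected in chronological order per IP, which is how servers write them.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed logins still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if rec["status"] not in FAIL_STATUSES:
            continue                       # successful login or redirect: not a failure
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()                    # slide the window forward
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = (q[0], rec["ts"], len(q))
    return alerts


# --- constructed sample data (not a real log) -------------------------------
def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

_T0 = datetime(2019, 10, 10, 13, 55, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # a legitimate user: one typo, then a successful login (302 to the dashboard)
    [_line("198.51.100.4", _T0, "GET", "/login", 200),
     _line("198.51.100.4", _T0 + timedelta(seconds=5), "POST", "/login", 401),
     _line("198.51.100.4", _T0 + timedelta(seconds=20), "POST", "/login", 302)]
    # an attacker: twelve failed guesses ten seconds apart
    + [_line("203.0.113.7", _T0 + timedelta(seconds=10 * i), "POST", "/login", 401)
       for i in range(12)]
)

if __name__ == "__main__":
    for ip, (first, tripped, n) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed logins between {first:%H:%M:%S} and {tripped:%H:%M:%S}")
```

Run it against a copy of yesterday's log and the alert list is your evidence for the conversation with the executive. The per-IP window catches the noisy attacker; an attacker who spreads guesses across many addresses (password spraying) needs the same counting done per target account, which requires the application, not the web server, to log the username.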
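The question "who outside the organization can see our cloud files?" has a concrete answer if someone bothers to ask it. The script below is an added example, not code from the original article or from any cloud vendor: it walks a sharing export and lists every permission that reaches outside the company. The record shape loosely follows the Google Drive API v3 permissions resource (type, role, emailAddress, domain, allowFileDiscovery), but the records and the organization domain `example.com` are constructed assumptions for the example.

```python
"""Audit a cloud-drive sharing export for files exposed outside the organization.

Added example, not code from the original article. The record shape loosely
follows the Google Drive API v3 permissions resource (type, role, emailAddress,
domain, allowFileDiscovery), but every record below is constructed and
ORG_DOMAIN is an assumed value. Feed it the output of your own export.
"""
ORG_DOMAIN = "example.com"   # assumption: the domain your staff accounts live in

# higher number = more damage an outsider can do with that role
ROLE_RANK = {"reader": 1, "commenter": 2, "writer": 3,
             "fileOrganizer": 4, "organizer": 5, "owner": 6}


def external_exposures(files, org_domain=ORG_DOMAIN):
    """Return one finding per permission that grants access outside org_domain,
    most dangerous role first."""
    org_domain = org_domain.lower()
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            kind = p.get("type")
            if kind == "anyone":
                reason = ("public and searchable" if p.get("allowFileDiscovery")
                          else "anyone with the link")
            elif kind == "domain":
                if p.get("domain", "").lower() == org_domain:
                    continue                       # shared with our own domain: fine
                reason = f"whole domain {p.get('domain')}"
            elif kind in ("user", "group"):
                email = p.get("emailAddress", "").lower()
                if email.endswith("@" + org_domain):
                    continue                       # internal account: fine
                reason = f"external {kind} {email or '<no address>'}"
            else:
                reason = f"unrecognized permission type {kind!r}"   # surface, don't ignore
            findings.append({
                "file": f["name"],
                "owner": f["owner"],
                "role": p.get("role", "reader"),
                "reason": reason,
            })
    findings.sort(key=lambda x: -ROLE_RANK.get(x["role"], 0))
    return findings


# --- constructed sample export (not real data) ------------------------------
SAMPLE_FILES = [
    {"name": "Q3 board pack.pdf", "owner": "cfo@example.com",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
                     {"type": "group", "role": "reader", "emailAddress": "board@example.com"}]},
    {"name": "Customer export.csv", "owner": "sales@example.com",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
                     {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
    {"name": "Passport scans.zip", "owner": "hr@example.com",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
                     {"type": "user", "role": "reader", "emailAddress": "ex.employee@gmail.com"}]},
    {"name": "Roadmap.docx", "owner": "cto@example.com",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "cto@example.com"},
                     {"type": "domain", "role": "commenter", "domain": "partner.example.org"}]},
]

if __name__ == "__main__":
    for x in external_exposures(SAMPLE_FILES):
        print(f"{x['role']:<10} {x['file']:<22} owner={x['owner']:<18} {x['reason']}")
```

The output is the list an administrator should be reviewing on a schedule: the former employee who still reads the HR archive, the customer export anyone with a link can edit, the partner domain that can comment on the roadmap. None of these needs a hacker; they are exactly the "mismanagement of security" the paragraph above describes.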
Digital Security is a Real Aspect of Your Business
If you couldn't find your market in the list above, that doesn't mean your assets are safe. As mentioned, not all cybercrime becomes a breaking news story. And not everything gets hacked, but it could be. Watch what's happening locally. In September 2019 in Poland, where I'm from, a popular e-commerce platform was fined the equivalent of 660,000 euros for a GDPR breach in which, allegedly, 2.2 million client records with emails and passwords were stolen and the victims were then targeted with a text-message phishing operation. It wasn't the number of records that mattered, but their potential value. Auction the haul on the dark web, collect the cash, and the identities sold are then used for fraud: loans, fake tax returns, blackmail, extortion. You probably know this, but the point is to understand how it can sneak up on you.
I'd like to suggest that you consider this one conclusion from our research: hackers hunt for the biggest and richest datasets with the least security. Unless you already have a security officer whom you actually listen to, get a full risk assessment from a prevention team. Let them work with your legal team to assess the financial value of your digital assets. As a reminder, here's what you can implement today, even as a non-technical executive:
- Have an active security policy that defines which data needs protection and who is responsible for overseeing it: access management, backups, and periodic security and GDPR checks.
- Consider migrating your website to a security platform that provides real-time protection and automated threat mitigation for all of its components.
- Work with a reputable security company to run penetration tests at least every six months.
This article originally ran in Today's Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.