If 2016 was the year of the breach, what will 2017 be?
In 2016, hackers stole 4 million records per day, and 35% of employees across the UK, France, Germany and Italy admit to having been involved in a security breach. How is 2017 shaping up so far?
The results are in - during 2016, an epic 1,792 data breaches resulted in nearly 1.4bn data records being compromised globally, a rise of 86 per cent over 2015. This breaks down to 3,776,738 records lost or stolen every day, 2,623 per minute, or 44 every second.
Although the statistics show a huge year-on-year rise in the total number of records compromised, the number of reported breaches did not increase in step, up from 1,673 in 2015, a small rise of 7.1 per cent. This worrying trend indicates that attackers are becoming increasingly efficient at garnering large numbers of personal records in an individual hit.
Businesses have not been dealing with the situation well, according to the report by Gemalto, based on The Breach Level Index: in 52 per cent of these cases the number of compromised records was not shared as part of the initial report. Interestingly, since the report was authored, the number of records lost per second has jumped to 53 - a 20 per cent jump for the first few months of 2017.
A recent UK ‘breach’ concerned the mobile operator Three, when, in March 2017, some customers logged into their accounts only to be presented with the names, addresses, phone numbers and call histories of strangers. Three said it was a technical issue with its systems, but customers were concerned. Ilia Kolochenko, CEO of High-Tech Bridge, commented on the incident: “It doesn’t look like an external hack, rather a technical glitch. However, this particular case is a great example of how our personal data is aggregated and processed in numerous different places. For consumers, it means that even if their laptop and mobile phone are well protected, they can still become victims of data theft. Cloud backups, remote storage and social platforms are just a few examples of losing control over our information. Governmental regulations, such as GDPR, will hopefully help clean up the mess.”
However, CISOs face a significant challenge in complying with GDPR, particularly on the subject of breach notifications, which will be required within 72 hours to avoid maximum penalties of up to 4% of worldwide annual turnover for the most serious failings. As ever, though, it may at heart be a people problem.
A separate report, from Forcepoint, found that 35 per cent of employees across the UK, France, Germany and Italy admit to having been involved in a security breach. Just under a third (29 per cent) of survey respondents have purposefully sent unauthorised information to a third party, while 15 per cent of European staff have taken business critical information with them from one job to another - 59 per cent even planned to use it in their next job.
Some 14 per cent of employees would jeopardise their job by selling work log-ins to an outsider, and 40 per cent of those would do so for less than £200; 55 per cent of surveyed employees in the UK would part with credentials for that amount. General IT security awareness among employees was also lacking. Nearly a quarter (22 per cent) either do not believe data breaches incur a cost to their employers, or are unsure, with France and the UK representing the nations with the lowest levels of awareness of these costs and consequences.
Possibly these stats are down to a regular failing - that of education. A sizeable 39 per cent of European employees report having received no data protection training, and over a quarter (27 per cent) of organisations either lack security policies to prevent data loss or fail to enforce them.
One thing is clear - the volume of breaches may stay static, but the number of records compromised is going to increase through 2017 and beyond. Is your business doing enough to slow that rise?