What do the US Navy and Three phone owners have in common?
A report from the Internet Society says 93 per cent of data breaches are preventable, and although spending is rising, the number of breaches is rising too. It argues that ignoring the problem will result in a lack of trust, which will significantly damage online enterprise.
The seemingly endless list of major data breaches from household names - Three and the US Navy being just last week’s players - is gradually sapping trust in online commerce, according to a report by the Internet Society (ISOC), with researchers finding that 59 per cent of users admit they would not do business with a company which had suffered a data breach.
The breakdown of breaches by business sector makes interesting reading. The retail sector represents 13 per cent of all breaches and 6 per cent of all records stolen, and technology represents 6 per cent of breaches (and 12 per cent of records), while financial institutions represent 15 per cent of total breaches but just 0.1 per cent of records stolen, indicating these businesses might have greater resilience and better technical barriers built in to protect their users.
Michael Kende, Economist and Internet Society Fellow who authored the 2016 Global Internet Report, said: “93 per cent of breaches are preventable. And steps to mitigate the cost of breaches that do occur are not taken – attackers cannot steal data that is not stored, and cannot use data that is encrypted. This status-quo isn’t good enough anymore. As more and more of our lives migrate online, the cost and risk of a data breach is greatly increased, and will lead to lost revenues and a lack of trust.”
By far the most common breach incident was an external attack, which covers issues ranging from zero-day exploits through to attacks via known vulnerabilities that have not been patched in a timely manner.
What is clear is that many attacks are successful - a recent security survey from Accenture found that in the past twelve months, roughly one in three targeted attacks resulted in an actual security breach, which equates to two to three effective attacks per month for the average company. Ilia Kolochenko, High-Tech Bridge CEO, said: “This is just the tip of the iceberg. The most advanced intrusions are rarely detected, and many large companies are not even aware that they were breached. Professional Black Hats have absolutely no interest in their victim becoming aware of the breach, and do their best to stay invisible by thoroughly planning every operation and deploying various smoke-screens to distract the attention of security teams.
“Especially large companies have a major challenge when detecting intrusions, as cybercriminals usually target their branch offices, partners, suppliers or even shareholders that don’t have such a high level of defence, but have access to the same data. I think it wouldn’t be an exaggeration to say that over 90% of well-prepared targeted attacks, conducted by experienced hackers, are and will be successful.”
This success is pushing up costs - the ISOC report also found that the average cost per lost record is $158, up 15 per cent since 2013, while the average cost of a data breach is now $4 million, up 29 per cent since 2013. In 2015 alone there were a reported 1,673 breaches and 707 million exposed records, which led to a finding that 40 per cent of users would ‘never again’ do business with a company that had lost financial or sensitive information, while a further 25 per cent said it would be ‘very unlikely’ they’d do business again.
An interesting point made by the report concerns who bears the cost of a data breach versus who bears the responsibility, using the example of the Target credit card breach in 2013, which saw the US chain expose 40 million customer debit and credit card accounts after a series of network intrusions. As the report points out, the true cost was partly borne by the financial institutions which replaced the cards (and then used lawsuits to recoup from Target). The chain was in fact breached via a contractor, whose defences were weaker, but the contractor may not have borne any of the direct cost of the breach.
ISOC has used their breach report to call for action on data breaches, demanding better transparency on breaches, wider adoption of best practice data security standards, better accountability and more incentives for secure institutions and enterprises. Will this be enough to lower the number of incidents in 2017? We will soon find out...