Data breaches are commonplace and inevitable. And with the average cost of a data breach now calculated as $217 per lost or stolen record, the need to protect data has never been stronger. This much we know.
But what can we learn from the many data breaches that have already occurred?
Privacy Rights Clearinghouse (PRC) – a nonprofit corporation that seeks “to engage, educate and empower individuals to protect their privacy” – has been maintaining records of publicly disclosed data breaches that have occurred in the United States since 2005.
With over a decade’s worth of data breach records now online, it is possible to use this information to determine trends that can help organizations protect their critical information in the future.
Trend Micro has undertaken this task in the papers Follow the Data: Dissecting Data Breaches and Debunking Myths and Follow the Data: Analyzing Breaches by Industry. As the introduction to the former states:
“A lot has been said about breaches – their impact on victims, their cost, and whatnot – but not much focus is ever placed on the data stolen, where it goes, what other information can be pulled from it, and how attackers can further use it. This paper aims to cover that.”
The papers contain a wealth of useful and interesting data, but if you don’t have the time to read them in full, here’s a summary of some of the most salient points.
What is a data breach?
First, a definition: ISO 27040 (part of the ISO 27000 series of information security management standards) defines a data breach as “compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed”.
Data breach methods
Across all industries, data breaches over the last ten years had the following causes:
- Hacking or malware (25%)
- Portable device loss (24%)
- Unintended disclosure (17.4%)
- Insider leak (12%)
- Physical loss (11.6%)
- Stationary device loss (5.4%)
- Payment card fraud (1.4%)
- Unknown (3.2%)
Cumulatively, then, loss of devices or physical records (portable device loss, stationary device loss, and physical loss combined) accounted for 41% of data breaches in the last decade, compared with 25% caused by hacking or malware.
Organizations can often overlook the amount of sensitive data held on portable devices.
Data breaches by industry
Share of data breaches by industry over the same period:
- Health care (26.9%)
- Education (16.8%)
- Government (15.9%)
- Retail (12.5%)
- Financial (9.2%)
- Service (3.5%)
- Banking (2.8%)
- Technology (2.6%)
- Insurance (1.6%)
- Media (1.4%)
- Others (6.8%)
The health care industry remains a major target, as recent data breaches demonstrate. Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities. Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.
How can you protect your organization’s data against attack?
ISO 27001 sets out the requirements of an auditable information security management system (ISMS), a risk-based approach to information security management designed for continual improvement. Registration to the standard proves to customers, stakeholders, and staff that international best practice is being followed.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks (including HIPAA) by achieving ISO 27001 registration.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.