Data breaches have become a major headache for large organizations. Customer data allows the wheels of commerce to keep turning – think airlines, hotels, insurance companies, online marketplaces, and the many other firms doing business in today’s digital world. But just as this data is prized by legitimate users, the personally identifiable information (PII) contained within the various information fields has value to bad actors, who are motivated to get their hands on it.
Companies are being squeezed from elsewhere, too. Governments have grown fed up with the leaky data practices of some organizations, and passed legislation designed to hold firms to account. And the worst offenders can now face fines. Regulations such as Europe’s GDPR data protection law have sent shockwaves through company boardrooms. But lessons are taking time to learn and data breaches haven’t gone away. And as long as criminals are able to profit from stealing company information, history is likely to keep repeating.
Building better defenses
Naturally, organizations don’t have to take this situation lying down. And leading firms recognize this. The answer is that consumer data must be better protected, and companies need to be more transparent about how this information is being used – a key requirement of California’s influential Consumer Privacy Act. For firms, this means knowing what data is being held and for what purpose – a useful auditing exercise that puts organizations on the first step to building better defenses against attacks on their information assets.
Studies such as Forgerock’s Consumer Identity Breach Report point to the scale of the issue. According to the research, a whopping two billion records containing usernames and passwords were compromised in 2021 – an increase of 35% over 2020. Partly, this jump could be down to careless behavior, but also keep in mind the massive shift to online patterns of doing business and how this has ramped up data volumes. Systems may turn out to be no leakier than before, but with more information being held, any spills will be larger.
With stolen credentials at their fingertips, bad actors can return to the digital crime scene and scrape the information barrel bare. The most recent figures from Forgerock’s analysis place the percentage of breaches due to unauthorized access at 50%. In 2018, it was 34%, so the share has grown by roughly five percentage points a year. The scale of the information loss is hurting US firms to the tune of an average cost of $9.5 million per breach, which remains the highest in the world.
Healthcare on alert
Playing into these numbers could be the value to criminals of healthcare data, which – as well as containing a huge amount of identity knowledge, including social security numbers – also tends to include billing details, adding to the headache for victims. The healthcare segment has become a lucrative target for cybercriminals, which should be a wake-up call for any tech firms operating in this market. In terms of knowing where to prioritize their resources, chief security officers would be wise to keep their defenses high against ransomware attacks, which were responsible for around 70% of breaches in healthcare, based on analyst estimates.
In retail, on the other hand, third-party attacks represent the biggest problem. Extended supply chains mean that information systems have to talk to multiple clients, which can increase the attack surface. Also, poor systems implementation remains a threat.
The Forgerock research signposts a massive data leak in German online shops that was traced to a marketplace for a number of leading retailers. Here, users found that they could access all orders, including competitor details, rather than just their own: the marketplace was not checking that the order being requested actually belonged to the logged-in account. Other trends spotted in Germany – Europe’s manufacturing powerhouse – included a tendency for attackers to go after large firms – a scenario dubbed ‘Big game hunting.’
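The marketplace failure described above is a textbook broken object-level authorization bug: the lookup is keyed on the order id alone, so anyone with a valid session can walk the id space. The example below is added here to illustrate that failure mode and its fix; it is hypothetical code written for this page, not code from the marketplace or from the Forgerock report, and the shop data, handler names and id range are all constructed for illustration.

```python
"""Broken object-level authorization (IDOR) in an order-lookup endpoint.

Hypothetical example: the store layout, the handler names and the sample
orders are constructed for illustration and are not the code from any
real incident.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: str
    items: tuple


# Constructed sample data: orders belonging to two different customers.
ORDERS = {
    1001: Order(1001, "alice", ("widget",)),
    1002: Order(1002, "bob", ("gadget", "cable")),
    1003: Order(1003, "alice", ("sprocket",)),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    """Looks the order up by id only. Any logged-in user can read any order,
    so an attacker who walks the id space scrapes every customer's orders."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order_hardened(session_user: str, order_id: int) -> Order:
    """Scopes the lookup to the caller's own orders. Returning the same
    'not found' for a foreign id and for a non-existent id avoids telling
    the caller which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_user:
        raise NotFound(order_id)
    return order


def enumerate_orders(handler, session_user: str, id_range) -> list:
    """Simulates an attacker (or a tester) walking sequential order ids with
    a single valid session and collecting whatever the handler returns."""
    found = []
    for oid in id_range:
        try:
            found.append(handler(session_user, oid))
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    leaked = enumerate_orders(get_order_vulnerable, "alice", range(1000, 1010))
    own = enumerate_orders(get_order_hardened, "alice", range(1000, 1010))
    print("vulnerable handler exposed", [o.order_id for o in leaked])  # [1001, 1002, 1003]
    print("hardened handler exposed", [o.order_id for o in own])       # [1001, 1003]
```

The enumeration helper doubles as the check a tester would run: log in as one customer, request a run of neighbouring order ids, and anything that comes back for another customer's id is a finding. Note that the hardened handler filters by the session identity on the server side; hiding the id in the UI or making ids non-sequential only slows the walk down, it does not remove the bug.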
As hacking groups drill down on financially strong targets, companies need to be prepared and have a playbook ready should a data breach take place. Firms need to be able to reset passwords quickly to limit the damage and convince customers that they are in safe hands. Firms that react responsibly will limit the exodus of clients that typically follows when breaches are made public – a cost that can represent almost two-fifths of the financial damage incurred.
Security game plan
Keeping lines of communication open and being honest with partners is essential. If PII has ended up in the hands of bad actors, adversaries may use the knowledge to mount social engineering campaigns, and clients will appreciate a security heads-up so that their own customers can be on the alert. Resetting passwords helps little if thieves can then scoop up the new ones by sending authentic-sounding messages that mimic the reset notice itself.
Strategies such as ‘zero trust,’ where every access request is evaluated dynamically against multiple signals collected over time (the user’s second factor, the device’s posture, the request’s location and the session’s age, for example), can substantially weaken an attacker’s ability to infiltrate company networks, and can stop, or at least slow down, their ability to move laterally, because permissions are revoked as soon as the signals turn suspicious rather than at the next login. Feeding into this security game plan are other identity and access management essentials, including multi-factor authentication and artificial intelligence-powered features.
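The point of the dynamic evaluation is that a decision is made on every request, not once at login, and that a bad decision revokes the session so it cannot be reused against another resource. The example below, added here as an illustration and not taken from any product or from the report the article cites, shows that loop in miniature: the signal names, weights and thresholds are all constructed for the example and would be tuned differently in a real deployment.

```python
"""Per-request access evaluation from several session signals, with revocation.

Hypothetical example: the signals, weights and thresholds below are
constructed for illustration and are not taken from any product.
"""
from dataclasses import dataclass


@dataclass
class Signals:
    mfa_verified: bool          # did this session complete a second factor
    device_managed: bool        # is the device enrolled and posture-checked
    country: str                # country the request arrives from
    minutes_since_last: int     # time since the session's previous request
    session_age_minutes: int    # time since authentication


@dataclass
class Session:
    user: str
    home_country: str
    revoked: bool = False
    last_country: str = ""


def risk_score(session: Session, s: Signals) -> int:
    """Adds up weighted signals. Higher is riskier."""
    score = 0
    if not s.mfa_verified:
        score += 3
    if not s.device_managed:
        score += 2
    if s.country != session.home_country:
        score += 2
    # A change of country within an hour of the previous request is
    # implausible travel and the strongest single hint of a stolen session.
    if session.last_country and s.country != session.last_country and s.minutes_since_last < 60:
        score += 5
    if s.session_age_minutes > 8 * 60:
        score += 1
    return score


def evaluate(session: Session, s: Signals, resource_sensitivity: int) -> str:
    """Returns 'allow', 'step_up' or 'deny' for one request.

    Every request is evaluated, so a session that was allowed a minute ago
    can be denied now. resource_sensitivity (0, 1 or 2) lowers the
    thresholds for more sensitive resources. A deny revokes the session,
    which is what stops the same session moving on to the next resource."""
    if session.revoked:
        return "deny"
    score = risk_score(session, s)
    session.last_country = s.country
    deny_at = 6 - resource_sensitivity
    step_up_at = 3 - resource_sensitivity
    if score >= deny_at:
        session.revoked = True
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    sess = Session("alice", "DE")
    # Normal request from a managed device at home: allowed.
    print(evaluate(sess, Signals(True, True, "DE", 0, 10), 0))      # allow
    # Same user on an unmanaged device: fine for a low-value resource,
    # but a more sensitive one asks for a fresh second factor.
    print(evaluate(sess, Signals(True, False, "DE", 30, 40), 0))    # allow
    print(evaluate(sess, Signals(True, False, "DE", 30, 40), 1))    # step_up
    # Five minutes later the session appears from another country: denied
    # and revoked, and a later request from home stays denied.
    print(evaluate(sess, Signals(True, True, "BR", 5, 45), 0))      # deny
    print(evaluate(sess, Signals(True, True, "DE", 1, 46), 0))      # deny
```

Two design choices matter more than the exact weights. First, the score is recomputed per request from current signals, so a session does not keep an ‘allowed’ verdict once its circumstances change. Second, the deny path marks the session itself as revoked, so an attacker who stole the token cannot simply retry against a less sensitive resource; they have to re-authenticate, which is exactly where the second factor bites.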
And, to sprinkle some more good news, organizations appear to be increasingly willing to invest in bolstering their security. Updated in July 2022, a cybersecurity breaches survey published by the UK government found that “82% of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority.” What’s more, this finding is an uplift on last year’s figure (77%). Also, half of the firms questioned in the latest survey said that their executive teams were updated on cyber security matters at least every three months, which may signal a shift towards a more dynamic security posture by companies holding customer data.