With Labor Day over and summer fading into memory, it is a good time to take a fresh look at your data security, information security, privacy and compliance postures, and to review what the first six months of 2016 have taught us about data breaches and incidents.
Background
Earlier this year, the 2016 Ponemon Cost of Data Breach Study reported that the average total cost of a data breach has risen to $4 million from $3.8 million, with the average cost per breached record up to $158 from the previous year’s $154.
By any measure, the public’s much-discussed “breach fatigue” has not produced any matching decrease in regulatory, compliance, remediation or legal costs. That said, we recently received a copy of Risk Based Security’s mid-year Data-Breach Quick View Report (https://www.riskbasedsecurity.com/2016/08/data-breaches-lead-to-over-1-billion-records-exposed-in-the-first-half-of-2016/), which makes the startling claim that “while the number of data breaches for the year is down approximately 17% compared to the same time last year, the number of records compromised is off the charts, with over 1.1 billion … records exposed in the first six months of 2016. With another 6 months still to go, this year is already the worst year on record for the amount of sensitive information compromised.”
While the first half of 2015 saw more individual incidents (2,221 versus 1,837 in the first half of 2016), the 2016 breaches from January through June exposed far more records: 1.139 billion versus a “mere” 259 million in the first six months of 2015.
Trends and Takeaway Lessons
Perhaps the most damning findings of the mid-year Data-Breach Quick View Report are:
- First, attackers continue to have broad success with tried and true techniques. That the same techniques (and we are not talking about zero-day attacks) pay off time and time again is a sad testament to human nature and inertia.
- Phishing and social engineering continue to work, and work well.
- Indeed, the ransomware situation in particular has become so serious that the FTC is holding a Ransomware Workshop tomorrow, September 7, 2016, which it will stream live; see https://www.ftc.gov/news-events/events-calendar/2016/09/fall-technology-series-ransomware
- Misconfigured databases continue to serve up large amounts of data. The majority of incidents so far in 2016 (77.6%) resulted from outside hacks, which succeeded because the databases carried known, unpatched or uncorrected weaknesses.
- For example, a MacKeeper security researcher discovered a misconfigured MongoDB instance, hosted on AWS servers in the United States, that held personal information on 93.4 million Mexican voters.
- And these attacks, like lightning, strike the same target again and again: the Report notes that 54 organizations reported multiple incidents in the first half of 2016.
- Reusing log-in credentials across multiple sites can have cascading effects across many organizations. Passwords are a growing, and increasingly recognized, weakness.
- As the number of breaches grows, more and more password databases have been compromised, letting criminals and hackers tune their password-cracking dictionaries with real user choices.
- The situation has led the National Institute of Standards and Technology (NIST) to draft new guidelines for federal password policies, including a strong push toward two-factor authentication; see Special Publication 800-63-3, Digital Authentication Guidelines, at https://pages.nist.gov/800-63-3/ and a short slide presentation by draft co-author Jim Fenton, Toward Better Password Requirements, at http://www.slideshare.net/jim_fenton/toward-better-password-requirements
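As an added example of the check a practitioner would run against the “misconfigured database” vector above (this is not code from the Report, MacKeeper or this post): a small Python audit of a mongod.conf for the two settings that produced the open-MongoDB exposures of 2016, a bindIp covering every interface combined with authorization left at its default of disabled. The two configuration texts are constructed for the demo, and the parser is a deliberately minimal reader for the two-level layout mongod.conf uses, not a YAML library.

```python
# Added example (not from the Report or the original post): audit a mongod.conf
# for the two settings behind the 2016 open-MongoDB exposures.
# Both config strings below are constructed for the demo.

WEAK_CONF = """\
# constructed mongod.conf: listens on every interface, no authentication
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

HARDENED_CONF = """\
# constructed mongod.conf: loopback only, authentication required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Tiny parser for the 'section:' / '  key: value' layout mongod.conf uses.
    Assumption: no lists, anchors or multi-line scalars (enough for the net
    and security sections this audit reads)."""
    root, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if raw[0] not in " \t":                      # top-level key
            if value:
                root[key] = value
                section = None
            else:
                section = root.setdefault(key, {})   # start a section
        elif section is not None:                    # nested key
            section[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weak setting is present."""
    conf = parse_simple_yaml(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []

    bind = net.get("bindIp")
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll=true: mongod accepts connections on every interface")
    elif bind is None:
        findings.append("net.bindIp not set: do not rely on the binary default "
                        "(mongod listened on all interfaces before 3.6)")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append("net.bindIp=%s: mongod accepts connections on every interface" % bind)

    # security.authorization defaults to disabled, so absence is a finding too.
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that "
                        "can reach the port reads and writes every database")

    if len(findings) == 2:
        findings.append("CRITICAL: network-reachable with no credentials required "
                        "(the pattern behind the 2016 mass MongoDB exposures)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run it against the real file with audit_mongod_conf(open("/etc/mongod.conf").read()). A clean config file is only one layer: an instance started with command-line flags can override it, so a port scan of the host from outside the network and a host firewall rule belong alongside this check.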
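As an added example of what the draft 800-63-3 password guidance looks like in practice (this is not code from NIST, Jim Fenton or this post): a Python enrolment check implementing the draft SP 800-63B memorized-secret verifier rules the slide deck summarizes, namely a minimum of eight characters, Unicode normalization, comparison against a breached or commonly-used password list, context-specific words, repetitive or sequential runs, and no composition rules. The blocklist here is a constructed handful of entries standing in for a real breach corpus lookup, and the context words passed in are assumptions.

```python
# Added example (not from NIST or the original post): the memorized-secret
# checks from the draft SP 800-63B, applied to a candidate password at
# enrolment. BREACHED_PASSWORDS is a constructed stand-in for a real corpus.
import unicodedata

BREACHED_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "welcome1", "football",
}


def has_repetitive_or_sequential(secret, run=4):
    """True for runs like 'aaaa' or '1234'/'abcd' (code points ascending by one)."""
    for i in range(len(secret) - run + 1):
        chunk = secret[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_memorized_secret(secret, context_words=(), blocklist=BREACHED_PASSWORDS):
    """Return the reasons a candidate secret should be rejected ([] means accept).

    Draft SP 800-63B rules applied here: NFKC-normalize, require at least 8
    characters, accept spaces and any printable character, compare against a
    breached/common list, context-specific words (service name, username) and
    repetitive or sequential runs, and impose no composition rules
    (no 'one upper, one digit, one symbol' requirement).
    """
    secret = unicodedata.normalize("NFKC", secret)
    folded = secret.casefold()
    reasons = []
    if len(secret) < 8:
        reasons.append("shorter than 8 characters")
    if folded in blocklist:
        reasons.append("found in breached/commonly-used password list")
    for word in context_words:                      # e.g. service name, username
        if word.casefold() in folded:
            reasons.append("contains context-specific word %r" % word)
    if has_repetitive_or_sequential(folded):
        reasons.append("contains a repetitive or sequential run")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "correct horse battery staple"):
        print(repr(candidate), check_memorized_secret(candidate) or ["accepted"])
```

The blocklist comparison is an exact match after normalization, which is how a hashed breach-corpus lookup works in practice; a production verifier would query a corpus of hundreds of millions of entries rather than nine constants. This covers the password half only; the draft’s push toward two-factor authentication is a separate control, and no password rule substitutes for it.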
Conclusion
The Report is a useful refresher to discuss with your own IT department and to use as a check of your company’s contract templates and data protection “addendums” (like SmartedgeLaw’s state-of-the-art exhibit), to ensure that the obligations imposed on vendors include specific safeguards against the most common data breach vectors. Feel free to contact us at 203 307-2665 or info@smartedgedevsite.live-website.com if you have any questions about what the Report may mean for your own data security and privacy efforts.