It seems like we’re talking about a new data breach every other day. From the InterContinental Hotels Group to OneLogin, companies across every industry have been targeted so far in 2017, and we can only expect both the size of these events and the damage they cause to grow. The question that organization leadership needs to be asking itself in the face of these threats is, “How at risk are we?”
Performing a Data Breach Risk Assessment
Last year, more records were exposed through reported data breaches than ever before, even though the number of incidents was smaller than in the previous year. What’s more important, however, is which industries were targeted, how they were compromised, and what information was stolen. These are the factors that will make up an organization’s data breach risk assessment.
One of the most important factors in data breach risk is the company’s industry. While incidents may have fallen between 2015 and 2016, some industries, such as the entertainment sector, information services, and healthcare, saw an increase in incidents, while others remained much the same. Only the industries that are classic targets for data theft, financial services and organizations in the public sector, saw a sharp decline in incidents.
This shift could be attributed in part to increased awareness of breach risk in these latter industries, but many would argue that it’s also due to a change in attack strategies. Healthcare information, for instance, has become a prime target over financial records because it contains more sensitive data. Firms in higher-risk industries should consider the type of data they are collecting as a major influence on their risk assessment.
What information cybercriminals are targeting will determine the next level of risk assessment. Thieves are no longer just after bank account numbers, although financial motivation is still behind 73 percent of breaches. In many respects, simply doing damage to critical infrastructure is becoming a more common theme, as is theft of intellectual property. Another major data type being targeted is personally identifying information – key data used for identity theft. And hackers are able to target this information from more sources today, from educational institutions to medical providers.
Method of Compromise
Finally, organizations have to consider how hackers are getting inside their systems. The methods of compromise have remained largely unchanged over the last few years, with stolen credentials (passwords) leading the pack last year, contributing to 81 percent of all known breaches.
Beyond this basic method of compromise, firms also need to be aware that malware was involved in 51 percent of breaches, and 25 percent were insider threats – attacks coming from within the organization rather than from outside hackers. Finally, 66 percent of malware-related attacks involved phishing emails.
Are You Safe? Are You Secure?
Answering these three primary questions will significantly help companies assess their own risk of being victims of a data breach, and outline areas for improvement. While you can’t change your organization’s industry, knowing that you’re in a high-risk sector can amplify your efforts to improve security. If you’re collecting prime-target data, you know you need to invest in better ways to encrypt that information and protect access to it. And of course, if you’re using outdated access control solutions, or you’re not properly training your employees in security best practices, you’re definitely increasing your risk factor.
By improving in these areas and deploying more advanced identity and access management infrastructure, any organization can reduce its threat level and enhance security across the board.
*All data breach statistics in this post were taken from the Verizon 2017 Data Breach Investigations Report.