We all know the headlines about major data breaches. However, if that were not bad enough behind the headlines are the hard facts that as noted by the authors of the recently released Verizon 2014 Data Breach Investigations Report, “the bad guys are winning.” More of those facts became disturbingly available with the release by security solutions provider SafeNet (News - Alert) of its SafeNet Breach Level Index (BLI) for the first quarter of 2014. It underscores just how bad things are and how fast the situation is escalating.
According to the SafeNet BLI—a complex algorithmic-based way of analyzing breach information to derive amongst several key data points a breach severity rating—more than 200 million records were stolen in the first quarter of 2014. This is the equivalent of roughly 93,000 records stolen every hour. That number is jaw-dropping by itself but the one that stands out is that this represents an increase of 233 percent over the same time last year.
If there is a silver lining in the BLI it is the confirmation of the adage that, “An ounce of prevention is worth a pound of cure.” IT departments would be well-advised to inform their management that of the 254 data breaches that occurred during the quarter, only 1 percent were “secure breaches,” e.g., ones where strong encryption, key management, or authentication solutions protected the data from being used.
A quarter to that is a call to action
Below are some of the key findings of the BLI, which provides details about hundreds of individual data breaches, which can be sorted by source, industry, risk level, and date:
While the variation by sector in terms of number of records compromised versus number of successful breaches is interesting and instructive, one finding that provides context and food for thought deals with identifying those responsible for breaches. Here is a hint. It is not what the headlines might suggest.
Source: SafeNet Breach Level Index (BLI) Q1 2014
There were approximately three breaches and 2.2 million records stolen each day, and more than 93,000 per hour. Additional quarterly breakdowns are available in the BLI Executive Summary.
“The white noise of data breach reporting makes every breach seem just as bad as the last, but this is certainly not the case. Some organizations are handling customer data responsibly, and others are not. Tools like the Breach Level Index can help companies and the public alike understand the actual severity of breaches on a graduated scale and distinguish between these two groups,” said Tsion Gonen, chief strategy officer, SafeNet. “In differentiating between secure and insecure breaches, it’s important to look at which victims have protected their data with encryption to limit the damage from a breach and render the date unusable to cyber criminals.”
He could have added that there is a difference in velocity and ferocity and that just because your sector is not a prime target of those with malicious intent, does not mean that your organization should not be vigilant. In fact, what the headlines do highlight is the diversity of targets that have been selected.
Indeed, there can be some certainty since the bad guys are constantly probing for any vulnerability that if your organization is lax on implementing even basic best practices, the fact that you have not been breached is a “luck of the draw” happenstance and not a function of possibly being in a sector that tends not to draw hacker attention. In addition, the numbers on the “effectiveness” of insider malicious attacks needs to be taken into full consideration.
As noted above these reports can be used as calls to actions, and the recommendation outlined on the SafeNet blog by Trisha Paine, Senior Product Marketing Manager at SafeNet, in comments about the first quarter results are instructive:
At the end of the day, there is not a magic strategy; there is just thorough, well thought out planning. A good battle plan encompasses multiple layers of security in order to protect the kingdom. The important things include:
That said, visualization is important, and taking what could be a somewhat recalcitrant management to the index page might only a take few minutes that could become extremely valuable for obtaining resources to improve your organization’s data risk management posture.