You’re probably familiar with the test of showing someone a glass filled halfway with water and asking them whether it is half-full or half-empty. If they see the former, they’re optimistic by nature, and pessimistic if they think the latter. The 2018 data breach statistics are rolling in now from a number of vendors and research organizations, and if you ask me whether they show a glass half-full or half-empty, I’ll say “both”.
The Glass is Half-Full
The headline of a recent article by Dark Reading’s Jai Vijayan does not inspire optimism: “2018 Was Second-Most Active Year for Data Breaches.” Jai dives into a new Risk Based Security report that reveals more than 6,500 data breaches were reported in 2018.
But here’s the good news: that marks a 3.2% decline from the 6,728 breaches reported in 2017. Roughly 5 billion records were exposed, which is about 36% less than the nearly 8 billion records exposed in 2017.
Of course, those 2018 numbers are still much too high. But perhaps we’re seeing evidence that the cybersecurity industry’s collective effort to educate government agencies and companies of the need to prioritize security is working. Maybe there’s reason to believe that we’ll see this downward trend continue through 2019.
Then again, maybe not…
The Glass is Half-Empty
Jai’s colleague Kelly Sheridan writes that while the number of reported data breaches dropped in 2018, “the number of sensitive consumer records exposed increased 126% year-over-year.” That’s one of the key findings of the Identity Theft Resource Center’s (ITRC) “2018 End-of-Year Data Breach Report.”
The ITRC found that the number of consumer records containing personally identifiable information (PII) significantly increased from 197.6 million to 446.5 million – that’s a jump of 126%. And the news gets worse: the ITRC warns the actual total number of records exposed is probably higher due to the fact that only half of reported breaches disclosed specific numbers of exposed records.
It’s even difficult to determine whether a particular industry is doing better, worse, or the same when it comes to protecting sensitive information.
Consider the healthcare sector, which Jai notes is “often denigrated for having poor security.” According to the Risk Based Security report, financial services companies, technology firms, retailers, restaurants, hotels, and other businesses were responsible for nearly 66% of the reported breaches and a near identical proportion of the records that were exposed last year. However, the medical and education sectors combined exposed less than 10 million records.
Yet, the ITRC found healthcare organizations had the second-highest number of breaches (363) and the highest rate of exposure at 9.92 million records total.
What is not up for debate is the fact that the healthcare industry has become a prime target for cyber thieves. Stolen medical records command a premium price on the black market – up to $1,000, according to CNBC.
Interestingly, both reports show that hacking by malicious external actors is still the leading case for most breaches.
So, where does this leave us? There’s no doubt organizations are aware of the threat, yet remain overwhelmed by the sheer volume of attacks that target them every day, struggle to hire enough qualified professionals, and worry they are unable to avoid suffering a data breach. These are all certain to be hot button issues at RSA 2019 next month.