Data Breaches on the Rise
Data breaches have become a staple of news headlines in recent years, as more states require organizations to disclose such events to consumers.
In 2003, California enacted the nation's first notice-of-security-breach law. Since then, 37 other states and the District of Columbia have followed with their own laws, according to Consumers Union. Against that backdrop, incident reports have skyrocketed. Etiolated.org, which uses data from Attrition.org, shows that 4,960 records were lost or stolen in 2002. In 2007, that number grew to 162,563,703.
Jon Gossels, president and CEO of SystemExperts Corp., a security and compliance consulting firm, noted the rise in disclosures since the passage of state notification laws. "It's not clear to me that the actual number of breaches is changing, but clearly there have been some highly visible ones in the past year," he said.
Recent transgressions include the TJX Companies, Inc. breach, which is reckoned to be the largest ever. TJX, the parent of retail chains including TJ Maxx, announced the computer incursion in January 2007 and later disclosed in an SEC (Securities and Exchange Commission) filing that the incident involved data from more than 45 million payment cards.
Brad Johnson, vice president at SystemExperts, said he views TJX as an anomaly, suggesting most breaches stem from human error rather than an attacker's ingenuity. He cited organizations that fail to encrypt data on portable devices, which can be lost or stolen. "The fundamental problem is a lack of security and cyber risks awareness," Johnson said. "Employees weren't aware of the cyber risk involved, so they didn't take the appropriate precautions."
The case of HM Revenue & Customs, the United Kingdom's tax department, fits the human-error category. In late 2007, HM Revenue & Customs acknowledged the loss of two computer disks containing the personal information of 25 million people. In a similar scenario, a laptop containing data on 26 million veterans was stolen in 2006 from the home of a U.S. Department of Veterans Affairs data analyst.
As for active theft, some security analysts report a rise in organized, profit-motivated attacks. Sumit Pal, executive vice president of WithumSmith+Brown Global Assurance, LLC, a security and compliance consulting firm, noted increasing activity among what he termed criminal gangs that steal personal data and sell it for $1 to $10 per record.
Marty Lindner, a senior member of the technical staff at Carnegie Mellon University's Software Engineering Institute, said cyber-attacks will continue as long as they are profitable. "There's no indication that it is becoming less profitable," he said.
The lure of a profitable hit has motivated network assailants to take an unrelenting approach. In the TJX case, for instance, the first unauthorized access took place in July 2005, with subsequent intrusions in 2005 and between mid-May 2006 and mid-January 2007, according to the company's SEC filing. "One of the things we are seeing with the TJX model is the attacker is persistent," Gossels said. "In the past … somebody was joyriding. Now, more and more, we are seeing persistent, subtle attacks."
Protecting data from loss or theft starts with an organization understanding its sensitive data and where it resides, according to security consultants. "Many customers don't really have a good grip on where all their sensitive data is," Johnson said. Pal also suggested that organizations classify their data according to sensitivity and educate employees on the policies and procedures for handling various kinds of data.
Another mechanism for improving cybersecurity is to handle only the data that is essential to a given task. According to Johnson, organizations commonly extract data sets for processing that contain much more information than necessary. For example, a company may take a whole Excel file rather than the relevant portions. "Few organizations have policies and procedures in place to scrub the data before it is downloaded or processed," Johnson said.
Lindner pointed out that an attacker bent on identity theft needs more than a credit card number. The more personal data an enterprise collects, the more conditions become ripe for identity theft. "Don't record things you don't actually need," he said.
But while businesses should take care to follow best security practices, consumers should also share some of the burden. "Consumers are putting a lot more trust in the companies they do business with than I think is a good idea," Lindner said. "The user/consumer is not spending much time understanding the risk they are putting themselves into when they give any kind of personal information to a third party."
Lindner offered the example of a website registration process in which a user is asked to provide their mother's maiden name as the answer to a "secret question." A truthful answer could help an identity thief. He recommended making up an answer and storing it securely.
"It's a balancing act," Lindner said. "Companies need to do more and consumers need to do more."
How to prevent data breaches with cybersecurity software?
Data breaches can affect your ability to work and destroy your organization's reputation in the market, so the risk of data breaches and the need for malware protection are serious. Among the various steps companies can take to reduce that risk, below are the proven ways to prevent data breaches from occurring at your company.
- Limit access to confidential resources
When you limit who can access certain documents, you restrict the pool of employees who might accidentally click on a spam link. This way, you not only save your employees from installing viruses but also secure your valuable data.
- Install the best cybersecurity software
Cybersecurity platforms today offer software with the most powerful security features for protecting the privacy of an individual or business. Besides cyber threat detection and response, it protects applications, systems, and networks from cyber-attacks. It also helps prevent unauthorized data access and identity theft. Robust cybersecurity software offers malware protection, unlimited scanning, a network view, notifications as threats appear, secure network traffic, multi-layered security with encryption, and blocking of connections from unrecognized networks.
- Develop a data breach plan
Leading businesses always have an established, sound data breach response plan. They never fall for the fallacy that it will never happen to them because it hasn't happened to them yet. In past years, large companies that suffered criminal break-ins and theft of data records were reluctant to make this public.