Gemalto has recently released an updated Breach Level Index, which records information about the records lost since 2013. According to the time of this article, 2.98 billion records have been lost since 2013. For 2014, more than 1,500 data breaches led to over one billion data records compromised worldwide, a 49% increase in data breaches and a 78% increase in data records breached over 2013 figures.
The Breach Level Index (BLI) is a global database of data breaches which calculates “severity” on multiple dimensions, including type of data and number of records stolen, the source of the breach, and whether or not the data was encrypted. Previously tracked by SafeNet, acquired by Gemalto, these figures focus less on the number of breaches and more on the number of records exposed, in its analysis of data breaches.
The BLI data shows that 54% of all data breaches in 2014 were motivated by identity theft, which also accounted for one-third of the most severe data breaches. Tsion Gonen, Vice-President of Strategy for Identity and Data Protection at Gemalto, postulates the cybercriminals are shifting to more open-ended data, which can be used for multiple types of fraud. We have seen this same shift in the ever-increasing value of healthcare data, which is also a flexible form of data for fraud purposes.
In the past, a lot of attention has been paid to the dominance of the healthcare industry for data breaches, but the BLI shows that the retail and financial services industries are noticeably experiencing more breaches. In the financial services sector, for example, the number of data breaches, while remaining fairly flat, have increased ten-fold in number of records lost per breach, moving from 112,000 to 1.1 million records breached in 2014.
In only 4% of recorded data breach cases was data encrypted. This, clearly, isn’t good enough. Organizations must do a better job of safeguarding data from targeted attacks, protecting all possible attack vectors from network to endpoint. If, as Tsion Gonen suggests, “being breached is not a question of ‘if’ but ‘when,’” and if data breaches are becoming more severe, then how can organizations respond? As Gemalto suggests, a focus on the data becomes central to IT security.
At Absolute Software, we advocate for a layered approach to data security, one which defines data by the individual, giving you greater control over understanding what data access is needed, where the data is being used and how to respond if a security incident occurs. A data or user-centric policy would consider technology, internal processes and user education as vital to protecting data. Tools such as encryption would be just one layer in the approach, supplemented by tools such as Absolute Computrace which can provide an audit trail on the status of encryption as well as the ability to remotely delete data from lost laptops, tablets and smartphones.