We explore end users' understanding of a variety of cybersecurity topics and how their knowledge levels are impacting security postures across a range of industries.
In total, well more than half — 699 of 1,120, or 62.4% — of the total number of breaches had a question mark tied to them with regard to impacted records. The disparity is mainly due to the lack of disclosure noted in the banking, business, and education categories. It is alarming to see how little is being made public about breaches in these sectors. It certainly appears that consumers benefit from the increased (albeit forced) transparency within the government and healthcare categories, as far as disclosure goes (though that is no doubt offset by the fact that more than 10 million records have been exposed so far this year in those two categories alone).
The even sadder reality of the situation is this: What we don’t know about US data breach totals (to say nothing of global totals) extends far beyond this report. The ITRC self-discloses that its report only includes data from breaches that have been confirmed/published by a “credible source”; items are excluded if the ITRC is “not certain that the source is real and credible.”
That, of course, means that organizations would have to formally — and publicly — disclose a breach in order for it to be counted, which we know is not happening as often as it should. As Adam Levin, Chairman of ITRC report sponsor CyberScout (formerly IDT911), noted back in 2016, “Many [breaches] continue to fly under the radar because many businesses aim to avoid the financial dislocation, liability, and loss of goodwill that comes with disclosure and notification.”
Recognizing the Role of the User in Data Breach Prevention
While cybercriminals are certainly working overtime to infiltrate organizations, the rise in data breaches is partly due to lack of cybersecurity awareness and knowledge among end users. In its end-of-year analysis of the 2017 US data breach landscape, the ITRC and CyberScout noted the following about the sources of identified data breaches:
- Hacking (a category that includes phishing, ransomware/malware, and skimming) was the primary method of attack in 60% of the overall breaches, a 3.2% increase from 2016. It was particularly prevalent in the Business sector, with nearly 40% of organizations attributing their breaches to this type of attack.
- Phishing figured into 21.4% of hacking-based attacks and 14% of Business hacks.
- Ransomware and/or malware was identified in 12.4% of attacks attributed to hacking. It was identified as the source of 8.4% of hacking breaches in the Business sector.18.5% of attacks attributed to hacking.
- Employee-driven factors (i.e., error, negligence, improper disposal, and loss) were the root cause of more than 10% of breaches, resulting in more than 145 million compromised records.
- Accidental online exposure of data was identified in nearly 7% of breaches and more than 8 million compromised records.
In examining these causes, it’s clear that employee behaviors figure into a large number of data breaches — and that human factor is costly. But the question is: Do your employees truly know how to avoid mistakes?
We’d make the case that users can’t forget things that they they’ve never known. Awareness is not knowledge. Simulated phishing attacks — while valuable assessment tools — are not training. And cybersecurity threats extend beyond the phish. To manage end-user risk more effectively, you must give your employees a seat at the table and empower them to be part of the solution — and thoughtful, ongoing security awareness training can help you do just that.
Find End-of-Year Stats in Our SecureWorld Guest Blog
Interested in learning more about the ITRC's statistics through the end of 2017? We compared and analyzed the numbers in a guest blog for SecureWorld, which you can find on the SecureWorld website.
* Per the ITRC: “A breach is defined as an event in which an individual’s name plus Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card is potentially put at risk — either in electronic or paper format. For data breach incidents involving only emails, user names, and/or passwords, the number of records are not included in the overall total number of records.”