Data Security Risks: The Bad News and The Good News
The Bad News.
Data breaches are on the rise. The Identity Theft Resource Center (ITRC), which has been tracking data security risks since 2005, released a report in which it counted 430 data breaches between April 2016 and April 2017. This shows a 37% increase from 2015-2016, according to Credit Union Times. This is a scary thought when we consider that ITRC found 2016 to be a record year for data breaches, according to Bloomberg.
It gets worse. A cybersecurity survey conducted by EiQ found that small to medium-sized businesses (SMB) were not prepared for a cybersecurity breach. Out of approximately 150 IT security personnel, 86% responded that their company has underfunded security initiatives, and 56% said their organizations are unprepared to identify and respond to cyberattacks. EiQ states that cybersecurity is a small fraction of many companies’ IT budgets, indicating that cybersecurity isn’t as big a priority as other technological initiatives. The National Center for the Middle Market, out of Ohio State University, has a Cybersecurity Resource Center tailor-made for midsize companies, which may feel the harm of inadequate resources to counter data security breaches.
It would appear that larger organizations fare better, as they tend to have more resources to maintain effective data security programs. However, data security breaches constantly spatter news headlines, like the ones at Yahoo and the US Internal Revenue Service. Additionally, laws like the GDPR, UK Privacy Shield, and New York’s Cybersecurity Regulations require adequate third-party data security management, including vendors and outside law firms. The Association of Corporate Counsel’s Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information is a guide that can help companies prepare.
Ultimately, companies of all sizes and resources should be investing in enhanced cybersecurity.
The Not-so-Bad News.
Some industries did better than others. In fact, the ITRC survey found that healthcare and financial services experienced declines in data breaches compared to the prior year. Meanwhile, the educational industry, the government/military, and the “business” industry (which includes all other industries, like retail and professional services) experienced more. This should not be surprising to some folks, as both the financial services and healthcare industries are highly regulated by federal data privacy laws like the Gramm-Leach-Bliley Act and HIPAA, respectively.
Even though financial services’ data breaches dropped by more than 50% (4.1% to 1.9%), a global study by Capgemini showed that only 21% of 183 surveyed senior data privacy and security professionals at financial services companies were “highly confident” in their organization’s ability to detect a data breach, creating data security risks. This uncertainty wasn’t relegated to the SMB group, either. Forty percent of the surveyed professionals came from companies with revenues of $10 billion or more. To help with these issues, the Federal Financial Institutions Examination Council (FFIEC) offers a variety of cybersecurity resources for financial institutions.
Further, the lower occurrence of data breaches in healthcare does not mean that they don’t occur. The US Department of Health and Human Services fined a hospital that ignored the security risk to patients’ ePHI. It had knowledge of data breaches, but did little, if anything, to counter them over the course of many years. Data breaches can have unforeseen consequences for healthcare companies’ business and customers, such as botched business deals and vendor pullouts, in addition to decreased consumer confidence in an affected company’s reputation.
The Good News.
Nonetheless, many companies should be applauded for their efforts at minimizing data security risks. Many have chosen to invest in training.
Conduct training can be an effective way to mitigate data breaches, as human error is a huge risk to cybersecurity. A Ponemon Institute report on closing data security gaps shows that insider negligence is the leading cause of data loss or theft. The National Center for the Middle Market explains:
Employees are your biggest cybersecurity risk–and also, potentially, your biggest asset. Cybersecurity is everybody’s job and mistakes by employees, contractors, and vendors – using weak passwords, opening attachments from an unfamiliar source, misconfigured settings – lead to the overwhelming majority of successful attacks.
Scams are becoming more sophisticated; common sense isn’t enough to protect employees anymore. As long as employees have access to personal or sensitive information, they can be a risk even in the most sophisticated data security program. They need training to teach them to recognize the more subtle forms of persuasion, like phishing scams. Attacks like these are known as social engineering – trying to trick people into doing something that they would never do if fully cognizant of their actions. Data security training can mitigate these real data security risks.