What recent industry data leaks tell us about CYBER-SECURITY

by Mark Wah, Principal Product Manager at Citrix 

The cat and mouse game of hackers chasing data and organizations working to secure their customers’ personal information continues, requiring security teams to regularly review their policies to keep up with the latest moves in the industry.

One of the best ways to predict the developing methods of hackers is to review recent data leaks, deciphering any standout trends. Such research has recently been conducted by Citrix ShareFile, giving us insight into where, and how, US data leaks might occur in the future.

Healthcare data is highly sought after

The data predominantly focuses on the industries that are most heavily affected by data leaks, with healthcare leading the way by a significant margin.

328 breaches were disclosed in 2017, amounting to over 5 million compromised records. Consider the level of depth that many healthcare offices and businesses contain, and it’s no surprise that they are so often in the hacker’s crosshairs. Medical histories, payment information, and social security numbers make their data a valuable catch in the eyes of hackers.

Given how sought-after their data can be, the healthcare industry often doesn’t protect itself as well as it should. Hospitals and doctors’ offices are often run like small-to-medium sized businesses, where one of the first budgets to be cut is data security. Combine high-value data with low-level security, and you can see why healthcare data breaches were estimated to cost the industry over $1.1 billion in 2017.

Other heavily-affected industries are technology, retail, and finance – with each costing their industry over $140 million due to data leaks.

Industries at risk can be usually be identified by high-value data or low-level security (or a combination of the two).

Healthcare data can be particularly lucrative, due to its high value on the dark web. Hackers can charge up to $1,000 per record for healthcare, much higher than other areas such as credit card information. This also accounts for the technology and finance industries – who hold a broad range of high-value data.

Retail on the other hand only holds addresses and credit card information. For fraudsters, this is only likely to lead to a one-or-two use basis before the holder of the account reports the activity and shuts it down. The appeal stems from the industry’s failure to fully protect itself from threats.

Small businesses are becoming bigger targets

Big businesses mean bigger prizes for hackers, but the increased security ramps up the difficulty level and lowers the chance of claiming that prize. As a result, the evidence suggests that hackers are increasingly turning their attention to smaller businesses. The gains are smaller, but the chance of success is higher.

As mentioned above, healthcare is an obvious target due to the sensitive nature of the data, but another example comes from the retail industry. Smaller retailers may not make the correct level of investment in cybersecurity, and with personal information and credit card details on offer, data theft is commonplace.

One example in 2017 came from Spiral Toys. 2 million records were reportedly compromised after it was discovered voice recordings of owners of their CloudPets toy were being stored online without adequate protection.

Ultimately, it only affirms the importance of cybersecurity to businesses of any size.

It costs the US economy a lot of money

Without proper investment in cybersecurity, you could end up contributing to a near $2 billion cost to the US industry. That was the estimated damage throughout the US in 2017, at an average of $3.62 million per breach.

According to data from Statista, 76% of consumer businesses in the US commit less than 8% of their annual IT budget to cybersecurity. Some businesses have sought to cover themselves with cyber liability insurance, but often it doesn’t cover the cost. Target, for example, could only recoup 36% of it’s $252 million cost for a breach in 2013.

Given the risk to a business, both financially and in irreversible damage to an organization’s reputation, higher cybersecurity budgets may be needed to tackle the issue.

Educating employees and employers is key

551 data breaches affecting US citizens were reported in 2017, and whilst 58% was a result of hacking or malware, unintended disclosure (27%) and physical loss (11%) are also significant threats.

Indeed, the biggest data breach in 2017 came from unintended disclosure. A faulty backup at River City Media accidentally placed over 1.3 billion records online – exposing data such as email and IP addresses.

Recognizing the different ways that data leaks can occur helps identify gaps in your organization and educate staff on the potential risks. Employees are often lax in their approach to cybersecurity, or simply don’t know that their actions could lead to a data leak.

As a minimum, companies should implement a stringent password policy, multi-factor authentication, anti-virus and encryption protections. Staff training should occur on a regular basis. Ensure staff is able to recognize social engineering and anti-phishing attempts and stay on top of the latest developments in data protection policy. The recent introduction of General Data Protection Regulation (GDPR) by the European Union is a good example of how businesses need to react to changes in policy and offer regular refresher training to ensure staff awareness remains high.

Firstly, however, the importance of cybersecurity needs to be acknowledged at C-Level. Data leaks often occur due to a lack of appreciation of the risks to an individual business, or an “it won’t happen to us” attitude – solving this starts at the very top. On the other hand, cybersecurity professionals operate more on a “when a breach will happen” basis rather than “if”.

Non-compliance can be catastrophic for the business in question. Under GDPR for example, the maximum penalty for non-compliance is up to €20 million ($23.2 million) or 4% of annual turnover – and that is before you consider the potential damage to a companies reputation.

Predicting the future of cybersecurity

The number of reported data breaches hasn’t risen significantly over the last decade – the concern surrounds the amount of data that is stolen.

Hackers are becoming better at stealing larger chunks of data. The 1.9 billion files compromised in 2017 is the second-highest of the last decade (behind a peak of 4.8 billion in 2016) – 2018 is forecast to top last year’s figure.

The biggest flaw? It’s no surprise that cybersecurity experts agree it’s still, and likely always will be, humans. Protecting key customer data needs buy-in from every single employee in an organization, not just the IT staff.

About the Author

Mark Wah, Principal Product Manager at Citrix Mark Wah is a Principal Product Manager with the Citrix Workspace Content Collaboration team with a focus on security and compliance. He was a Senior Product Manager at IBM Security where he managed a portfolio of Data Security Services that covers IBM Security Guardium, Cloud Data Security solutions and Data Loss Prevention (DLP) and Cloud Access Security Brokers (CASB). He also worked as a Senior Product Manager at RSA covering RSA DLP and RSA Security Analytics Malware Analysis module. He was a software engineer for more than 10 years covering DLP, information management, and business continuity solutions at both RSA and EMC. He is a co-author of patents in the areas of Information Management, Information Classification and Database Fingerprinting