As 2014 kicks off, we take a moment to reflect on the data breaches of 2013. A few staggering statistics jump off the page. According to Risk Based Security, Inc., 2013 had about a third fewer data breaches reported/cataloged than 2012 (3,140 in 2012 vs. 2,146 in 2013).
Good news, right? Not completely. The total number of records breached grew from 260 million (2012) to 822 million (2013). The average number of records exposed in each breach increased nearly 5 times from 83,870 to over 383,000.
Additionally, 8 of the top 15 largest breaches of all time occurred in 2013.
Why is Frequency Decreasing but Severity Increasing?
- Preventable breaches: Encryption technology is now employed by many organizations on portable devices such as laptops, mobile phones, backup tapes and USB drives. Proper encryption can turn a lost laptop situation from a multi-million dollar expense and liability into a simple $500 equipment replacement.
- Hacker sophistication: Much like their victim companies, hacking organizations learn from each breach. They have to fund their illicit activities while keeping risk vs. reward in mind, which is causing them to pick targets carefully, as maximum ‘payoff’ is key.
What Should We Expect in 2014?
- With new breaches reported each day, and more organizations purchasing cyber insurance, cyber carriers are increasingly paying losses. Expect market factors such as deductibles/retentions, premium rates, and insurer appetite to evolve.
- Government/industry regulation: With all of the large breaches in 2013, expect governments and industry associations to intensify their focus on best practices in security and penalties for non-compliance.
- Consumer attitudes: Smaller, more frequent breaches had desensitized consumers over the past few years, dulling their outrage or dissatisfaction. However, larger breaches in 2013, debated heavily in social media, have turned data breaches into highly discussed concerns, which could shift consumer attitudes towards various organizations.