May is not yet over. There are still seven months to go before 2015 arrives, yet Internet security experts are already calling 2014 the year of the data breach. The situation is bad and it is expected to get worse. Before the year draws to a close, many millions of Internet and email users will discover they have had their computers infected with viruses or have become victims of Internet fraud.
The U.S. Healthcare industry has been hit particularly hard this year. In February, Anthem Inc. discovered a hacker had infiltrated its computer network and stole 78.8 million insurance records. Just days later, Premera Blue Cross, another U.S health insurer, uncovered a similar cyber attack that exposed the records of 11 million subscribers. The month of February was just over halfway through, but more confidential healthcare records had been exposed than in the whole of 2012 and 2013 combined.
Then there was the cyberattack on Target. Up until February 1, Bloomberg BusinessWeek calculated the retailer had spent approximately $61 million to cover data breach resolution costs. All three of these data breaches were suffered by large organizations who had invested heavily in data and network security systems. Yet despite the investment they still suffered massive data breaches.
What makes the Target data breach stand out though is the fact that the company’s security system actually detected the intrusion. For some reason, Target decided to do nothing about it. To state the obvious, this was a mistake. So far over 100 separate lawsuits have been filed against the retailer, in the most part citing negligence for failing to protect customer data and not taking action quickly enough when the breach was discovered.
The attack exposed the records of over 110 million customers and the banks have already been forced to spend in excess of $200 million as a result. When the lawsuits are resolved, the final cost of the data breach doesn’t even bear thinking about. Typically, data breach victims seek damages of around $1,000 a head.
Then there was Heartbleed. For those who somehow missed it, this was one of the biggest and potentially most serious security vulnerabilities ever discovered. It would appear that the bug was identified in time to allow companies to prevent it from being exploited. However, that is difficult to ascertain with any degree of certainty. If the security vulnerability was exploited, there would be no way of telling whether data had been stolen.
The cost of plugging this security hole was considerable. Companies were forced to take rapid action to secure their networks and computers before hackers could take advantage. The same cannot be said of consumers. It would appear that little has been done to protect against the bug. Following the announcement very few individuals have even changed their passwords or taken other steps to protect themselves. A recent survey conducted by MarketWatch indicates that little has been done because consumers are not even aware of the Heartbleed bug. Half of those surveyed had never even heard of it, let alone the actions they need to take to protect themselves from attack.
Many of the major data breaches suffered this year did not actually occur in 2014. Hackers first gained access to networks last year or even earlier. This was the case with Anthem, Premera, and also Neiman Marcus, another major data breach uncovered this year. That attack was also discovered in February 2014, which could become known as “the month of the data breach”.
For the past eight months, Neiman Marcus’s systems have been open to hackers. Such a breach should have triggered the company’s security system. Which it would have approximately 60,000 times had that security feature not been inadvertently turned off. Suspicious server activity was unfortunately not being monitored.
These data breaches have proved very costly indeed. According to the Ponemon Institute, the cost of resolving data breaches has increased again this year making matters worse for companies attacked by hackers.
Security systems are excellent, but what about the security staff?
It is all very well installing multi-million-dollar cybersecurity defenses, but if skilled staff are not employed to interpret the data, when networks are infiltrated by hackers intrusions may not be discovered until many months later. This was certainly the case at Neiman Marcus, but also at Target. Had the system been checked, Target would have been made aware that its defenses had been turned off. It took a full post-breach audit to determine this was the case. This should have been checked on a regular basis. Doing so may not have prevented the breach, but it could have reduced the damage caused.
The problem for many IT departments, CISOs and CIOs is a lack of funding. Organizations appreciate that money must be allocated to counter the cybersecurity threat, but too little is being spent. This was highlighted by the Ponemon Institute study. Respondents indicated that a doubling of the security budget is necessary to counter the threat, install better security, allow audits to take place, and to employ the staff necessary to monitor systems for signs of attack. If security budgets do not increase, data breaches certainly will.