Posted on Dec 9, 2019
This past year has been quite a year for data breaches. From DoorDash to FEMA, billions of records were breached in 2019, causing millions of dollars in damage. Criminals phished, targeted small businesses and used psychological as well as technological attacks to make money, spy on competitors, and generally cause mayhem.
What data breach trends were big this past year? And what should you be looking for in 2020? Here are some of the most recent data breach trends and statistics.
The first half of 2019 saw 3,800 publicly disclosed breaches and 4.1 billion records exposed, according to data from Norton. That’s a 54% increase in reported breaches compared to the same time period in 2018.
Those breaches cost companies big — The Ponemon Institute’s Cost of a Data Breach report puts the total cost of a breach at $3.92 million dollars — each lost record represents a cost of $150. The biggest contributor to breach costs? According to Ponemon, it’s loss of consumer trust and it can impact an organization for years; a third of the data breach costs studied by Ponemon affected the companies more than one year after the breach itself.
If you work for a small or mid-sized business, you may think you’re beneath the notice of bad actors. You’re not; over the past three years, the number of small businesses that have suffered a cyberattack has increased sharply.
Why? Perhaps because small businesses aren’t prepared for an attack; Ponemon’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report found that just 30% of the small businesses surveyed believe their IT security posture is strong against threats. This may come down to a lack of resources: 77% said they didn’t have the personnel to mitigate cyber risks and breaches, 55% didn’t have the budget, and 45% didn’t know how to protect themselves against attacks.
Unfortunately, the lack of resources means that breaches have more of an impact on smaller companies. Ponemon found that organizations with between 500 and 1,000 employees had an average data breach cost of $2.65 million, or $3,533 per employee as opposed to large organizations, which averaged $204 per employee. This makes it hard for small to medium-sized businesses to recover from a breach.
Cybercriminals are often stereotyped as targeting technology, but bad actors are hacking human behavior as often as they hack networks and systems, using psychological tricks to scam personnel into divulging important information, such as credentials, financial information or other sensitive data — or into unwittingly downloading malware.
Phishing scams started to see a resurgence in 2018 and remained big in 2019, accounting for a quarter of all cyber insurance claims. Many of the attacks had social engineering elements to them - Security Boulevard reports that 85% of organizations saw phishing and social engineering attacks in the past year — an increase of 16% in one year.
Cybercriminals are increasingly targeting third parties that work with a lot of other companies. American Medical Collection Agency, for example, handled billing for several healthcare groups, and therefore handled sensitive data for other clients. Evite’s hack earlier this year was also a vendor attack, because Evite although the company is a B2C, it’s also a B2B, and client data was exposed.
Vendor breaches allow criminals to do a couple of things — bad actors can access large enterprises through small, less secure vendors in their extended ecosystems, or they can gain access to several large enterprises through a provider that works with many big clients. No matter how they access your data, however, you’re just as at fault if criminals breach one of your vendors as if they breaches your own network, and once again, those breaches will cost you – according to Ponemon, if a third party causes a data breach, the cost of the attack increases by more than $370,000.
Many attacks went undiscovered for months in 2019. American Medical Collection Agency, for example, experienced a breach that started August 1, 2018 and was discovered on March 30, 2019, while Georgia Tech was first breached on December 14, 2018 —that attack was found on March 22, 2019.
Both these situations are typical. According to Ponemon’s Cost of a Data Breach Report, the mean time to discover and fix a breach is 279 days — the better part of a year. The faster a breach is found and contained, however, the less of an impact it has.
Catching attacks early – whether those attacks are aimed at your networks, or those of your third parties — is vital in limiting the impact of breaches.
Automated tools, like SecurityScorecard’s threat reconnaissance engine, are vital in helping your scan for breaches and attacks at all times. We help you and your organization’s business stakeholders to continuously monitor the most important cyber security KPIs for your organization and extended enterprise, using our own proprietary information, commercial, and open source threat intelligence to identify threats.
Once a risk is identified, we deliver actionable security intelligence that enables security and risk management teams to find and reduce vulnerabilities before bad actors can exploit them, limiting your risk.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.