Despite the ongoing threats of cyber criminality, companies continue to fail to adequately protect their valuable data resources, says digital security provider Gemalto Africa identity and data protection manager Neil Cosser.
This was evidenced by the findings in Gemalto’s ‘Breach Level Index’ report, released in March, which revealed that 1 792 data breaches had led to almost 1.4-billion data records being compromised worldwide during 2016 – an increase of 86%, compared with 2015.
“There’s very little that cybercriminals can do today that’s truly new – and yet, 2016 was no different, as industry continued to grapple with serious incidents where data protection is concerned. As technology continues to shift and shape how we connect with brands and each other, personal data has become a highly valuable and lucrative commodity.”
The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used and whether the data was encrypted. By assigning a severity score (running from one to ten) to each breach, the Breach Level Index provides a comparative list of breaches and distinguishes data breaches that are not serious from those that are truly impactful. According to the index, more than seven-billion data records have been compromised since 2013, when the index began benchmarking publicly disclosed data breaches.
Gemalto VP and data protection chief technology officer Jason Hart highlights that the Breach Level Index outlines four major cybercriminal trends over the past year. Hackers are casting a wider net and are using easily attainable account and identity information as a starting point for high-value targets.
“Fraudsters are also shifting from attacks targeted at financial organisations to infiltrating large databases, such as entertainment and social media sites, and have been using encryption to make breached data unreadable, then holding it for ransom and decrypting it once they are paid.”
Identity theft was the leading type of data breach in 2016, accounting for 59% of all data breaches. Cosser explains that, by gaining access to personal data, cybercriminals can extort money from victims to avoid having their private information made public.
“These kinds of attacks are making data breaches much more personal than other security incidents, which typically involve ransom against companies or the theft of financial data that does not expose users to public scrutiny.”
South African breaches increased from six in 2015 to 11 in 2016. Overall, from 2015 to 2016, government had to contend with the most attacks – reported at nearly 60% in 2016, compared with 50% reported in the previous year. Government entities, including the Department of Water Affairs and Sanitation as well as the Government Communications and Information Services, accounted for 5 800 and 33 000 breached records respectively in 2016.
“Governments hold large volumes of citizen data or personal identifiable information that would allow for identity theft. If they are successful in penetrating a government department, cybercriminals can potentially walk away with a huge number of identities – a pretty good return on investment for one attack.”
Cosser stresses that a key message of the 2016 Breach Level Index report is that, as threats continue to multiply and increase in sophistication, it is more important than ever that organisations maintain awareness of current security trends.
He warns that, in addition to taking more comprehensive steps to ensure data security, companies need to protect their reputations by educating their customers on the security measures that are in place.
“Consumers have clearly made the decision that they are prepared to take risks when it comes to their security, but should anything go wrong, they will . . . blame the business. The modern-day consumer is all about convenience and they expect businesses to provide this while keeping their data safe.”
With the impending threats of consumers taking legal action against companies, Cosser points out that an education process is clearly needed to show consumers the steps they need to take to protect their data. Implementing and then educating consumers about advanced protocols, such as two-factor authentication and encryption solutions, will demonstrate that the protection of their personal data is being taken very seriously.
Further, as a result of relentless news coverage of security breaches and data loss, many governments globally are considering introducing or are in the process of introducing legislation that will help protect the personal data of citizens.
“There are obvious signs that significant risks lie ahead if companies do nothing to change how they protect data because these new regulations will have major implications for all the ways in which data is collected, stored, accessed and secured.”
Compliance will have an impact on the processes, technology and manner in which stakeholders – particularly within the employer and employee parameters – handle and process personal information, he concludes.