Navigating the Data Breach Landscape: A 2023 Overview

In today’s digital landscape, high-profile data breaches dominate news headlines. Almost every week, another significant breach sends shockwaves through the industry.
In August, the UK’s Metropolitan Police Force fell victim to a breach involving the theft of officers’ names, rank and photos. This was close on the heels of a similar breach in the Northern Irish Police Force.
The year started badly with 220M Twitter records sold on the dark web. In March, telco giant AT&T suffered the theft of 9M customer records and a LastPass compromise resulted in the theft of user password vaults. In July, Tigo, China’s most popular video chat service, was the victim of 146M stolen user records. In the same month, the now infamous MOVEit attack occurred, with far-reaching consequences for 600 (and rising) different organisations. The UK Electoral Commission also revealed a data theft involving 40M UK voters.
These breaches all share a common theme – their targets were high-profile enterprises or organisations.
This raises a pressing question for businesses outside the realm of the FTSE-100: “Should I truly be concerned about data breaches impacting my non-mega corporation?”
While the final decision rests in your hands, this article should equip you with information, facts and insight to help you answer this question.
Safeguarding your business
Mercer’s 2023 Global Risks Report outlines the size of the challenge by ranking “Cybercrime and Data Breach” at the 8th most pressing risk on a global scale. This is surpassed only by threats like climate change, biodiversity loss, mass migration and global resource crises. The report underscores the escalating danger cyber threats pose as our reliance on digital data and AI deepens.
What does this mean in the more modest scope of our question – what about MY enterprise?
Incidents of data theft and breaches are on the rise globally. IBM’s Data Breach Report reports a staggering 83% of organizations experienced at least one data breach throughout 2022. Financial repercussions have also risen, with incurred costs increasing by over 15% when compared to 2020.
In the UK, businesses of any size face a 40% annual risk of falling victim to a data breach. While the average monetary toll hovers around £20,000, it’s crucial to recognise that this figure merely scratches the surface. The intangible aftermath, including the loss of customer trust, shareholder concerns and the lasting impact on brand reputation, is unaccounted for in this figure. IBM’s insights reveal a more comprehensive perspective, placing the average cost of a breach, including these intangibles, closer to a more concerning $5 million.
Moreover, data breaches are a pervasive and persistent threat. Businesses that have survived one breach find themselves 83% likely to encounter a repeat incident within a year.
PII v IP
The term “data breach” conjures up images of stolen identities and personal information. However, this overlooks the broader scope of what constitutes a data breach. A data breach entails an “unauthorized disclosure of data”.
While Personally Identifiable Information (PII) like names, addresses, and emails is a frequent target, data breaches extend far beyond identity theft. Intellectual Property (IP) or business-sensitive data must also be considered. This includes business assets such as financial information, customer lists, client data, pricing strategies, R&D and trade secrets.
There is currently a global trend towards tightening Data Sovereignty (DS) which aims to protect an individual’s data and privacy. DS refers to the regulatory and policy governance at a global or regional level. Frameworks like GDPR and legislation like the Data Protection Act fall under this umbrella. A grim testament that these policies are needed is that almost 400 million personal records were stolen in 1802 breaches during 2022, a trend that seems set to continue this year.
When it comes to protecting against IP theft, fewer regulations exist. Non-PII data theft doesn’t require mandatory disclosure. The value of core IP and intangible assets to a business should not be underestimated. They can account for 50% of a company’s overall worth. This figure can climb even higher for businesses heavily reliant on IP.
The types of adversaries who target these different types of data can also differ. PII attracts hackers aiming to monetize stolen information on the dark web, whereas IP is more of a target for espionage, insider attacks, or even nation-state actors seeking to sell to competitors or exploit the assets for personal gain.
Businesses at risk in the digital age
In an ever-evolving landscape of cyber threats, the question isn’t whether a business is at risk, but rather what kind of business isn’t at risk. If your enterprise possesses something valuable, whether it’s customer data, IP, proprietary knowledge, or financial resources, then you are a potential target.
The notion that size or perceived insignificance shields you from attack is a misconception. In fact, it may make you even more susceptible. The adversaries behind these breaches are astute. They recognize that businesses dismissing themselves as too small or unremarkable are ideal candidates. While larger corporations with extensive cyber coverage offer a substantial reward for a successful breach, a smaller hacking team can still reap significant gains from smaller, less secure businesses.
The recent shift to hybrid working has compounded these risks. As employees demand seamless access to data, the home network’s vulnerabilities often become an unintended gateway to the corporate network. Hybrid working has inadvertently widened the playing field for cyber adversaries.
For non-PII data theft, certain sectors stand out as prime targets. High-intensity IP-centric industries like finance, accounting, legal firms, insurance, and R&D entities including biotech, life sciences, pharma, and universities are inherently more vulnerable. For those seeking maximum disruption, government bodies and the health sector remain alluring targets. Also attractive are technology-dependent businesses such as the IT sector.
So, just how substantial is the risk? The impending Digital Operational Resilience Act (DORA) casts a stark light on the situation. A staggering 78% of surveyed financial institutions found themselves entangled in third-party data breaches, a figure that escalated to 84% when considering fourth parties. The situation is further underscored by a report from the National Cyber Security Centre (NCSC) which cites that 75% of solicitor firms surveyed by the Solicitors Regulation Authority (SRA) in 2020 had fallen victim to cyber-attacks.
The surge in remote working has been a key catalyst in a 300% increase in attacks on accountancy firms. Similarly, the insurance sector remains an attractive target, and 70% of life sciences organisations have reported an increase in data loss incidents over the past year.
What truly is at risk in a data breach?
As highlighted earlier, the average financial toll of a breach for a UK business stands at £20,000. However, the true cost of a data breach extends well beyond the immediate financial implications, to a staggering average of $5 million when broader consequences of the breach are considered.
1) Customer Trust: A cornerstone of any successful business is reputation. As it is not mandatory to declare IP data theft, a true estimate of reputational damage is difficult. The loss of clients, abnormal customer turnover and damage to brand equity potentially account for 40-50% of the $5M figure. The truth is that, following a data breach, 60% of people would contemplate severing their ties with a business.
2) Financial Trust: As the financials are hit post-breach, shareholder trust can be impacted. According to estimates by the Harvard Business Review, the aftermath of a breach could lead to a 7.5% decline in stock value.
The different types of data breach
Previously, we established that a data breach is an “unauthorized disclosure of data.” In practice, data breaches are multi-dimensional, with various categories, each requiring its own distinct cybersecurity measures.
1) Physical Data Breach: This involves the physical removal of data through tangible means. It’s more than just misplacing a client file; it includes scenarios like printed materials, data copied onto a USB drive, or the loss of an unencrypted device containing sensitive information.
2) Application Data Breach: This involves the extraction of data through desktop or web applications, such as disclosing data in email contents or attachments, or data uploaded to cloud storage.
3) Network Data Breach: This involves the extraction of data through covert channels within an IT network. This might entail the accidental or malicious transfer of data to a compromised endpoint. Frequently, we can see early signs of this sort of breach from malware or hacker attempts to brute-force passwords or undertake network surveillance.
4) Supply Chain Data Breach: This involves data loss not from the originating business but from a third-party supplier. As more data is entrusted to external entities within the supply chain, this risk is growing. The MOVEit attack (above) is an example of this type of breach.
Bridging the gap in today’s IT defences
Whilst organisations such as regional Cyber Resilience Centres, the NCSC, or the NSA in the US provide independent advice on cyber hygiene, there continues to be an upsurge in data breaches.
Physical cyber security, data classification, authentication, authorisation, anti-malware and Data Loss Prevention (DLP) strategies are all essential elements in reducing the risk of data breaches. Modern IT departments have an arsenal of tools, from antivirus software to firewalls and intrusion detection systems. These tools predominantly focus on incoming threats, particularly malware. In reality, it is relatively simple for malware to circumvent AV or VPN, rendering them insufficient.
In 2022, 40% of breaches were identified by external parties, not the businesses themselves. An essential, often overlooked, element in eliminating data breaches is the monitoring of outgoing data and blocking data deemed unauthorised from leaving the confines of the business network.
This entails three crucial questions:
- Where is the data coming from? Is the application sending this data authorised, known and trusted?
- Where is the data destined? Is the destination of this data a known, trusted endpoint?
- How is the data being transmitted? Is the channel through which the data is being sent known and trusted? This includes channels such as VPN, TOR, torrents, etc.
By focusing on these crucial aspects, businesses can significantly enhance their defence mechanisms. Recognizing and addressing this often-neglected element can be the key to bolstering resilience against data breaches.
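As an added example (not code from the article or from ZORB Security), the script below applies the three questions above to a handful of constructed outbound-connection log lines: it checks the sending application, the destination and the channel against allowlists and reports why a flow would be flagged. The log format, the allowlists, the port labels and every host name are assumptions made for this illustration.

```python
"""Three-question egress review over constructed outbound-connection log lines.

Assumed log line format (not any product's real format):
    <timestamp> proc=<process> dst=<host>:<port> proto=<tcp|udp> bytes=<n>
"""
import re
from dataclasses import dataclass, field

# Constructed policy (assumption): applications, destinations and channels the
# business has decided are known and trusted for sending data outbound.
TRUSTED_APPS = {"outlook.exe", "OneDrive.exe", "chrome.exe"}
TRUSTED_DESTINATIONS = {"smtp.office365.com", "onedrive.live.com", "crm.example.internal"}
TRUSTED_CHANNELS = {("tcp", 443), ("tcp", 587)}

# Ports conventionally associated with the channels the article names as
# untrusted (Tor, torrents, ad-hoc VPN tunnels); used only to label findings.
SUSPECT_PORTS = {9001: "tor", 9030: "tor", 6881: "bittorrent", 1194: "openvpn"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Verdict:
    timestamp: str
    process: str
    destination: str
    allowed: bool
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    event["bytes"] = int(event["bytes"])
    return event


def check_event(event):
    """Answer the three questions: who sends, where to, and over which channel."""
    reasons = []
    if event["proc"] not in TRUSTED_APPS:                      # 1) where is the data coming from?
        reasons.append(f"untrusted application {event['proc']}")
    if event["host"] not in TRUSTED_DESTINATIONS:              # 2) where is the data destined?
        reasons.append(f"unknown destination {event['host']}")
    channel = (event["proto"].lower(), event["port"])           # 3) how is it being transmitted?
    if channel not in TRUSTED_CHANNELS:
        label = SUSPECT_PORTS.get(event["port"], "unapproved channel")
        reasons.append(f"{label} on {event['proto']}/{event['port']}")
    return Verdict(event["ts"], event["proc"], f"{event['host']}:{event['port']}",
                   allowed=not reasons, reasons=reasons)


def review(lines):
    """Run every parseable log line through the policy; malformed lines are skipped."""
    verdicts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # a real deployment should alert on unparseable telemetry too
        verdicts.append(check_event(event))
    return verdicts


# Constructed sample log (assumption): two legitimate flows, three that should be blocked,
# and one malformed line to show the parser ignoring it.
SAMPLE_LOG = [
    "2023-09-12T10:15:03Z proc=outlook.exe dst=smtp.office365.com:587 proto=tcp bytes=204800",
    "2023-09-12T10:16:41Z proc=chrome.exe dst=filedrop.example.net:443 proto=tcp bytes=52428800",
    "2023-09-12T10:17:09Z proc=OneDrive.exe dst=onedrive.live.com:443 proto=tcp bytes=1048576",
    "2023-09-12T10:19:55Z proc=svchost_helper.exe dst=198.51.100.23:9001 proto=tcp bytes=8388608",
    "2023-09-12T10:21:30Z proc=utorrent.exe dst=203.0.113.7:6881 proto=udp bytes=67108864",
    "garbage line that does not match the expected format",
]

if __name__ == "__main__":
    for v in review(SAMPLE_LOG):
        status = "ALLOW" if v.allowed else "BLOCK"
        print(f"{v.timestamp} {status} {v.process} -> {v.destination} {'; '.join(v.reasons)}")
```

The two legitimate flows pass all three questions; the large browser upload to an unknown host is stopped on the destination question alone, while the Tor and torrent flows fail on all three. In a real deployment the allowlists would come from asset and application inventories rather than literals, and the byte counts would feed volume thresholds as well.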
TL;DR
In summary, data breaches remain a potent threat and can have global repercussions. A data breach is unpredictable, with real, far-reaching consequences.
No business is immune to a data breach – if you possess valuable data, someone else likely deems it valuable too.
There are two categories of data at risk:
- PII (Personally Identifiable Information): This includes employee or customer data, and breaches of this nature have a legal mandate for notification.
- IP (Intellectual Property): This includes business-critical data – financial details, client information, R&D, etc. The more reliant your business is on your IP, the greater the risk from hackers and state actors.
Data breach repercussions are profound: not only do breaches lead to financial impact in terms of remediation costs and eroded stakeholder trust, but they also cast a shadow on reputation, potentially translating into millions of pounds in lost revenue.
Cybersecurity tools such as antivirus software, firewalls, multifactor authentication, authorisation, and DLP strategies can reduce the overall risk of a breach. However, eliminating data breaches requires a holistic approach – round-the-clock outbound data monitoring coupled with geo-location tracking of data endpoints is imperative.
About the Author
Dr. Mark Graham has spent over 30 years, in various roles, in the cybersecurity arena. He studied for his PhD in malware detection in Cambridge, UK. He has lectured in Information Security, Cybercrime, and Pen-Testing. He is co-founder of ZORB Security which specialises in eliminating data breaches.