Monday, 03 October 2022

As Data Compromises Rise will Companies Change Practices to Meet Them?

The latest report from the ITRC (Identity Theft Resource Center) has been released and it shows us some sadly unsurprising data. According to the report, 2021 data compromises are up 68% (1,862) compared to 2020 numbers and 23% higher than the previous record year, 2017 (1,506). The report adds that compromise of sensitive personal data is also up but has not topped 2017 as the record year for that type of data loss. Attack trends have changed slightly, with attackers appearing to target specific data rather than just trying to dump everything. This has led to an overall reduction in the total number of actual victims, while the number of repeat victims is still very high.

Beyond the alarming numbers, the report also provides some data that can be used in a proactive manner. By identifying what types of attacks are becoming more common, the report gives clear areas for improvement. For example, ransomware attacks have doubled year over year for the last two years. Analysts expect this trend to continue, making ransomware the number one attack type by the close of 2022. Cyber-attack related breaches alone accounted for more data compromises than all data compromises of every type in 2020. All business verticals and sectors saw an increase except for the military (there were no “disclosed” incidents). The report also revealed that more and more organizations are electing to hide the root cause of incidents (another sad item).

Overall the report indicates a low level of readiness for an attack across most business verticals. While no one was truly prepared for the events of 2021 when the pandemic hit, there is simply no excuse for not aggressively adapting to meet the shift in the threat landscape and protect personal information properly. The fact that ransomware attacks are increasing year over year shows that no one is listening as security researchers explain that legacy anti-malware software and practices are just not enough. There must be a shift in how things are done. Organizations must adapt their practices to include a distributed work environment and they must do it now or 2022 will be even worse than 2021.

The manufacturing and healthcare industries need the most adjustment. Here we see an almost obstinate attitude towards security, and vendors tend to control that attitude. In both manufacturing and healthcare, it is not uncommon to see hardware and software that is end-of-life and end-of-support still actively running and exposed to attack. The use of modern anti-malware agents on these devices is often not possible due to their age or sensitivity. Even when the software is new(ish), anti-malware agents are discouraged due to their potential impact on the endpoint in question. It is a security nightmare, to be perfectly honest.

Other business sectors should be paying attention too and need plans to adjust to these new trends. Changing out older systems and adapting policies is not easy, but it is something that must happen. New and more modern preventative software and policies should go into effect as soon as possible. A focus on anti-malware and data loss prevention will help reduce the threat of ransomware if it covers all endpoints properly. These same changes can also have a positive impact on exposure to other cyber-attacks.

The report has some staggering numbers that, given the state of organizational security, are not surprising. Despite warnings and the obvious trends in attack frequency and targeting, we still see a rather lax attitude towards actual security measures. There has been an increase in the purchase of breach/incident insurance though. This trend is the most concerning to me. It shows a frustration on the part of organizations: they buy a way to manage the financial impacts rather than working to identify and remediate security problems in their environment. This is a trend that we have been tracking for a few years and one that I am not happy with. Insurance does not protect the people that are impacted; it only protects the financial interests of the people running the organization. The lack of transparency would seem to support this new trend as well. By hiding how the incident occurred, companies may feel they are hiding security weaknesses. However, from a consumer perspective it just makes them look like they are hiding incompetence.

2022 could be a transition year for security. It is up to businesses to determine what type of transition it is though. Will we see a vigorous response that drives down the number of data compromises? Or will we see more CYA responses while ignoring the actual problems and putting more and more people’s data at risk?
