The Identity Theft Resource Center (ITRC) publishes an Annual Data Breach Report, and the results are fascinating!
There were 1,093 breaches in 2016; that's about three a day.
It should be noted that data breaches are not all alike. They can be broken down into sub-categories by how the data was lost and by what information was exposed. What they have in common is that the exposed data usually contains personally identifiable information (PII) in a form thieves can read directly, in other words, unencrypted.
The ITRC currently tracks seven categories of data loss methods:
● Insider Theft
● Hacking
● Data on the Move
● Subcontractor/Third Party
● Employee Error/Negligence
● Accidental Web/Internet Exposure
● Physical Theft
The ITRC currently tracks four types of information compromised:
● Social Security number
● Credit/Debit Card number
● Email/Password/User Name
● Protected Health Information (PHI)
For the eighth consecutive year, hacking/skimming/phishing attacks were the leading cause of data breach incidents, accounting for 55.5 percent of the overall number of breaches.
Why is that, though? Most companies have some sort of user awareness training. Many people, however, think that training is a waste of time, or that it sucks, or that it is boring. Also, most companies don't have dedicated security awareness staff. Look closely at most security models and frameworks and you'll notice that many domains have their own dedicated staff, while security awareness is left as a shared responsibility that staff might give 10% of their time to if nothing else comes up. Is that the right way to solve a problem that has been growing for going on nine years?
Maybe the real problem is an employee behavior problem, not just a side duty for the security team. HR, training, corporate communications and Information Security all need to own it together. It's a team effort!