Software Integrity Blog


2017 saw an increase in data breaches (and most were preventable)

A few reasons for the increase in data breaches: Attackers are getting better, tools are getting more sophisticated, and the attack surface is growing.

For data breaches, 2017 was (no drum roll, please)…The. Worst. Year. Ever.

No drum roll needed, because there wasn’t even a shred of suspense about it. Just as it will be no surprise to learn a year from now that 2018 was the new worst year ever for data breaches.

A small flood of reports released this week provides plenty of depressing details. And although some of them differ wildly on the raw numbers, the consensus is that 2017 set a new record—by a lot.

According to the Cyber Incident & Breach Trends Report from the Online Trust Alliance (OTA), the number of breaches almost doubled from 2016. The Identity Theft Resource Center (ITRC) and CyberScout’s 2017 Annual Data Breach Year-End Review put the increase in data breaches at nearly 45%.

“Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society, in a press release accompanying the report.

The vast difference in the number of breaches—OTA reported an increase from 82,000 in 2016 to 159,700 in 2017, while ITRC reported a jump from just 1,091 to 1,579—is in large part because OTA creates estimates based on what it believes are the number of unreported incidents. But Wilbur also said OTA collects statistics worldwide, while ITRC focuses on the United States.

Vast majority of incidents go unreported

According to OTA, threat intelligence data indicates that “the true number of incidents is more than 30 times the number of reported breaches.”

Indeed, it says its own estimate likely reflects only half of all incidents: “Since most incidents are not reported to executives, law enforcement, regulators or the public, the actual number of harmful incidents could easily exceed 350,000.”

A third report, the 2017 State of Malware from U.S. security firm Malwarebytes, found that ransomware attacks against consumers increased by 93% and by almost that much (90%) against businesses.

And the key findings of the French multinational Thales, in the global edition of its 2018 Data Threat Report, were that 67% of global enterprises had been breached, with the United States exceeding the average at 73%; that 42% of those breached in 2017 had been breached in the past; and that a 79% increase in IT security spending didn’t even slow down the increase in data breaches.

Whatever the actual count, the trend is the same—a major increase in data breaches year after year. While that is offset slightly by a bit of good news—the Ponemon Institute’s finding that the average cost of a data breach incident worldwide in 2017 declined to $3.62 million, or by 10% from 2016—the United States bucked the trend, with a 5% increase to $7.35 million that put it at about double the worldwide average.

The OTA report noted the breaches that grabbed the most headlines: Equifax (personal, financial, and credit data on 145 million people), Uber (57 million riders and drivers), Verizon (14 million), and the announcement last year that all 3 billion Yahoo user accounts had been compromised in 2013.

But it said the growth in ransomware was particularly worrisome. Symantec estimated that the number of ransomware attacks targeting businesses nearly doubled from 2016 to 2017, and the FBI estimates there are now 4,000 ransomware attacks per day. A new form of ransom-based attack—ransom DDoS (RDDoS), in which attackers threaten a DDoS unless a ransom is paid—is prevalent enough to prompt a recommendation that organizations set up a digital wallet just in case, since most of the demands are for payment in Bitcoin.

The report also tracked business email compromise (BEC) and connected device vulnerability.

The stats from ITRC are mostly negative as well: Up to 14,207,346 credit cards were exposed in 2017, an 88% increase from 2016, and potentially eight times as many social security numbers were exposed in 2017 as in 2016.

Not all sectors saw an increase in data breaches

If there was any good news, it was that ITRC found “the medical/healthcare sector, educational sector and government/military sectors all reflected decreases in the percentage of data breaches from 2016 figures.”

But the mostly bad news is likely to continue. A couple of obvious reasons for the increase in data breaches are that attackers are getting better, their tools are getting more sophisticated, and the attack surface of devices and data continues to grow. But a major reason so many more breach attempts are successful is that victims don’t follow the security advice they have been getting for years.

Indeed, according to OTA, 93% of breaches could have been prevented “had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognize phishing attacks.”

In other words, more than 9 out of 10 organizations fall into the so-called low-hanging fruit category because they can’t or won’t implement basic security hygiene.

Why? Wilbur said some of it might be denial—the belief that a breach will happen to “the other guy.”

And it may also be the continuing perception that security costs money instead of saving it. “Part of what we’re trying to do in this report is raise the awareness not only of the magnitude of the threat but the impact of ignoring it,” he told Synopsys.

He said the report’s sections on the “economic value of readiness” and of changing regulations “highlight the real risks—financial, legal, and reputational—associated with ignoring best practices.”

Governments starting to ramp up pressure

And governments are starting to put more pressure on companies, not only to improve their security but to report when they have been breached.

“There is a clear trend toward tightening both the definition of a breach incident—the number of records, type of information, etc.—and the timeframe for breach notifications,” Wilbur said. “The European Union General Data Protection Regulation (GDPR) requirement, which takes effect in May, is 72 hours.”

So once again, while there is no such thing as bulletproof security, these basics ought to be mandatory and can keep your organization out of the low-hanging fruit category:

  • Conduct a complete risk assessment that includes internal, third-party, and cloud-based systems and services.
  • Patch, patch, and update. Always be running the latest version of your software.
  • Encrypt, encrypt, encrypt—end to end. Make sure you have secure encryption key management.
  • Don’t use devices, operating systems, and applications that are no longer supported.
  • Make sure devices and servers are configured securely.
  • Avoid business email compromise. Have spam blockers that keep out malicious email.
  • Conduct regular security awareness training so workers don’t fall for phishing emails and other social engineering attacks.
  • Train employees in both physical and data security to avoid lost data, files, drives, devices, and computers.
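The OTA report's advice to block fake email using email authentication is a check a defender can actually script. The following is an added example, not code from the original post or from OTA or Synopsys: it parses SPF and DMARC TXT records and reports where a domain's policy is only monitoring rather than enforcing. The domain names and records are constructed sample values (no DNS lookups are made), and the `assess` function and its wording are this example's own.

```python
"""Grade constructed SPF and DMARC records for enforcement strength.

Added example, not from the original post. The records below are
constructed sample TXT values keyed by placeholder domains; a real
check would fetch them from DNS (TXT at the domain and at _dmarc.<domain>).
"""
import re

# Constructed sample records (placeholder domains, not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' DMARC syntax into a dict of lowercase tags."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_mechanism(record):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+') or None.

    A bare 'all' defaults to '+' (pass), which authorises every sender.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"


def assess(spf, dmarc):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    qualifier = spf_all_mechanism(spf)
    if qualifier is None:
        findings.append("no SPF record or no 'all' mechanism: any host may send as this domain")
    elif qualifier in ("~", "?", "+"):
        findings.append(f"SPF '{qualifier}all' is not a hard fail; SPF alone will not reject spoofed mail")

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("no DMARC record: receivers have no policy to apply to spoofed mail")
    else:
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
        if policy != "none" and pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
        if "rua" not in tags:
            findings.append("no rua= address: aggregate reports of spoofing attempts are not collected")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its findings so the results can be checked or printed."""
    return {domain: assess(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        status = "ENFORCING" if not findings else "WEAK"
        print(f"{domain}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

A domain that comes back `ENFORCING` still needs DKIM signing on its outbound mail for DMARC alignment to succeed; the script only shows whether receivers have been told to reject what fails, which is the step the "p=none, monitor forever" pattern leaves undone.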
