2018 was a mixed bag for information security. According to the Identity Theft Resource Center’s 2018 End-of-Year Data Breach Report, there were fewer recorded data breaches compared to 2017, but there was a 126% increase in the number of breached records.
As you might expect, the business sector suffered both the most data breaches (571 of 1,244 total) and the highest number of breached records (415 million of 447 million). The healthcare sector was next in terms of breaches (363), while the government/military had the second-highest number of breached records (18 million).
ISO 27001 is helping
There are several concerning conclusions from the report, but let’s start with a positive. The decrease in breaches suggests that organisations are getting better at identifying vulnerabilities and addressing them promptly.
This practice is stressed in the international standard for information security, ISO 27001. The Standard outlines the importance of regular risk assessments, and of having an ISMS (information security management system) to manage data processing and information security practices.
With certification to the Standard becoming increasingly popular, it’s probably no coincidence that the number of data breaches has fallen.
Now the not-so-positive news. The report found that, when breaches do occur, more data records are put at risk. This can probably be attributed to the increase in incidents caused by unauthorised access.
In 2017, unauthorised access accounted for 11% of all breaches, which was the second most common type of breach after criminal hacking (59%). Those two categories again occupied the top two spots in 2018, but hacking comprised only 39% of incidents whereas unauthorised access jumped to 30%.
Unauthorised access describes a broad range of incidents with varying degrees of risk. For example, an employee who steals a colleague’s payslip has gained unauthorised access, but the breach only affects one person and a few data records.
However, if a member of staff breaks into the HR department’s files, they will have access to every piece of information the organisation holds on its employees.
In both instances, only one data breach has occurred, but the number of people affected is considerably higher in the second example.
The lesson here (besides the obvious statement that not all data breaches are equal) is that organisations must do a better job of protecting the biggest risks in their organisations. In most cases, insiders should be your top concern.
Preventing insider error
Unfortunately, protecting your organisation from employee mistakes or malice is the hardest part of information security.
ISO 27001 addresses the people problem comprehensively, providing solutions such as staff training, data protection policies and technologies to limit employees’ access to sensitive information. However, they take time to become effective.
Unlike technical vulnerabilities, which have clearly defined solutions, insider threats are hard to pinpoint and can only be mitigated by improving company culture. Employees must be taught the importance of effective security, learn to follow the processes you’ve implemented and understand the consequences of their actions.
Prepare for the threats of tomorrow
Staff awareness training will go a long way towards securing your organisation, and should be part of an overall security strategy. Employees follow management’s lead, so you need to demonstrate that you’re tackling information security across your whole organisation.
Take our brief self-assessment to determine how effective your existing measures are and find out what you can do to improve your information security posture.