In 2014, mega-breaches sadly became the norm, and we -- whether consumers, employees, or IT managers -- were stuck in a never-ending cycle of resetting passwords. Each notice came with the familiar reminders to use stronger passwords and to make them unique across all your apps. We recently shared a list of the world's biggest data breaches of 2014, from Sony to Home Depot, with Re/Code. Let's take a closer look now.
With security needs, and the number of security solutions on the market, both growing every year, it's clearer than ever that organizations need to carefully prioritize their 2015 security initiatives. To help, we've pulled together a few insights drawn from these major breaches, along with some suggestions.
Sony was not the biggest known "data" breach of 2014
Like snowstorms, every data breach is unique. It's not always the amount, but the type of snow (or in our case, data) and the accompanying conditions that determine how it actually affects you. In terms of news coverage, cost, and brand damage, Sony wins (or loses, depending on how you see it) hands down. In terms of record count and data affected, however, Sony ranks only as the 33rd largest data breach of the year. Instead, eBay takes the "largest data breach of 2014" award, with more than 150 million records compromised. At the end of the day, whether 10 records or 10 million, it's not the size of the breach that matters but the impact on your business, customers, and employees.
2014 data breach trend: size (of company) doesn’t matter
An important trend we noticed in the 2014 data breaches is that small and medium-sized businesses (SMBs) have increasingly become major targets for cyber criminals. Because security is often a lower priority, and a relatively higher-cost initiative, for these businesses, attackers consider them soft targets and seize the opportunity to compromise SMB systems. Criminals might simply steal the data and sell it, but in many cases they have also attempted to extort money. Worse still, credentials stolen from SMBs have become a way of gaining access to their customers' environments, including much larger corporate systems (e.g., the third-party vendor credentials used in the Target and Home Depot breaches). So a breach at your organization might not put you in the top 10 or 100 by record count in 2015, but the impact can still incapacitate you and your customers.
Unfortunately, this has led some organizations to learn the hard way why they need to enforce stricter security controls for their third-party partners and vendors. Manage third-party risk before their issues become your own, and identify the partners that could have the greatest impact on you: those with access to your network, your systems, or your sensitive data. Not all relationships are equal, and neither should be the controls you use to protect your company, so limit each partner's access to what the relationship actually requires and focus your efforts on those that can do the most damage.
Many organizations struggle with the human side of breaches
You can look up how you are supposed to manage a security incident in any number of guides and standards. Additionally, most US states have now passed security breach notification legislation, and depending on your industry and the type of data involved, there may be specific rules you have to follow. What is missing from all of those mechanical processes, however, is how to communicate clearly and efficiently with the people you have just impacted.
The Sony hack -- and the resulting employee lawsuits -- is a good example of how messy things can become, and of how important communication and appropriate handling of those affected is after a breach. While the lawsuits might have been inevitable, and Sony performed within the requirements dictated by law, it did not go beyond them to try to make things right. Breaches are rough, and they tend to happen to everyone, in varying degrees, eventually. But treating a breach as a purely tactical security and compliance issue, without addressing the more human, emotional side, can lead to additional and unnecessary damage.