We covered four breaches on the Down the Rabbithole (DtR) newscast this week. While it started with a brief discussion of Target, three of the breaches were new, and they spanned industry and size of organization.
In "Into the breach," I wrote about breach as a symptom. Now we see evidence of a widening gap between the perception and reality of data breaches.
Organizations continue to believe they are neither targeted nor likely to succumb to attack. They delude themselves into thinking that either they can invest enough to prevent breaches or their profile keeps them under the radar.
The operating reality of breaches is no longer if, but when.
The reality: when breach happens to you
According to Thomas Reagan, the Large Risk Underwriter for Beazley’s Breach Response Insurance, the number of reported data breaches is on the rise. This includes the over 500 data breaches they handled in 2013.
Reagan explained that “organizations have not fully come to grips with the reality that it’s not if, it’s when. There’s still this notion that they can prevent breaches from happening, or this doesn’t apply to them. That they’re not an organization in the crosshairs.”
Newfound awareness and reporting
While the number of reported breaches is increasing each year, Reagan pointed out that it is too soon to tell if the overall rate (percentage of companies experiencing data breach) is increasing.
Perhaps some of the rise in reported breaches is the result of reporting laws coupled with advances in detection (and knowing what to look for). As a result, more breaches are discovered and reported; it may not mean more breaches are happening.
Data breach is becoming a part of the daily landscape. It is no longer a surprise, and the growing value of data helps explain the interest from attackers.
The proliferation of data
Over the last two decades, the cost of storage decreased as the ease of collection increased. Data abounds and that means anyone and everyone is a target.
Organizations of all sizes struggle to categorize, store, and handle information. It's a growing business with a lot of potential. Attackers see the potential, too. Their investment is in how to find, extract, and exploit the data.
The road ahead
It's time to encourage a shift in thinking. We need to close the gap between perception and reality. Breaches are the reality. Organizations of all sizes need to consider this and act accordingly.
We need to continue to explore and discuss where the harm really is. Ultimately, it leads to different ways of thinking about and protecting information. It means organizations need to consider how to implement Minimum Viable Security.
We need more transparency. That likely means changing the nature (and perhaps the liability) of companies' ability to describe what happened. Instead of mocking and castigating mistakes, the challenge is to draw on what happened to improve the fate of others.