As early as July, 2014 was already being called “The Year of the Data Breach”. Big brands like Home Depot and Target were the headliners, but they weren’t alone. Retailers and financial institutions of all sizes were combating cyber crime after cyber crime. Meanwhile, the healthcare industry suffered its share of incidents as well. In fact, 2014 saw the U.S. Department of Health and Human Services’ database of major breach reports (those affecting 500 people or more) surpass 30.1 million people.
The good news is that 2014 is over. The bad news is that in 2015, things could get even worse.
It seems that 2014 was more of “a sign of things to come” than it was “a moment in time.” This rings especially true for those of us who are safeguarding protected health information.
We have entered an unprecedented era where cyber attacks are becoming more frequent and more sophisticated with every passing day.
In a recent 60 Minutes special, FireEye CEO David DeWalt estimated that 97 percent of companies are getting breached, with hundreds of thousands of attacks happening on a weekly basis across the globe.
Retailers, banks and others are consistently increasing their spending related to security. They are trying diligently to prevent attacks. But in today’s environment, DeWalt believes that breaches “are inevitable.”
The burden that breaches place on the economy, individual organizations and consumers is significant. Widespread compromises of data are driving more than $11 billion in fraud each year. Just as costly is the fact that we are teetering on a crisis of confidence. Can anyone really protect sensitive data?
Given all this, should we just wave the white flag and surrender?
Obviously, the answer is no. While breaches may indeed be “inevitable” at the macro level, there are absolutely things that can be done to reduce the number of breaches that occur, and to give your organization a better chance of not being part of the statistics. What’s more, the eventual damage a breach causes is highly contingent upon how well you respond to it.
Consider this scary statistic. From the time a “bad guy” hacks into sensitive data, it typically takes 229 days for the breach to be detected. 229 days!
DeWalt argues, as do we, that trying to prevent a breach is only part of what your organization should be doing. A comprehensive approach means that you are assessing your risk of falling victim to a breach, identifying ways to keep that risk from materializing, and appropriately planning for how you will respond if you do experience a breach. In other words, how are you assessing and managing information risk within your organization?
The criminals eventually are going to find their way into organizations.
So, if you’re among the unlucky ones, the task at hand is to make sure the bad guys don’t gain access to your most important information, that you identify breaches much more quickly, and that you stop the criminals from leaving with valuable information. In short, limit the damage.
The plain truth is that the year ahead promises more of the same. A cybersecurity war is being waged, and your data is at the center of it. Make sure you are prepared for battle. If you haven’t done so already, I’d encourage you to download Clearwater’s whitepaper explaining our Information Risk Management Capability Advancement Model. It’s a free resource, and it offers an extensive framework for determining how well you are equipped to manage information risks, and what steps you should consider in the year ahead to strengthen your internal programs.
Here’s to hoping 2015 is a breach-free year for you!