Beazley announces findings from analysis of 1,500 data breaches
Employee errors at the root of most data breaches, but breaches caused by malware or spyware prove more costly
San Francisco, 18 September 2014
Beazley, the pioneer in breach response insurance, today announced findings from an analysis of more than 1,500 data breaches at the International Association of Privacy Professionals' (IAPP) "Privacy Academy and CSA Congress."
Top insights from data breaches serviced by Beazley in 2013 and 2014:
- The two most common sources of breaches seen by Beazley are unintended disclosure, such as misdirected emails and faxes (31%) and the physical loss of paper records (24%), which is particularly prevalent among healthcare organizations.
- Breaches due to malware or spyware represented only 11% by number of breaches in 2013 and 2014, but they have been increasing, with the total number of breaches in this category growing by 20% between 2013 and 2014. Due to heavy forensics costs (money spent to find out exactly how the breach occurred) these breaches are on average 4.5 times more costly than the largest loss category, unintended disclosure.
"With more information being stored electronically and in the cloud, the risk of data breaches is growing," said Katherine Keefe, Head of Beazley Breach Response (BBR) Services. "Consumers expect their privacy will be protected, and a data breach can have serious reputational and financial impact."
The number of individuals affected by the data breaches Beazley has handled now exceeds 14 million.
The reputational impact of data breaches can be very severe. An Economist Intelligence Unit study conducted among consumers in 24 countries in March 2013 found that 18 percent of respondents had been a victim of a data breach. Of those individuals, 38 percent said they no longer did business with the organization 'because of the data breach'. A larger number, 46 percent, said they 'advised friends and family to be careful of sharing data with the organization'.
Beazley's BBR Services
"The majority of data breaches are avoidable with appropriate training and security measures in place," said Keefe, noting the particular need for encryption services for both large-scale computer networks and mobile services as a cornerstone of cloud security.
In the event of a data breach, reputational and financial impact can be minimized by a considered response. Beazley's BBR Services bring together a team of experienced legal counsel and IT specialists who identify where the breach occurred and how much data was compromised, and manage notification of customers affected.
"Understanding the cause and extent of the breach is a critical step in any breach response," stated Steve Visser, Managing Director, Disputes and Investigations Practice, Navigant Consulting Inc, a partner to Beazley's BBR Services. "We have seen companies react too quickly without fully understanding the breach. That could result in them misinforming their customers or the public."
Katherine Keefe and Steve Visser will be participating in a live step by step data breach scenario at the "Privacy Academy and CSA Congress", on Thursday, September 18, 11:00am.
In addition to releasing an analysis of 1,500 data breaches, Beazley released a top five list of ways to avoid data breach. The list can be found at the end of the release.
Data Breaches by Sectors Serviced by Beazley
Beazley provides breach response services to a range of sectors, with healthcare being the largest, followed by the higher education and the financial services sector. The companies benefiting from Beazley's coordinated data breach response services vary widely by size from sole practitioners in the form of individual physicians to large hospital systems and mid-sized retailers with revenues running into the billions of dollars. Beazley is also a provider of third party liability insurance for data breaches to many of the world's largest corporations.
Sources of Breaches Serviced By Beazley, January 1, 2014 - August 31, 2014
Beazley's Top Five Ways to Avoid a Data Breach
While data breach is on the rise, the majority of incidents are fully preventable. Here are Beazley's top five ways to avoid being caught out.
1. Encrypt your devices
- Over 73 percent of the breaches serviced by Beazley in 2013 involving portable devices could've been prevented if the devices were encrypted.
- Encryption is a safe harbor under virtually every breach notification law.
2. Automate patch management
- From 2013 to August 2014, Beazley has seen a 20 percent increase in breaches due to malware or hacking.
- Staying on top of the latest available software patches and moving to automated patch management can protect against a breach.
3. Enforce password complexity
- In 2014, the breaches serviced by Beazley due to hacking or malware cost 4.5 times more than the largest loss category (unintended disclosure).
- Computer systems can now systematically cycle through all permutations of potential passwords.
- Don't use "bad" passwords that are easy to crack ... dictionary words are capable of being deduced with an algorithm.
4. Be alert to phishing
- From 2013 to 2014, Beazley has seen a 10 percent increase in breaches attributable to someone inside the company, either an employee or contractor.
- Most breaches occur because of human error. Training is a critical step in breach preparedness. It is important to train employees to spot the indicators of a phishing email.
5. Double check before hitting send
- Thirty-one percent of the breaches serviced by Beazley in 2013/2014 were due to unintended disclosure.
- It may be simple, but double-checking the contents of a file, email address or mailing details can really save - especially when sending data to outside vendors.