Get access to the exclusive HR Resources you need to succeed in 2018.
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 14 cities across the U.S. this fall.
Gain the skills you need to rise to the next level in your career. Jon us at SHRM's Leadership Development Forum, October 2-3 in Boston.
Report: Companies should be more vigilant about protecting data and stopping attacks
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
Although cyberattacks are becoming more complex, according to
Verizon’s recently released
2015 Data Breach Investigations Report, hackers are continuing to use “decades-old techniques such as phishing and hacking” in order to access information.
The report also points out that scores of existing vulnerabilities remain because available security patches were never applied or because businesses never knew a hack occurred. “In fact, many of the vulnerabilities are traced to 2007—a gap of almost eight years,” according to a press release about the report. “As in prior reports, this year’s findings again pointed out what Verizon researchers call the ‘detection deficit’—the time that elapses between a breach occurring until it’s discovered.”
This is the eighth year Verizon has published a data breach report. For the report released in 2015, researchers analyzed
more than 2,100 confirmed data breaches and approximately 80,000 reported security incidents. The report states that the estimated financial loss was $400 million from 700 million compromised records worldwide.
Seventy percent of the cyberattacks used a combination of hacking and phishing and involved a secondary victim.
In 60 percent of breaches, cybercriminals were able to compromise an organization within minutes.
Yet, the report points out, many cyberattacks could be thwarted if organizations paid more attention to their cybersecurity efforts.
“We continue to see sizable gaps in how organizations defend themselves,” said Mike Denning, vice president of global security for Verizon Enterprise Solutions. “While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases.”
“Network security is now only effective 24 percent of the time, because in 76 percent of cases, hackers are getting access via lost credentials, stolen credentials, weak credentials, etc.,” Naresh Persaud, senior director of Oracle’s security product marketing, told
Forbes online. He and other experts say companies must be more vigilant when it comes to network security, especially since more employees are accessing the Web for work than ever before.
Conversely, CompTIA, a nonprofit trade association for IT professionals, says 52 percent of all breaches are due to malice or human error. The rest are a result of technology mistakes. Research from the SANS Institute reaches the same determination—that employee negligence is a huge cause of data breaches, as is social engineering (phishing).
Experts say companies need to train their employees not to click on suspicious links.
The 2015 report includes a first-time summary of the Internet of Things technologies. In some cases, hackers used devices connected to the Internet to insert botnets—a network of compromised private computers that have been infected with malicious software and controlled without the owners’ knowledge—for denial-of-service attacks.
This data reaffirms the need for organizations to make security a high priority when rolling out next-generation intelligence devices, the report states.
The Cost of a Breach
Verizon security analysts used a new assessment model for gauging the financial impact of a security breach, based on the analysis of nearly 200 cyberliability insurance claims, according to the press release for the Verizon report. It goes on to say that “The model accounts for the fact that the cost of each stolen record is directly affected by the type of data and total number of records compromised, and shows a high and low range for the cost of a lost record (i.e., credit card number, medical health record).
“For example, the model predicts that the cost of a breach involving 10 million records will fall between $2.1 million and $5.2 million 95 percent of the time, and, depending on circumstances, could range up to as much as $73.9 million. For breaches with 100 million records, the cost will fall between $5 million and $15.6 million 95 percent of the time, and could top out at $199 million.”
“We believe this new model for estimating the cost of a breach is groundbreaking, although there is definitely still room for refinement,” Denning said. “We now know that it’s rarely, if ever, less expensive to suffer a breach than to put the proper defense in place.”
Just as in 2014, researchers discovered that there are nine basic patterns that make up 96 percent of security incidents. Companies can focus their security efforts on these nine patterns: miscellaneous errors, such as sending an e-mail to the wrong person; crime ware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial-of-service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.
Employers Must Be Proactive
Researchers at Verizon said the longer it takes companies to discover a data breach, the more time attackers have to wreak havoc.
In more than one-quarter of all breaches, it takes the victim organization weeks, or even months, to contain the breaches, according to the report.
Researchers said companies should:
Make people their first line of defense.
Only keep data on a need-to-know basis.
Encrypt sensitive data.
Use two-factor authentication.
Remember physical security.
“This report should not be viewed as a game ender but rather a call to action for all of us (consumers, businesses, government and media) that we are way past midnight when it comes to the need for best practices, threat assessment sharing, and zero tolerance of those who refuse to do what must be done to protect our privacy and security,” Adam Levin,
founder and chairman of IDT911, a provider of data risk and identity management services, told
SHRM Online in an interview via e-mail. “We can no longer humor those who would play fast and loose with the protection of our personally identifiable information."
Over the past 10 years, Verizon’s reports have addresses more than 8,000 breaches and nearly 195,000 security incidents. Verizon was among 70 global organizations that contributed data and analysis to this year’s report.
Aliah D. Wright is an online editor/manager for SHRM.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Get recognized as an HR expert. Earn your SHRM-CP and SHRM-SCP certification, and set yourself apart.
SHRM’s HR Vendor Directory contains over 10,000 companies