As cybercrime increases and affects more of us each day, we have to be thankful for the creative solutions companies like CrowdStrike continue to develop to keep those bad guys in their place. The problem is growing, as noted in the following article.
California’s Cybercrime Problem Is Getting Worse
California has in place relatively robust regulation on data privacy, with a statute in place since 2012 requiring businesses to report to the Attorney General’s Office any breach involving more than 500 Californians. With this data, Kamala Harris’s office published the California Data Breach Report this week. The results are sobering but not surprising. The increasing frequency and complexity of cyber attacks drove an unprecedented spike in the theft of Californians’ sensitive data.
Malware and cyber attacks dominate
Between 2012 and 2015, 657 data breaches accounted for over 49 million compromised records of Californians’ personal information. Malware and hacking represented the lion’s share of leaked data at 90% of records. This category of breach is also increasing in prominence, rising from 45% to 58% of all breaches. Hackers executed attacks on a new scale last year. Mega breaches at Anthem, UCLA Health, and Experian drove a huge increase in the number of Californians affected, from 4.3 million in 2014 to over 24 million in 2015.
Breaches stemming from insiders were also responsible for a significant amount of the damage. Although broken out separately in the report, breaches from malicious trusted insiders (misuse breaches, 7% of the total) and unintentional disclosures (breaches caused by errors, 17% of the total), accounted for 24% of all incidents. Organizations are rightfully concerned with risk from insiders since they bypass most preventative security controls.
Sensitive personal information pays hackers’ bills
Not only were more residents victims of data breaches, but the most sensitive types of information made up the majority of stolen data. Breaches leaked 24 million records containing social security numbers and 18 million containing medical or healthcare information. Hackers are no longer content with low hanging fruit like online account credentials, which may be more carefully guarded than highly sensitive personal information. A medical record can be sold online for ten times the price of credit card information, offering a financial incentive for hackers to target healthcare companies.
It’s no wonder, then, that financial services and healthcare companies were the second and third most breached industries, respectively – and the Target breach was largely responsible for retail’s number one spot. While we expect financial services and healthcare companies to have the most security and control over customer and patient data, they are under constant attack from criminal hackers in search of the biggest possible payday.
Where do we go from here?
Consumers will demand answers in the wake of the drastic increase in cybercrime incidents. The attorney general’s office offered a few specific suggestions for companies hoping to improve their information security, in addition to the counsel laid out in the Center for Internet Security’s Critical Security Controls.
“Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.”
This is absolutely a best practice for consumer and business applications. Unfortunately, not all applications support security controls like multi-factor authentication. In a traditional software application, multi-factor authentication can be hard to implement for an entire enterprise – yet another reason companies are turning to cloud applications.
“Consistently use strong encryption to protect personal information on laptops and other portable devices, and consider using it for desktop computers.”
Similar to the previous advisory, encryption is an excellent idea in theory but can be difficult to implement. Any time you encrypt data, it also becomes more difficult to access for end users. For example, the Office of Personnel Management claimed they were unable to implement encryption on their aged infrastructure. There have been advances in function-preserving encryption for data in cloud services. Encryption should be used in certain situations, but is not a silver bullet.
My addition: Hire a chief information security officer (CISO). Data shows that companies with a CISO are more likely to be concerned about data loss and to have an incident response plan in place.
The broader economic trends underlying hackers are already changing the paradigm for information security. While companies were originally hesitant to move to the cloud because of security concerns, 64.9% of IT professionals now consider the cloud as having equivalent or better security than traditional software. There is now a push across industries – including from the US federal CIO – to outsource facets of infrastructure and data storage to cloud providers in order to achieve better security. As the next wave of cloud adoption arrives, companies will be ready to progress to the next generation of security challenges.