
GRC Tuesdays: Efficient Cybersecurity Response Requires Profiling of Data Breaches

Much like police officers follow the clues to find the culprits and arrest them, cyber investigators must follow the breadcrumbs to identify the source of a data breach and measure the scope of the data affected.

But that’s only part of the job. And hopefully not the most frequent one!

More proactively, and once again much like police forces, the role of the IT security department within an organization is to prevent incidents, here data breaches, in order to protect both the information and the organization itself.

For this purpose, most IT security departments leverage a variety of technical responses available to them:

  • Data masking, so that sensitive information is not exposed to every user who can reach the screen or report that contains it
  • Access governance, to ensure that users are authorized only according to their roles and profiles and that over-permissive access is reduced
  • Secure logons, with password policies for instance. Indeed, what’s the point of having security tools in place if people still use “123456” as the key to the (information) safe?
  • … and more!
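To make the first and third controls concrete, here is an added example (not code from the original post or from any SAP product) showing role-based data masking of a personal record and a password policy check that rejects the “123456” class of passwords. The record, the roles, the role-to-field mapping and the common-password list are all constructed for the illustration.

```python
import re

# Constructed sample record with personal data (not real data).
RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "card_number": "4111111111111111",
    "salary": 85000,
}

# Hypothetical roles: the fields each role may see in clear. Anything not
# listed here is masked, and an unknown role sees nothing in clear.
ROLE_CLEAR_FIELDS = {
    "support": {"name", "email"},
    "payroll": {"name", "salary"},
    "auditor": set(),
}


def mask_value(field, value):
    """Redact a value while keeping just enough for a human to match it."""
    s = str(value)
    if field == "email" and "@" in s:
        local, domain = s.split("@", 1)
        return local[0] + "***@" + domain
    if field == "card_number":
        return "*" * (len(s) - 4) + s[-4:]   # keep the last four digits only
    return "***"


def mask_record(record, role):
    """Return a copy of the record masked for the given role."""
    clear = ROLE_CLEAR_FIELDS.get(role, set())
    return {k: (v if k in clear else mask_value(k, v)) for k, v in record.items()}


# Constructed blocklist standing in for a real common/breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein"}


def password_violations(pw, min_length=12):
    """Return the list of policy rules the password breaks (empty if it passes)."""
    problems = []
    if len(pw) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # Strip trailing digits/punctuation so "password123!" is still caught.
    base = re.sub(r"[\d!@#$%^&*.]+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("derived from a common password")
    if re.fullmatch(r"\d+", pw):
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    print(mask_record(RECORD, "support"))
    print(mask_record(RECORD, "auditor"))
    print(password_violations("123456"))
    print(password_violations("correct horse battery staple!"))
```

The point of masking at the data layer rather than in the user interface is that a user with a legitimate login but an inappropriate role still never receives the clear value; the point of the blocklist check is that length rules alone would accept “password1234” while users keep picking it.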

In order to be effective, IT security departments must know what they are up against, and here is where databases such as Gemalto’s Breach Level Index can be as useful to them as police archives are to investigators.

In case you haven’t yet come across it, the Breach Level Index “is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted.” Unfortunately, the site was relaunched at the end of 2019 and the data breach library is currently not accessible, so only the final report outputs are now available. Hopefully it will be brought back to the site in the future.

Findings from the Breach Level Index


Since an image is worth a thousand words, I was lucky enough to download the information before the site revamp, and I have decided to leverage the raw data to flesh out the information and identify patterns.

Note: the extent of some data breaches is unknown or undisclosed, so no record counts or risk scores are associated with them, but I have kept these breaches so as to help identify the most common root causes by number of occurrences.

Also, there is one certainty: this list is not exhaustive. Some breaches might not have been reported, and some might even still be undetected.
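The three views that follow (records and risk score per industry, prevalent type and source, average risk score per country) are simple aggregations, and the only subtlety is how breaches of unknown extent are handled: they must still count as occurrences but must not drag down sums or averages. The following is an added example, not the author’s own analysis code, that carries out that profiling over a small constructed dataset; the column names mirror the dimensions the Breach Level Index is described as tracking but are an assumption, and every row is invented.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample extract (invented organizations and figures). Two rows
# have an unknown extent and therefore no record count and no risk score.
SAMPLE_CSV = """organization,industry,type,source,country,records,risk_score
ExampleTech,Technology,Identity Theft,Malicious Outsider,US,50000000,9.2
SocialCo,Social Media,Identity Theft,Malicious Insider,US,12000000,8.7
RetailMart,Retail,Financial Access,Malicious Outsider,GB,2000000,7.1
CityClinic,Healthcare,Identity Theft,Malicious Insider,DE,Unknown,
BankX,Financial,Financial Access,Malicious Insider,FR,300000,6.4
AppStartup,Technology,Account Access,Accidental Loss,IE,Unknown,
"""


def parse_breaches(text):
    """Parse the CSV, turning unknown extents into None instead of dropping rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rec, score = r["records"].strip(), r["risk_score"].strip()
        rows.append({
            "organization": r["organization"],
            "industry": r["industry"],
            "type": r["type"],
            "source": r["source"],
            "country": r["country"],
            "records": int(rec) if rec.isdigit() else None,
            "risk_score": float(score) if score else None,
        })
    return rows


def group_by(rows, key):
    groups = defaultdict(list)
    for r in rows:
        groups[r[key]].append(r)
    return groups


def _avg_score(group):
    scored = [g["risk_score"] for g in group if g["risk_score"] is not None]
    return round(sum(scored) / len(scored), 2) if scored else None


def profile_by_industry(rows):
    """Breach count, known records and average risk score per industry.
    Unknown extents are counted separately rather than as zero."""
    out = {}
    for industry, group in group_by(rows, "industry").items():
        out[industry] = {
            "breaches": len(group),
            "records_known": sum(g["records"] for g in group if g["records"] is not None),
            "unknown_extent": sum(1 for g in group if g["records"] is None),
            "avg_risk_score": _avg_score(group),
        }
    return out


def prevalent_type_and_source(rows):
    """Most common breach type, and the most common source within that type.
    Counts occurrences, so breaches with unknown extent still weigh in."""
    if not rows:
        return None
    type_counts = Counter(r["type"] for r in rows)
    top_type = type_counts.most_common(1)[0][0]
    source_counts = Counter(r["source"] for r in rows if r["type"] == top_type)
    top_source = source_counts.most_common(1)[0][0]
    return top_type, top_source, dict(type_counts), dict(source_counts)


def avg_risk_by_country(rows):
    """Average risk score per country; countries with only unscored breaches get None."""
    return {c: _avg_score(g) for c, g in group_by(rows, "country").items()}


if __name__ == "__main__":
    data = parse_breaches(SAMPLE_CSV)
    for industry, stats in profile_by_industry(data).items():
        print(industry, stats)
    print(prevalent_type_and_source(data))
    print(avg_risk_by_country(data))
```

Keeping the unscored rows in the occurrence counts but out of the averages is what lets the same dataset answer both “which root cause is most frequent?” and “which breaches were most severe?” without one question biasing the other.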

Sum of Data Breaches and Associated Risk Scope per Industry

Source: Breach Level Index, Gemalto, November 2019

From the graph above, it appears that technology and social media companies, which hold personal information on many individuals, have been most subject to data breach events. The size of each block relates to the extent of data compromised, and the color reflects Gemalto’s Risk Score. This score classifies the severity of each breach, to distinguish data breaches that are “not serious versus those that are truly impactful”.

Looking at what has driven most breaches, it seems that “Identity Theft” is the most common type of incident, and that within this typology, “Malicious Insider” is the prevalent source. As most cyber analysts have been warning for quite some time, the insider threat is the most difficult one to control and to mitigate:

Most Prevalent Types & Sources of Breach per Industry

Source: Breach Level Index, Gemalto, November 2019

Last but not least, since the database also provides the location of the breach, I crossed this information with the average risk score. Notice that there is no information for many countries, but this simple map clearly indicates that there is no safe haven:

Average Data Breach Risk Score by Country

Source: Breach Level Index, Gemalto, November 2019

What to do?


In my opinion, this database helps highlight that the malicious insider is still to be taken very seriously even when technological responses are in place. That said, there are two kinds of insider threat: the negligent (erroneous) insider and the one acting with malicious intent. The database doesn’t indicate the intent behind each breach, but one thing is certain: the consequence is negative regardless of how you look at it.

As with fraud, cybersecurity is a difficult battle since companies are up against very imaginative and clever individuals or organizations.

I don’t think there is a perfect answer to this threat, but I do believe that companies can implement some steps to get on the right track:

  • Rate the criticality of each piece of information if it were accessed without your consent, rank your data protection needs, institute a classification system from “Public” to “Confidential” and ensure it is understood and applied consistently
  • Map your assets (location, purpose), document the dependencies, describe the access and authorization structures and regularly update this risk context
  • Identify and document the threats (including by leveraging databases such as the one described in this blog), apply a root cause approach, assess all impacts (not just IT!), document and roll up the risk chain to get a complete picture and report on the real exposure of each vulnerability
  • Implement a sound access governance process with distributed policies, test your defenses internally and externally, and regularly review roles and authorizations
  • Track patterns to identify breaches as they occur, have an incident response process, share with peers and exchange information, run operational data breach exercises and continuously challenge your security organization
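The fourth step, and the “access governance” control listed at the top of this post, comes down to a periodic review that compares what users actually hold against what their roles entitle them to. Here is an added example of such a review (not code from the original post or from any SAP GRC product) that flags three classic findings: entitlements outside the user’s roles, separation-of-duties conflicts, and dormant accounts that nobody has revoked. The role model, the conflict pairs, the users and the review date are all constructed for the illustration.

```python
from datetime import date

# Hypothetical role model: which entitlements each role legitimately grants.
ROLE_ENTITLEMENTS = {
    "hr_clerk": {"hr.read", "hr.edit"},
    "payroll_clerk": {"payroll.create"},
    "payroll_approver": {"payroll.approve"},
    "dba": {"db.admin"},
}

# Separation-of-duties rules: no single user may hold both entitlements of a pair.
SOD_CONFLICTS = [
    {"payroll.create", "payroll.approve"},   # create and approve your own payments
    {"hr.edit", "payroll.approve"},          # edit an employee, then approve their pay
]

# Constructed user extract. "entitlements" is what the system actually grants,
# which may drift away from what the assigned roles imply.
USERS = [
    {"user": "alice", "roles": ["hr_clerk"],
     "entitlements": {"hr.read", "hr.edit"}, "last_login": date(2020, 9, 10)},
    {"user": "bob", "roles": ["payroll_clerk", "payroll_approver"],
     "entitlements": {"payroll.create", "payroll.approve"}, "last_login": date(2020, 9, 1)},
    {"user": "carol", "roles": ["hr_clerk"],
     "entitlements": {"hr.read", "hr.edit", "db.admin"}, "last_login": date(2020, 3, 1)},
    {"user": "svc_backup", "roles": ["dba"],
     "entitlements": {"db.admin"}, "last_login": date(2019, 12, 1)},
]


def excess_entitlements(users, role_model=ROLE_ENTITLEMENTS):
    """Entitlements a user holds that none of their roles grants (direct grants, drift)."""
    findings = {}
    for u in users:
        allowed = set().union(*(role_model.get(r, set()) for r in u["roles"]))
        excess = u["entitlements"] - allowed
        if excess:
            findings[u["user"]] = excess
    return findings


def sod_violations(users, conflicts=SOD_CONFLICTS):
    """Users holding both sides of a separation-of-duties conflict pair."""
    found = []
    for u in users:
        for pair in conflicts:
            if pair <= u["entitlements"]:
                found.append((u["user"], tuple(sorted(pair))))
    return sorted(found)


def dormant_accounts(users, as_of, max_idle_days=90):
    """Accounts with no login for longer than the allowed idle period."""
    return sorted(u["user"] for u in users
                  if (as_of - u["last_login"]).days > max_idle_days)


def access_review(users, as_of):
    """Bundle the three checks into one review report."""
    return {
        "excess": excess_entitlements(users),
        "sod": sod_violations(users),
        "dormant": dormant_accounts(users, as_of),
    }


if __name__ == "__main__":
    report = access_review(USERS, date(2020, 9, 15))
    for finding, detail in report.items():
        print(finding, detail)
```

Note that bob’s conflict is created entirely by legitimate role assignments, so a review that only looks for excess entitlements would miss it; the SoD check has to run against the effective entitlements, not against the role list.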

Of course, I don’t claim that this will be sufficient. Cybersecurity is a multifaceted function that requires all actors in the chain, from internal stakeholders such as employees to external parties such as suppliers that may have access to some part of your systems, to take part and act responsibly. Nevertheless, I hope this has at least provided some suggestions.

What about you, does this resonate with your own experience? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

If you are interested in hearing more about this topic and discussing it, then have a look at the SAP Conference on Application and Information Security – Building Digital Trust, which will take place on 20 and 21 October 2020 in Dublin, Ireland.
