Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Beazley Group

Breaches caused by either hacking or malware nearly doubled in relative frequency

Beazley, a leading provider of data breach response insurance, today released its Beazley Breach Insights 2016 findings based on its response to over 2,000 breaches in the past two years. The specialized Beazley Breach Response (BBR) Services unit responded to 60% more data breaches in 2015 compared to 2014, with a concentration of incidents in the healthcare, financial services and higher education sectors.

Key data:

  • Breaches caused by either hacking or malware nearly doubled in relative frequency over the past year. In 2015, 32% of all incidents were caused by hacking or malware vs. 18% in 2014.
  • Unintended disclosure of records – such as a misdirected email – accounted for 24% of all breaches in 2015, which is down from 32% in 2014.
  • The loss of non-electronic physical records accounted for 16% of all breaches in 2015, which is unchanged from 2014.
  • The proportion of breaches involving third party vendors more than tripled over the same period, rising from 6% of breaches in 2014 to 18% of breaches in 2015.

Beazley’s data breach statistics are based on 777 incidents in 2014 and 1,249 in 2015.

We saw a significant rise in incidents caused by hacking or malware in the past year,” said Katherine Keefe, global head of BBR Services. This was especially noticeable in healthcare where the percentage of data breaches caused by hacking or malware more than doubled

Ransomware on the rise in healthcare

Hackers are increasingly employing ransomware to lock up an organization’s data, holding it until a ransom is paid in nearly untraceable Bitcoin. Hollywood Presbyterian Hospital in Los Angeles reported suffering a ransomware attack in February 2016 and ultimately paid the hackers $17,000 in Bitcoin. A year earlier, the FBI had issued an alert warning that ransomware attacks were on the rise.

This trend is borne out by Beazley’s data. Breaches involving ransomware among Beazley clients more than doubled to 43 in 2015 and the trend appears to be accelerating in 2016. Based on figures for the first two months of the year, ransomware attacks are projected to increase by 250% in 2016.

Clearly, new malware programs, including ransomware, are having a big impact, said Paul Nikhinson, privacy breach response services manager for BBR Services. Hacking or malware was the leading cause of data breaches in the healthcare industry in 2015, representing 27% of all breaches, more than physical loss at 20%

Healthcare is a big target for hackers because of the richness of medical records for identity theft and other crimes. In fact, a medical record is worth over 16 times more than a credit card record.”

Higher Education

Higher education also experienced an increase in breaches due to hacking or malware with these accounting for 35% of incidents in 2015, up from 26% in 2015.

Colleges and universities are reporting increased “spear phishing” incidents in which hackers send personalized, legitimate-looking emails with harmful links or attachments. The relatively open nature of campus IT systems, widespread use of social media by students and a lack of the restrictive controls common in many corporate settings make higher education institutions particularly vulnerable to data breaches.

Financial Services

In the financial services sector, hacking or malware was up modestly to 27% of industry data breaches in 2015 versus 23% in 2014. Trojan programs continued to be a popular hacking device.

An Insurers perspective of Cyber Crime

Beazley, an Insurance Company recently issued a press release on the threat to business from Cyber Crime. Their perspective supports those of the leading IT Security researchers.

Beazley quote some interesting research to support their release:

  • According to a survey by the Identity Theft Resource Center ® of 226 security breaches(1), 44 percent of the victims in the first half of this year (2011) were businesses with assets of under $35 million, which lost in aggregate 3.6 million customer records.
  • Verizon’s 2011 data breach report of 759 occurrences conducted in collaboration with the US Secret Service shows 63 percent of last year’s breaches involved organizations with no more than 100 employees.(2)

Beazley state that most small businesses currently go without insurance coverage due to a variety of misconceptions about the scale of the risk and the scope of their existing insurance protections.

Jamie Orye, an underwriter who manages the US Private Enterprise/Small Business Technology team for Beazley, said: “Cyber criminals view small businesses as easier targets than their larger, more technologically sophisticated counterparts. They have limited resources to protect themselves, and with more modest incomes, these small businesses have more to lose.”

Among the misconceptions frequently relayed to Beazley underwriters by small business owners or their brokers are:

  • The cost of responding to impacted clients is simply a postage stamp per breached record.
  • Our information is well-protected by our IT consultants.
  • Our employees would not act maliciously and know how to protect our data.
  • Security breaches are covered by our general liability policy.

Orye urges small business owners to talk to their brokers to ensure their coverage extends to cover notification costs, which general liability insurance typically does not. Notification costs can be heavy as they must meet the standards prescribed by a bewildering array of state and federal laws.

Firms should also have resources available to conduct proper forensic investigations to ensure they notify clients only when needed.

Orye gave a recent example of a professional services firm that had their server hacked. The firm spent $100,000 on notifying clients that their sensitive data – such as social security numbers – might have been exposed. However, the firm later discovered none of the exposed data fell into this sensitive category.

Firms should also realize they may not be off the hook for a breach just because their data storage and management needs are outsourced. They will need to find out if their IT service providers are covered for data privacy issues,” said Orye.

Beazley’s Reasearch Sources:

(1) The IDentity Theft Research Center can be found here. The quoted research was from 7/5/2011

(2) Verizon Research PDF can he found here.

Beazley’s website can be found here.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: