For the second year in a row, three industries again accounted for over two-thirds of all our client events: Healthcare (49%); Business Services, including Retail, Insurance and Financial Services (26%); and Higher Education (11%). In 2014, we saw an overall increase in malicious intent behind data breach events and a decrease in human error as the cause of these issues for our clients. Approximately 45% of the data compromises we responded to this year were caused by a person or an organization attempting to cause some sort of harm to the organization attacked. This is a 10% increase over the previous year. The other 55% of cases involved non-malicious losses due to causes such as lost laptops, negligence, accidents, improper disposal, etc.
The increase in data loss tied to malicious intent was accompanied by a decrease in breaches caused by human error. While we don’t think that people learned to be significantly more cautious in 2014 as it relates to their data, awareness around data security has certainly helped. We’ve seen colleges and universities stepping up their risk assessment efforts, as well as evaluating their incident response plans so key employees will know what to do when a cybersecurity event occurs. One of the ways they’ve done this is through tabletop exercises that run various security incident scenarios to test that policies and procedures are accurate and up-to-date. In addition, we have seen our clients put tools and protocols in place, such as data loss prevention, which have helped to catch human errors when they do occur.
Despite the increase in malicious breaches, overall only 18% were attributed specifically to hacking, which we define as an external party gaining unauthorized access to another party’s data systems. Surprisingly, in an industry-by-industry comparison of our clients, healthcare — as opposed to retail — led the way in hacking cases, with 30% compared to retail’s 18%.
Also of interest is the fact that business services saw its highest number of unauthorized access cases to date (27%), although this type of breach continues to dominate in the healthcare sector (53%). As an example, it is not uncommon to see stories of hospital employees fired for violating access restrictions by viewing the medical files of celebrities or high-profile patients, but stories of unauthorized access are not as prevalent in business services.
With retail data breaches capturing all of the media attention due to their scale, Kroll continues to see healthcare and higher education institutions as hotbeds of data security challenges as revealed by their data breach events. The big question is, why?
Here are some thoughts on that question. Both higher education and healthcare have massive amounts of information in their systems: grades, Social Security numbers, insurance information, medical diagnoses and bank account information. These organizations are treasure troves of diverse and valuable information for someone looking to sell data on the black market.
Both types of organizations are more vulnerable to outside access, given the way data is used and shared in relation to the type of services that they provide. And they are richer environments, given that the composite data found on individuals is more extensive than the details held by a bank or a retail institution. These combined attributes make these institutions prime targets for malicious insiders.