Security media is pervaded by seemingly ever-increasing and ever-worsening reports of data breaches at businesses ranging from your mom-and-pop corner store to large retail and internet giants. But how accurate is the perception that breaches are on the rise? Are more security events actually happening, or are we simply observing increased compliance with strengthening reporting requirements? More importantly, can companies learn from these incidents or are businesses doomed to repeat them?
Commonly cited datasets lend support to the idea that the raw quantity of data breaches is increasing year over year. According to a report released by the Identity Theft Resource Center and ID theft protection firm CyberScout, breaches were up 29% for the first half of 2017 compared to the same time period in 2016. Both parties speculate that this trend could continue, culminating in over 1500 unique events - a record-setting amount. This increase would be in keeping with recent trends. In 2016, Privacy Rights Clearinghouse (PRC) categorized 51% more events than in the preceding year and appears to be on track to collect even more in 2017.
However, the simple fact that more breaches are reported year over year may only be telling us part of the story. A 2017 paper by Bisogni, Asghari, & Van Eeten compares the distribution of data breaches to an iceberg: the public only sees the surface events that are reported to an authority (such as a state Attorney General's office) or captured in the news. The researchers divide the remaining events into three distinct categories: those where affected customers are notified but nothing is reported publicly, those that are detected but never notified, and those that go undetected. Part of the responsibility certainly lies with organizations to detect that they have been breached and then move the incident through these stages, culminating in public disclosure.
This process is hampered by the patchwork of Data Breach Notification Laws (DBNL) that exist in the US. While only Alabama and South Dakota lag behind with no DBNL on the books, the rest of the states have enacted laws with diverging provisions on everything from whether a breach has to be reported to a central authority to whether companies can forego reporting if they determine that a significant risk of consumer harm does not exist. Many of these provisions affect whether an event will ever see the light of day. For example, states with a risk-of-harm exemption report 21% fewer data breaches than those with no such provision. With increased standardization, and perhaps even a federal statute, security events would stand a better chance of being disclosed.
One of the objectives behind DBNLs is to give breached companies additional incentive to improve security practices lest they be named and shamed again. Buckman, Bockstedt, Hashim, and Woutersen (2017) attempted to determine whether this is actually the case by applying a hazard model to the PRC breach dataset. This technique is commonly used in epidemiology to estimate how long a population is likely to go before experiencing a specific outcome. Their study looked at a population of companies that had experienced at least one data breach and identified the factors that made an organization more likely to be breached again, incorporating industry, DBNL provisions, and the incident fact pattern. The results indicated that companies in the education industry were less likely to experience multiple breaches and therefore could expect a longer duration between separate incidents. Companies whose initial data loss incident was caused by an unintended disclosure were more likely to experience a second breach of any type, making up nearly a quarter of the multiple-breach dataset.
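As an added illustration (not from this post or from Buckman et al.), here is the survival-analysis idea that underlies a hazard model, applied to re-breach data: a Kaplan-Meier estimate of time until a second breach on a small set of records, grouped by the cause of the first incident. The organizations, causes and durations are constructed for the example, and the estimator shown is the simpler non-parametric one rather than the regression model the paper used.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample (not real breach data). Each record is
# (org_id, cause_of_first_breach, days_until_second_breach_or_end_of_window, second_breach_seen).
# second_breach_seen=False means the org was still breach-free when observation ended
# (right-censored); survival methods keep such orgs "at risk" until they drop out, which a
# naive "what fraction was breached again" count cannot do.
RECORDS = [
    ("org-1", "unintended disclosure", 120, True),
    ("org-2", "unintended disclosure", 300, True),
    ("org-3", "unintended disclosure", 450, False),
    ("org-4", "unintended disclosure", 200, True),
    ("org-5", "hacking", 400, True),
    ("org-6", "hacking", 700, False),
    ("org-7", "hacking", 650, False),
    ("org-8", "hacking", 500, True),
]


def kaplan_meier(records):
    """Return [(t, S(t))]: the estimated probability of staying free of a second breach
    beyond t days. At each event time, S is multiplied by (at_risk - events) / at_risk."""
    ordered = sorted(records, key=lambda r: r[2])
    at_risk = len(ordered)
    survival = Fraction(1)  # exact arithmetic; converted to float for output
    curve, i = [], 0
    while i < len(ordered):
        t = ordered[i][2]
        events = removed = 0
        while i < len(ordered) and ordered[i][2] == t:  # all records tied at time t
            events += 1 if ordered[i][3] else 0
            removed += 1
            i += 1
        if events:
            survival *= Fraction(at_risk - events, at_risk)
            curve.append((t, float(survival)))
        at_risk -= removed  # censored orgs leave the risk set after their last observation
    return curve


def survival_by_cause(records):
    """One Kaplan-Meier curve per cause of the first breach."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[1]].append(rec)
    return {cause: kaplan_meier(recs) for cause, recs in groups.items()}


def median_time_to_second_breach(curve):
    """Smallest t with S(t) <= 0.5, or None if over half the orgs outlast the window."""
    return next((t for t, s in curve if s <= 0.5), None)
```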
When one digs deeper, it becomes clear that simple increases in incident reporting do not tell us the whole story. Not all data loss is detected and even less makes its way to the surface due to the many gaps that exist in the framework of data breach notification laws. Furthermore, a complex set of factors determines whether a company that is breached once learns from the incident or is fated to experience multiple attacks.
Security professionals must avoid the fatigue and resignation that follow seeing breach events constantly splashed across the headlines, and engage with the research instead. We should actively support and call for policies (both corporate and political) that encourage transparency when dealing with these events. More data will improve our understanding of the risks of operating in an increasingly connected world and encourage companies and the academic community to generate more actionable insights.