Evolving ransomware attacks, exploitation of vendor systems, and a rise in insider threats are just a few of the threats organizations face. They are spending more money than ever on cybersecurity due to a record rise in reported company security breaches to 3,205 in 2023, up 78% from 2022, according to Identity Theft Resource Center research.
What’s behind the rise in company security breaches, and how can companies best respond? First, we’ll look at what a security breach is, common types, and guidance based on new cybersecurity rules and frameworks.
What is a company security breach?
A company security breach is any incident involving unauthorized access to computer systems, networks, applications, or devices that results in information being accessed, stolen, leaked, destroyed, or exposed without authorization. This information may include personally identifiable information (PII) like social security numbers, financial information, health records, or other sensitive data.
Company security breaches are on the rise
According to Statista, the number of data breaches in the U.S. has significantly increased, from a mere 447 in 2012 to more than 3,200 in 2023. In the same year, over 350 million individuals were affected by data compromises, including data breaches, exposure, and leakage.
The leap in company data breaches took off during the COVID-19 pandemic, when cybercriminals targeted victims in remote working environments, and cyber scams increased 400%.
Today, the most vulnerable sectors are healthcare, finance, and retail, and company data breaches have affected millions of patients, users, and customers each year. Healthcare data record breaches, for example, skyrocketed nearly ten-fold in the U.S. alone from 5.3 million in 2017 to 51.4 million.
What are common types of company security breaches?
The most common cyber-attacks used in company security breaches are highlighted below.
Stolen information
This type of company security breach can result from careless errors, such as an employee leaving a phone or file at a café and having it stolen. As just one example, Apple fell prey to a breach when a careless employee left a prototype of one of their new iPhones unguarded, and within hours, the yet-to-be-released phone specs had been leaked over the web.
Ransomware
In a ransomware attack, users get messages stating that the data on their devices is now encrypted, denying access to the data. You can only get your data back (and not release it to the public) if you pay the perpetrator a fee. Crypto-ransomware is the most common type; perpetrators encrypt the data, information, or files on the victim’s device. The 2017 WannaCry ransomware attack is one of the most notorious in history, targeting Microsoft Windows operating systems and affecting more than 230,000 computers in 150+ countries. The estimated loss was $4 billion.
Phishing
Phishing attacks come from third-party hackers who create sites that look genuine. If you log in without realizing you’re not logging on to the real site, you may end up inadvertently giving your hacker your password! One of the worst phishing attacks in history involved Facebook and Google. Lithuanian Evaldas Rimasauskas stole over $100 million from the companies by creating a seemingly authentic forged email account with Quanta Computer, a business partner of Facebook and Google. By sending phishing emails with fake invoices to employees at these companies, he stole more than $100 million.
ILOVEYOU! Malware and viruses
Ever receive an email asking you to click on a link? This could be an example of malware, which is sent to people with the goal of wiping their computer of all data. One of the earliest forms of malware using social engineering, the ILOVEYOU computer virus attacked tens of millions of Windows personal computers, and is estimated to have caused at least $5.5 billion in damages worldwide!
Distributed denial-of-service (DDoS)
A DDoS company security breach tends to target larger organizations, and occurs when a highly coordinated attack is launched simultaneously from many sources. When systems are attacked, employees will not be able to sign into their work systems, forcing the company to (temporarily) shut down—on average, for 68 minutes. In recent years, Google, Microsoft, Amazon, and GitHub all have experienced DDoS attacks that hijacked their servers and systems.
Brute-force attacks
This type of company security breach is actually nothing more than password guessing. If your password is too easily guessable, like your pet’s name, it can be stolen. The perpetrator can then get into your system and find any type of sensitive information.
Insider leaks
Insider leaks cannot be overlooked as a major source of company security breaches. In fact, 83% of data breaches in 2022 involved internal bad actors. The largest to date? Between 1996 and 2006, an employee of Boeing stole $2 billion worth of aerospace documents and gave them to China.
Guidance on security breach response
As companies face increasing threats from malicious actors, cybersecurity has become an important agenda item for boards. Against this backdrop, several authoritative bodies have issued guidance on new cybersecurity reporting requirements and response guidelines.
Several notable ones are outlined below:
- In July 2023, the SEC adopted rules on cybersecurity risk management, requiring publicly traded companies, along with foreign private issuers, to disclose material cyber incidents they experience. One of the goals of the rules, which took effect in September 2023, was to make companies more accountable to investors on how they manage their cyber risks.
- The updated National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, published in February 2024, offers a playbook for incident response for organizations. The framework empowers organizations to understand, assess, and communicate about cybersecurity risks and response effectively.
- The FTC’s data breach response guide for business offers steps to take for those who have just experienced a company security breach.
- Finally, it’s important to remember notification obligations to comply with U.S. data breach notification laws, which vary by state, following a company security breach.
Prepare for a company security breach, early and often
A well-thought-out plan is the best way to prepare for and respond to cyber incidents, not only to meet regulatory compliance obligations but also to minimize negative impact to your brand and revenue. Organizations can implement strategies and best practices to plan for, and respond to, a cyber incident, from building the right team to regularly auditing data retention policies, creating and testing tabletop exercises, and more.
UnitedLex can help organizations augment their cyber incident response by providing rapid insight into the potential severity, and quickly defining the extent of exposure and the obligations to the company, customers, employees, and third parties. Let’s talk.