October is a busy month for cybersecurity. Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, with the goal of providing information and tools to protect individuals from online security threats. October brings hope, as the Cybersecurity & Infrastructure Security Agency (CISA) focuses on educating CISA partners and the public, delivering a wealth of information and best practices for good cybersecurity hygiene.
In contrast, as good is often overshadowed by evil, the Identity Theft Resource Center’s (ITRC) Q3 2022 Data Breach Report findings, released in mid-October, reveal that despite efforts to better understand cybersecurity, a growing lack of information in data breach notices is putting businesses and consumers at higher risk of cybercrime.
“The findings in the Q3 2022 Data Breach Report analysis reveal a lot of interesting information,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “Most notably is the continued increase in data breach notices that lack information about the cause of cyberattacks that result in data breaches. In 2019, the ITRC only recorded 19 data breach notices where there was no information about the cause of the cyberattack. From Q4 of 2021 to Q3 of 2022, that number has grown to 617, 37 percent of all cyberattack-related data breaches reported in the period.”
Other key findings in ITRC’s report include:
- There were 474 publicly reported data compromises in Q3, a 15 percent increase compared to Q2 of 2022.
- The year-to-date (YTD) number of compromises (1,291) is only 69 percent of the year-end total in 2021, making a record-high number of compromises in 2022 unlikely.
- Q3 2022 saw a 250 percent increase in supply chain attacks (1,280 entities impacted by 48 supply chain attacks) compared to H1 2022 (367 organizations affected by 44 attacks).
- Malware-based attacks (13 in Q3) dropped to the lowest number in 3.75 years. They have become increasingly rare as the number of related attacks has fallen steadily from a recent high of 39 attacks in Q2 2021.
Data Breach Costs and Concerns on the Rise
Perhaps the most interesting, or rather costliest, stat revealed in ITRC’s Q3 findings is that cyberattacks represented 88% of the reported data breaches – 419 breaches – with phishing attacks remaining the primary attack vector for the 15th consecutive quarter.
Hackers have cashed in on the vulnerabilities organizations and consumers face, making phishing attacks the costliest attack vector in 2022, averaging $4.91 million per breach in the U.S., as reported in IBM’s Cost of a Data Breach Report, 2022.
Additionally, the report reveals that attack vectors with longer mean times to identify and contain, such as phishing or business email compromise, were also among the most expensive types of breaches.
As ITRC’s findings show, a lack of information surrounding cyberattacks only exacerbates the mean time to identify a breach, as well as the cost. As the U.S. tops the list for the 12th year in a row for the highest average cost of a data breach, more education is imperative in the fight against data breaches.
The Power of Educating People
Regardless of the type of attack vector, the goal of a hacker is to trick organizations and consumers into revealing sensitive and valuable data. CISA’s campaign theme for this year’s Cybersecurity Awareness Month, “See Yourself in Cyber,” demonstrates that although cybersecurity may seem complex, focusing on the “people” provides education and resources that help to ensure that all individuals and organizations make smart decisions to safeguard their data.
CISA created a toolkit to help all people and organizations learn the basics of cybersecurity, including tips on phishing, identity theft scams, multi-factor authentication guides, passwords, cybersecurity at home, work and travel, reporting a cybercrime and more.
Education is key to fighting cybercrime, but hackers will continue to find vulnerabilities to steal sensitive data. The attack types may change, but data encryption and tokenization ensure that even if a hacker were to infiltrate a network, the data would be rendered useless.
Bluefin is the recognized leader in encryption and tokenization technologies to secure payment and sensitive data upon intake, in transit, and in storage. Our core security suite includes PCI-validated point-to-point encryption for contactless face-to-face, mobile, unattended and call center payments, and our ShieldConex data security platform for the tokenization and encryption of Personally Identifiable Information (PII), Protected Health Information (PHI), payment and ACH account data online.