Data Breach Investigation Report Highlights Unencrypted Devices as a Major Issue
The 2015 Data Breach Investigations Report published by Verizon highlights lost and stolen devices that lack encryption as a major cause of data being compromised across all industries.
The report estimates a financial loss of $400 million from 700 million compromised records, demonstrating the importance of managing data breach risks. Nearly 80,000 security incidents occurred in 2014, and more than 2,100 of them were confirmed data breaches.
A “security incident” was defined in the report as “any event that compromises the confidentiality, integrity, or availability of an information asset”, while a “data breach” was described as “any incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party”.
Threats and attacks were categorized into nine sections in the report: insider misuse, crimeware, cyber-espionage, denial of service (DoS and DDoS attacks), card skimmers, point of sale system attacks, web app attacks, loss and theft, and miscellaneous errors. Most of these categories concern direct cyber attacks. The inclusion of loss and theft shows that, although you cannot always prevent incidents that result from human error, there are always measures that can be taken to prevent data being compromised after the loss or theft has occurred.
It came as no surprise that loss and theft continued to play a huge part in data breach risk. 55% of loss and theft breaches occurred within the victim’s work area, with 22% occurring in employee-owned vehicles. Alarmingly, 15% of these incidents are still taking days to be discovered.
Analysis of the responses in this section of the report highlights that organizations failing to deploy encryption is still a major issue. Although the section of the report on loss and theft is comparatively less substantial than others, this isn’t to say it is any less important, with the report stating “the impact to an organization can be significant (if not equal to other data loss events) depending on the sensitivity of the data resident on the assets involved, and the controls that have or have not been implemented to protect the confidentiality and recoverability of the data”.
The report goes on to recommend that organizations ensure they minimize the risk of data breaches by using full-disk encryption, locking down USB ports, password protection, and enabling the ability to remotely wipe data to help prevent a breach in the event of a device being lost or stolen. Verizon also suggests regular auditing of staff and their devices to determine whether over time there is a pattern or behavior that needs to be identified and prepared for, as well as making it easy to report the loss or theft of a device – even going as far as to incentivize your workforce to report a data breach as soon as it occurs.
The Verizon report provides insight into how and why cyber attacks are so prolific across all industry sectors. Following a number of high-profile incidents in the last year, including the record-breaking fines handed out under HIPAA, the Sony hacking, and the Anthem cyberattack, there is also a new bill that, if passed, will change breach notification laws across the whole of the US. It seems that the issue of cybersecurity is finally beginning to be taken far more seriously.
At Scrypt, we understand the challenges that organizations face when it comes to keeping data safe across a number of devices, which is why we use military-grade encryption on all your documents, both at rest and during transmission. We also use multi-factor authentication, IP-restricted access and role-based permissions to ensure that even if a device should be lost or stolen, you can rest easy knowing that Scrypt will keep your sensitive data secure.
Get in touch with Scrypt today to find out how to avoid becoming another data breach statistic.