New Data Breach Trends: Small Business Identity Records Now Target #1 for Hackers
A new report by leading cybersecurity and intelligence firm 4iQ is providing the tech world with some eye-popping perspective. The company’s comprehensive study of data breach incidents in 2018 indicates that these attacks were up by over 420% from 2017, exposing a total of almost 15 billion identity records. Personal identifying information in these records included credit card numbers, bank accounts and email addresses.
While the study did not unearth a significant amount of previously unreported data breaches, it is unique in encompassing all known incidents from a broad variety of sources – both the “open” and “deep” web, the “dark” web and similar underground information black markets, discussion forums and social media platforms.
This study is of particular interest to small businesses, because it confirms that they are now the favored target of cyber criminals. Data breach incidents had been trending slightly in that direction prior to 2018, but we now know that small businesses are being targeted much more frequently than previously thought and that even relatively tiny businesses are now on the menu for sophisticated hackers.
4iQ counted 12,440 new breaches in 2018, which was an increase of 424% over the known breach count in 2017.
A total of 14.9 billion identity records were found to have been exposed during the year, up from 8.7 billion available in 2017. Of these, 3.6 billion were exposed for the first time in 2018 – that is to say, the same records had not already been available through any previous breach. About three billion of the total came from the combined top 10 largest breaches in the world, but many more were the result of many smaller-scale breaches of small businesses.
The biggest trend contributing to these increased numbers in 2018 is the appearance of “combo lists.” These mega-lists draw together data from previous breaches into one massive but relatively easily searchable file. In addition to making identity records more accessible for attackers that may not have encountered them before, these combo lists also sometimes make public information from a data breach that was previously only in a few select hands.
The average size of a data breach (in terms of number of identity records compromised) actually decreased just a bit from 2017, down 4.7% to an average of 217,000 per breach. While that might seem like good news at first reading, it’s the opposite for smaller businesses – it means that criminals are shifting their attention to smaller targets.
Across the board, small businesses tend to have easier security to crack than their larger counterparts. This has been true for almost as long as the internet has been available, but hackers have historically tended to focus on the bigger targets due to the ratio of effort and risk to reward.
While larger businesses have been hardening their defenses, smaller businesses have had a tendency to believe that they are beneath the radar of hackers. This happens with troubling frequency even when that particular business has suffered a data breach in the past.
