Compromised employee accounts are an expensive problem according to IBM report
Kapua Iao September 03, 2020
Compromised employee accounts remain the most expensive problem for organizations hit by data breaches according to IBM Security’s Cost of a Data Breach Report 2020. IBM examines hundreds of cost factors related to legal, regulatory, and technical needs as well as loss to brand equity, customers, and employee productivity. Its findings demonstrate the importance of up-to-date user policies, employee awareness training, and email security.
Report summary
IBM’s study of over 500 organizations (and more than 3,200 security professionals from these organizations) took place between August 2019 and April 2020. Overall, cybersecurity incidents cost participating organizations an average of $386 million per breach. Eighty percent resulted in the exposure of personally identifiable information. And the more sensitive the data, the higher the costs. According to the report, healthcare organizations incurred the highest average cost of any industry at $7.13 million. Other key findings:
- The use of smart technology can cut breach costs in half.
- Compromised employee credentials are the most expensive breach method, followed by exploited third-party vulnerabilities.
- The cost of mega breaches (records over 50 million compromised) soared by the millions.
- Compared to other threat vectors, nation-state attacks were the most costly.
Compromised employee accounts
Within the IBM report, compromised credentials (and cloud misconfigurations) are not only the most expensive but also the most common type of data breach. Together, they represent 40% of malicious incidents. The IBM X-Force Threat Intelligence Index 2020 stresses that more than 8.5 billion credentials were compromised in 2019, a 200% increase from the year before. Methods to compromise employee accounts include:
- Phishing emails and social engineering
- Malware/ransomware
- Human error
- Poor password practices
- Weak access/download policies
- Unencrypted email
- Unprotected storage
- Stolen equipment/devices
- Espionage
The healthcare industry
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). This means shielding patients’ PHI from exposure. Unfortunately, the healthcare industry has seen numerous incidents this year, including:
- Phoenix Children’s Hospital (phishing)
- Muskingum Valley Health Centers (ransomware)
- Samaritan Medical Center (malware)
Spend upfront on strong cybersecurity
Preventing security breaches must be a continuous effort. Organizations must maintain a layered and comprehensive cybersecurity program along with up-to-date policies and procedures and constant employee awareness training. For CEs, that also means making their email HIPAA compliant. Strong email security works in tandem with employee training to block many of the threat vectors that target employee compromise. Paubox Email Suite Premium provides this protection with inbound and outbound security tools that require no extra steps from employees: HIPAA compliant email arrives directly in the recipient's inbox, with no password or portal required. It integrates with a customer’s existing email provider to send encrypted email by default, and safeguards both inbound and outbound email with data loss prevention tools. Paubox Email Suite Premium is a strong option for CEs; by protecting themselves they also protect their patients’ PHI. Spending both time and money to build robust cybersecurity is worth it, in the short and long term.