A record-setting number of companies and other entities had their data compromised in one type of cyberattack or another last year, according to the Identity Theft Resource Center’s annual report.
The ITRC recorded 1,862 “data compromise” events in 2021, up 68% from 2020 and 23% over the previous high of 1,506.
Although the number of individuals affected dropped 5% to nearly 294 million, the number of events involving loss of sensitive personal information (e.g., Social Security numbers) increased slightly.
“We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud,” Eva Velasquez, ITRC president and CEO, said. “The number of breaches in 2021 was alarming. Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud. There is no reason to believe the level of data compromises will suddenly decline in 2022.”
The types of events that gave rise to data compromises continued to evolve, with ransomware-related data breaches doubling year-over-year in both 2020 and 2021. Ransomware was once thought of as a data encryption event rather than data loss, but the ITRC predicted that, at the current growth rate, ransomware will overtake phishing as the top cause of data compromise in 2022.
According to the report, attacks on suppliers or vendors rose in 2021 — up to 93 events from 69 in 2020.
Topping the list of supply-chain events in 2021 was the Blackbaud ransomware attack. This attack, which occurred in 2020 and affected 480 entities, impacted another 122 entities and over 254,000 individuals in 2021.
Malicious cyberattacks were most frequently the root cause of data compromises and were responsible for 1,613 breaches or exposures. These attacks involve phishing, smishing, business email compromise (BEC), ransomware, malware, zero-day attacks, credential stuffing, and other attack methods. Human and system errors remain an issue, accounting for 179 events in 2021, according to the ITRC.
The ITRC advocated for more effective laws and regulations to better protect victims of identity fraud.
“Our current legal, regulatory, and policy frameworks at the state and federal levels of government do not adequately address the growing and evolving threats that data breaches represent to individuals, organizations and society as a whole,” Velasquez said. “It is not the ITRC’s purpose or place to name and shame organizations that have experienced a data compromise, but we do advocate for solutions to these issues.”
Cyber Security Checklist
Securing cyber coverage for your business or organization used to be easy. Not any longer. Insurers today want to know you’ve taken steps to protect yourself from cyber criminals. Here’s a list of 10 items you’ll want to do to win the best terms and price:
- Use multifactor authentication for everyone with remote access to your system as well as when sending funds to third parties.
- Provide regular phishing/social engineering training for employees.
- Use Privileged Account Management to help detect unusual behavior on your network.
- Use Endpoint Detection & Response (EDR) software.
- Use SPF, DKIM and DMARC to protect against email phishing campaigns.
- Use a protective DNS service to block dangerous sites and filter out unwanted content.
- Use next-generation antivirus (NGAV) software to protect all endpoints across your enterprise.
- Put into place software and operating system patch update protocols.
- Allow connections to your network only from computers running Remote Desktop with Network Level Authentication.
- Utilize a Security Operations Center (SOC) tool to monitor your network 24/7.
The Mahoney Group is one of the largest independent commercial insurance and employee benefits brokerages in the U.S. For more information, contact us online or call 877-440-3304.
This article is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.