Web application compromise, a major culprit in the Equifax incident, is the number one breach type in the finance industry this year and a growing trend, according to Cambridge, Mass.-based BitSight.
In a new report from the security ratings firm, researcher Ryan Heitsmith noted, "September marked a month of heated discussion concerning data privacy issues, with continuing coverage in the media regarding breaches at major, global institutions."
BitSight considered the types of breaches experienced by the finance sector over three years of data to determine whether web application compromise is on the rise as well as the impact of these events. In 2017, web application compromise overtook all other breach types, making up a significant 33% of events experienced by the finance sector. "These events result in greater information loss and reputational damage than other breach types observed by BitSight," Heitsmith stated.
The report revealed that over the same period, employee error and privilege abuse trended in the opposite direction, meaning the threat landscape shifted from events caused primarily by internal actors to those caused by actors external to the company. This finding is important, but it still leaves out the size of the breaches or their effect on a business.
The September Equifax breach alone accounted for over 145.5 million pieces of personally identifiable information compromised, which pulls the sector mean into the millions. "We have observed the huge reputational damage that results from these large publicly-disclosed incidents. In contrast, privilege abuse and employee error typically result in small compromised record counts and insignificant reputational declines," Heitsmith said in the report.
Findings in the finance sector:
- From Jan. 2015 to Sept. 2017, the overall leading cause of breaches (38%) was human error.
- 2015 leading causes: human error (51%), privilege abuse (13%), web apps (8%).
- 2016 leading causes: human error (35%), DoS (14%), web apps (11%).
- 2017 leading causes: web apps (33%), human error (21%).
Heitsmith added that as the risk of breach increases, it is more critical than ever that organizations be aware of their own security posture as well as the vulnerabilities in their supply chain.
The findings suggested financial organizations should focus on implementing training and controls that limit the damage done by a poorly equipped security infrastructure or disgruntled workers. "By doing so they might expect to reduce their risk of all breaches by almost half. However, we know that the data breach landscape is not static, and that the relative frequency of these event types has changed over time."
BitSight used breached record count as a proxy for the severity of a security event. Web application compromise had the highest median record count (3,475) in the finance sector of all breach types except unsecured databases. It is also the category with the highest mean record count, because a few massive data compromise incidents pull the average up.
The new study looked at incident classification patterns and median record loss in the finance industry over the past three years. The data came from one of the industry's largest breach databases, which BitSight compiled by sending thousands of Freedom of Information Act requests throughout the US and by combining public and licensed data sets of data breaches. Classifications include: crimeware, DoS, error, lost/stolen asset, POS, skimmer, unsecured database, web apps, other, and unknown.
© Touchpoint Markets, All Rights Reserved.