In the first nine months of 2014, after 1,922 confirmed incidents, criminals managed to compromise 904 million records. Many of the incidents reported in 2014 were record setting, including twenty of them that resulted in the compromise of more than a million records each.
In retrospect, it can be safely said that criminals have had a tremendous run this year. But will their successes lead to any actionable change?
Many experts agree that some change will come out of 2014's security nightmare, but 2015 isn't going to be a data security utopia - records are still going to be compromised, and criminals will still target the low-hanging fruit.
If anything, 2014 will be the turning point for most security programs, as executives start to see the value in protecting data first.
According to data given to CSO Online by Risk Based Security, nearly 85 percent of the records exposed in the first nine months of this year were due to hacking (external influence), accounting for 74 percent of the reported incidents.
Thus, this year's security problems have taught organizations a valuable lesson when it comes to protecting the supply chain and offering awareness training to staff and vendors. From phishing to weak third-party access, criminals walked in through the backdoor, and out the front, with relative ease.
"Businesses today have a maze of complex dependencies on outside service providers and suppliers. This makes a complex attack surface, and that in turn makes defenses weak. The more complex our infrastructure, the harder it is for defenders to see it all and understand its weaknesses," commented Dr. Mike Lloyd, CTO at RedSeal.
Another lesson learned this year centers on keeping all of one's eggs in a single basket. As mentioned, twenty incidents reported in 2014 exposed one million records or more in each instance, but three of them resulted in the compromise of a combined 489 million records.
Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, said that the JPMorgan Chase breach was a perfect example of how the damage from an incident can be reduced by segmentation.
"Attackers were able to steal millions of customers' personal information such as names, emails, addresses, etc. However, they were unable to steal the actual financial data. That kind of data was hidden away behind another layer of security and one that was apparently impossible for attackers to get to," Kujawa said.
"If all organizations used practices similar to that, then regardless of a breach, there would be a lot less damage in the aftermath."
But, added Dr. Lloyd, while segmentation has been seen as a good idea for decades, it's something that's always been "nice-to-have."