To no one’s surprise, 2023 brought more challenges to data security and privacy. According to Forrester’s Security Survey, 2023, 77% of security decision-makers experienced at least one data breach at their firm over the past 12 months. After a retrospective review of the largest publicly reported breaches and privacy violations of the last year, we found that:
- Three industry groupings accounted for 80% of the top breaches. Public sector, education, and healthcare together accounted for 43% of the top 35 breaches we identified. This is not unexpected, with 2023 marked by the MOVEit vulnerability, which impacted countless (mostly healthcare) organizations. Financial services and insurance accounted for 23% of the top 35 breaches, while utilities and telecommunications accounted for 14%.
- The usual social media giants were fined the heaviest. Meta appeared three times in the top five fines, with two of the violations due to a lack of transparency in its data processing procedures. TikTok was hit with two of the top 35 largest fines this year, one of which was the second largest overall. Both of TikTok’s fines involved improper processing of children’s data.
- EMEA still outpaces other regions in handing out the largest fines, but NA is catching up. We found that the Europe, Middle East, and Africa (EMEA) region levied 54% of the top privacy and data fines this year. North America (NA) was not far behind, handing out 43% of the largest fines in 2023. Many of the NA fines were levied for failing to maintain an adequate security program.
So what can security, privacy, and risk professionals learn from these trends? A few key takeaways:
- Protect and inventory your software supply chains. Visibility into the software and components that make up your software supply chain is the first step to securing it. When purchasing software, ask your supplier for a software bill of materials (SBOM), so that when a vulnerability such as MOVEit's is disclosed you can quickly locate every affected component you run. Organizations must also apply a defense-in-depth strategy, using application protection in production, such as a web application firewall or API security solution, that can be configured to block malicious traffic while a zero-day remains unpatched.
- Technical skills are great, but leaders need to focus on soft skills, too. Regulators are pushing for greater transparency, and they are incentivizing security leaders to act in the best interest of customers, and of themselves, with the threat of legal action. A breached organization's actions and communications following a breach set the tone for recovery and for rebuilding customer and public trust. Mishandle this critical part of the response, and it will not only fuel reputational damage but also invite greater scrutiny from regulators and from the individuals impacted by the event.
- Data breaches cause real-world harm. Operational technology environments are no longer air-gapped from corporate networks and the internet, exposing them to direct attacks and to incidents that cascade from IT environments. These cyber events not only cost money by disrupting business operations but also endanger the environment, jeopardize employee and customer safety, and interrupt critical public services. In these emergencies, the accuracy and speed of the response are crucial to keeping employees and customers safe and ensuring business continuity.
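One way to put an SBOM to work once you have it, as an added example that is not part of the original post or of any Forrester tooling: the script below reads a constructed CycloneDX-style SBOM, compares each component's version against a constructed advisory list, and reports which deployed components fall inside an affected version range. The component names, versions and advisory IDs are hypothetical, and the version comparison is a plain numeric dotted-version compare rather than a full semver or vendor-specific scheme. This is the check that turns the inventory described in the supply-chain takeaway above into an answer to "are we exposed?" when the next MOVEit-style disclosure lands.

```python
import json

# Constructed CycloneDX-style SBOM. Component names, versions and purls are
# hypothetical; this is not a real product inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "example-transfer", "version": "2023.0.2",
     "purl": "pkg:generic/example-transfer@2023.0.2"},
    {"type": "library", "name": "libfoo", "version": "1.4.7",
     "purl": "pkg:generic/libfoo@1.4.7"},
    {"type": "library", "name": "libbar", "version": "3.2.0",
     "purl": "pkg:generic/libbar@3.2.0"}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs, not real CVEs). Each entry gives
# the first affected version and the first fixed version of a component.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "name": "example-transfer",
     "introduced": "2020.0.0", "fixed": "2023.0.3"},
    {"id": "ADV-EXAMPLE-002", "name": "libbar",
     "introduced": "3.0.0", "fixed": "3.1.5"},
]

VERSION_PARTS = 4  # pad every version to this many numeric fields


def parse_version(version):
    """Turn '2023.0.2' into a fixed-length tuple of ints for comparison.

    Non-numeric suffixes such as '7-rc1' are truncated at the first
    non-digit; this is a deliberate simplification for the example.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts = (parts + [0] * VERSION_PARTS)[:VERSION_PARTS]
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed, using numeric dotted compare."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match_advisories(sbom_text, advisories):
    """Return one finding per (component, advisory) pair that is affected."""
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']} is affected by "
              f"{f['advisory']}; upgrade to {f['fixed_in']}")
```

In practice the SBOM comes from the supplier or from your build pipeline and the advisory list from a vulnerability feed keyed on package URLs rather than bare names; the matching logic stays the same. The findings are also the list of components for which a WAF or API security rule is a stopgap until the fixed version is deployed.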
For more of the important trends from 2023, read our report, Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2023, and register for our upcoming webinar here.
(written with Danielle Chittem, research associate)