For hackers, large-scale data breaches such as the ones that befell The Home Depot, Neiman Marcus, and Staples in 2014, are gold mines. On the dark Web, where hackers trade the fruits of their labor, credit card numbers can sell for $10 to $25 each. Social Security numbers, especially when paired with other personal information, such as names, addresses, email addresses, employment records, and birth dates, can fetch between $250 and $400 each.
For businesses, keeping that kind of valuable customer data out of the hands of cyber-thieves is a constant battle. Companies need to be right 100 percent of the time, safeguarding against every possible vulnerability across their entire infrastructure. Hackers only have to be right once to get in and do some serious damage.
If those odds don't sound very promising, it's because they're not. The deck is definitely stacked in the hackers' favor. Unfortunately, this is the world in which we live.
In 2014, the total number of reported data breaches in the United States hit a record high of 783, averaging about 15 per week, based on information compiled by the Identity Theft Resource Center (ITRC).
The 2014 total, which potentially left hundreds of millions of customer records exposed to hackers, represents a 27.5 percent increase over the number of reported breaches in 2013 and an increase of 18.3 percent over the previous high of 662 breaches in 2010, according to ITRC data.
"There's a lot more breach activity going on than companies are aware of," says Eva Velasquez, president and CEO of the ITRC. "There has been significant growth in the number of breaches. Businesses are constantly being assaulted by hackers."
Companies, on average, can expect to encounter 17 malicious codes, 12 sustained probes, and 10 unauthorized access incidents each month, according to research from the Ponemon Institute, a provider of independent research on privacy, data protection, and information security policy.
Despite the growing number of attacks, many companies are still not doing nearly enough to secure their customers' personal and financial information, experts contend.
"There are tremendous resources that companies could use to protect customer data, but they don't," says Thomas Loeser, a former federal cyber-crime prosecutor who is now a partner at Seattle law firm Hagens Berman. "Some companies are making hundreds of millions, if not billions, of dollars, and they spend a paltry amount on data security. There's no question that there's much more they could be doing."
For many companies, the wake-up call only comes after they've fallen victim to a large-scale, high-profile breach. "A lot of companies tend to downgrade the risk until it's too late," says Larry Ponemon, chairman and founder of the Ponemon Institute. "The general view is that there is a risk, but [business leaders] are not assigning it the appropriate level of importance."
To make matters worse, a report released by the Ponemon Institute in February uncovered "a lack of resources and a critical disconnect" between chief information security officers (CISOs) and senior leadership that Ponemon's chairman says is preventing companies from adequately addressing growing cyber-security threats.