After reaching an all-time high in 2013, the number of cyber cases in the United States dropped slightly in 2014, according to Advisen Loss Insights data, down to 1,740 from 1,864. This might be considered improvement, but the results may also serve to indicate the industries that are most susceptible to loss and the type of data that’s proven most appealing to criminals. 2014’s totals show that while cyber cases in most industries decreased, they rose, perhaps predictably, in the retail industry. And while most attacks in the past have been aimed at big businesses, data showed that, in 2014, smaller businesses fell prey to cyber attacks at a new and alarming rate.
Last year’s case count shows that cyber events show no real sign of returning to 2001 levels, when only 118 cases were reported. The increasing numbers may be a product of increased laws and regulations mandating reporting of data breaches, now up to 47 states in the country with specific requirements for organizations to follow. For the purposes of this graph, events represent reported cyber instances, while cases present a fuller view of events that lead to litigation, settlements, or continued investigation.
2014’s cases continued a trend we first noted last year of a higher number of cases involving digital data breach, loss or theft than system than cases involving system or network security violations. Advisen defines Digital Data Breach, Loss or Theft as a Digital breach, distribution, loss, disposal, or theft of personal confidential information, either intentionally or by mistake, in such a way to enable the information to be used or misused by another.
System/Network Security Violation or Disruption is defined as unauthorized use of or access to a computer or network, or interference with the operation of same, including virus, worm, malware, digital denial of service (DDoS), etc.
Also of note, privacy violations dropped in 2014, from 233 cases in 2013 to 192. This may reflect organizations becoming more aware of and accustomed to both state and federal privacy laws, which may also have had an impact on the number of cases related to improper digital data collection. And while cyber extortion cases comprise a miniscule portion of the 1,740 cases, they rose in 2014 and have become more of a focus with the rise of ransomware, as well as the wide-scale assault on Sony Pictures Entertainment’s computer systems.
In an interesting twist, identity theft cases reported dropped to 10 in 2014, down from a high of 105 in 2011. This trend could be related to the proliferation of credit and ID theft monitoring services that are provided to consumers following data breaches. It could also reflect greater consumer awareness in general of the delicate nature of personally identifiable information and the need for vigilance.
The broad “services” industry category, which includes healthcare, education, hospitality, etc., continues to be the most likely target for cyber attacks, followed by financial services, insurance, and real estate, and wholesale and retail. Advisen data show that across most industries, the number of cases dropped in 2014, apart from a slight increase in manufacturing-related cases and the aforementioned rise from 245 to 278 in the retail sector.
Last year’s data showed a continued rise in attacks against smaller businesses, with revenues less than $1 million. Businesses with less than half a million were most affected by this trend in 2014. Most attacks are still aimed at organizations with revenues over $5 billion, but cyber criminals have expanded their efforts against businesses of all sizes.
The above graph shows the distribution of cases across the United States, with the most populous states – California, New York, Florida, Texas – experiencing the highest number of cases, as in past years. Illinois and Washington follow closely behind. Georgia and Minnesota also showed higher numbers this year – both districts for major class action litigation against Home Depot and Target relative to the retailers’ high-profile data breaches. While the numbers range from 2,335 cases in California to 14 in North Dakota, the data show that no state went unaffected by cyber events in 2014.