Researchers at HackNotice have found that the number of data breaches is increasing, while the number of breach notifications is declining, SecurityWeek reports. HackNotice analyzed 67,529 publicly reported breaches between 2018 and 2020.

“The interesting point here is the relatively small number of breaches, around 13.5% of the total, that are reported through official channels,” SecurityWeek says. “This has fallen from 25% at the beginning of the period analyzed.”

HackNotice’s CEO and co-founder Steve Thomas told SecurityWeek that this is probably due to the patchwork of different US state laws that allow up to a month before an affected company has to disclose a breach.

“There is no federal breach notification law in the US, so you have to go by the states,” Thomas said. “However, each state writes its law different[ly] and the laws allow the breached company 30 days or even more before they have to disclose. News outlets, ransomware, and defacement gangs end up disclosing before the official notice, so we are seeing market share being taken away from official disclosures.”

Thomas also said he believes breaches are on the rise because organizations are neglecting the human element of security.

“Hackers are winning the cyberwar, largely because they don’t target the infrastructure, but they target people,” Thomas said. “Phishing, credential stuffing, account takeover of personal accounts to get into business accounts… All the major attack vectors rely on the fact that average employees are not informed as to how exposed they are, and they value security much less than the security team does.”

Likewise, Alec Alvarado, threat intelligence team lead at Digital Shadows, told the publication that organizations need to pay attention to this crucial area of security.

“The bad guys are winning the war simply because they are sticking to ways that work and have proven effective,” Alvarado said. “The most robust security team with the most extensive cybersecurity practices and a multi-million dollar cybersecurity budget will fail with the single click of a well-crafted phishing email or a weak password.”

New-school security awareness training can create a culture of security within your organization by enabling your employees to recognize social engineering tactics and follow security best practices.