Security analytics firm Risk Based Security has released its 2018 year end report on data breaches, and it’s not all bad news. The number of publicly disclosed breaches has fallen slightly since 2017, though only by 3.2%, the report found.

What’s more impressive is the decrease in the number of exposed records, which was down by 35.9% from 7.9 billion to only 5 billion.

Despite that decrease, Risk Based Security said, reports continue to trickle in and 2018 may end up eclipsing the high water mark set in 2017.

What, if anything, has changed?

Despite slight improvements from 2017, many metrics relating to data breaches remain unchanged.

The average number of days it takes an organization to report a breach has changed little: In 2017 the average was 48.6 days, and in 2018 it only ticked up by a single day to 49.6. That’s still a vast improvement from previous years, however: In 2016 the average was over 60 days, in 2015 it was 70, and in 2014 it took most companies 90.9 days to report a breach.


The total number of breaches exposing over 100 million records was consistent as well: There were 12 breaches of that magnitude in 2018 and 13 in 2017. The majority of breaches exposed fewer than 10,000 records, and externally-originating hacking attacks were the most common source of breaches, the report added.

One change the report noted was in the type of attack that exposed the most records, with web-based breaches reclaiming the top spot from hacking attacks. Web breaches include improperly configured databases and other forms of attacks that take advantage of publicly exposed records.

As for who is most at risk for a breach, businesses located in the United States should take caution: The US was the target of 2,264 successful breaches last year, making it the leading country by an absurd margin, while the United Kingdom, at no. 2, only suffered 144 breaches.

The sectors being targeted for data breaches are led by three groups: Finance and insurance companies, health care organizations, and public administration/government entities. Those three sectors combined were the victims of 43.4% of all data breaches.

How should businesses respond?

Yes, there was a slight dip in the number of data breaches from 2017 to 2018, and there was an even greater drop in the number of stolen records. That’s really good news for businesses who have been stepping up their security practices and treating user records like the invaluable data they are.

Such a small decrease shouldn’t make businesses complacent. The year 2018 is still the second most active year on record, and could surpass 2017 in short order.

Web-based attacks are also at their most popular, and they remain a serious security risk for lots of organizations. Take steps now to protect your company from data breaches: it is better to prevent a disaster than to become a data breach statistic.

The big takeaways for tech leaders:

  • The number of data breaches in 2018 decreased by 3.2% from 2017, while the total number of records stolen decreased by 35.9% over the same time frame. — Risk Based Security
  • Web-based attacks, which rely on poorly configured security or exposed records, were the most popular way for attackers to steal data in 2018. — Risk Based Security