Editor’s note: This is the first entry in a new monthly SecurityInfoWatch.com column series from Experian Data Breach Resolution Group Vice President Michael Bruemmer, CHC, CIPP/US, which will examine the latest data breach trends and the cybersecurity landscape as a whole.
Now that we are halfway through 2016 it’s safe to say that the volume, diversity and complexity of attacks facing businesses in all sectors are increasing at a troubling rate. This threat landscape is making it much more challenging for companies to be prepared to respond to emerging breach issues.
At the start of the year, Experian developed a forecast of breach trends that companies should look out for over the coming year, drawing from its experiences servicing thousands of breaches each year as well as insight from expert partners in the industry. Like Christmas in July, it’s important to re-examine these predictions, understand which are coming true and are of biggest concern, as well as share new issues that we’ve seen in the first half of 2016.
Along with being a great way to make sense of the major security news we see every day, a key part of effective breach response is being able to anticipate the emerging threats and effectively integrate them into the incident response process. The following reviews a few of our 2015 predictions to see how they fared and some fresh threats for businesses to consider.
EMV Chip and PIN Liability Shift Will Not Stop Payment Breaches
We predicted at the start of the year, despite all of the hype surrounding the liability shift with EMV chip and pin, payment-related breaches will still make headlines in 2016. This alarming trend has largely proved to be true with large national brands like Trump Hotels, Wendy’s and CiCi’s Pizza all announcing significant payments breaches in the first half of the year.
Why? Well it’s largely due to slow adoption of the new standard by many merchants, large and small alike, due to the cost of upgrading their equipment to accept the new chip cards and the potential to slow the check-out process for customers as they learn to use the new cards. According to a report from Boston Retail Partners, only 22 percent of merchants are ready to process EMV transactions. Or try this, next time you go to the mall, see how many times you swipe versus insert your card, assuming all your credit cards even have a chip.
Point being, any company that collects payments information should certainly consider adopting the new standard, but still be aware that payments breaches are likely here to stay and understand that new payment technologies are not a panacea.
The Healthcare Industry Will Face New Attacks and Stay in the Crosshairs
Over the several years that we’ve published predictions, the one that’s showed up every year and has proven true has been that healthcare organizations are a major target for attackers. There are several reasons for this continued focus by perpetrators:
- Valuable Data: Healthcare organizations typically collect and retain some of the most valuable information to cyber criminals, which can fetch much more money on the black market. In fact, studies have shown that medical records are about to pull 10 times the price of credit card information on the black market.
- Distributed Systems: The distributed nature of healthcare infrastructure and data significantly increases the attack surface for these records. Be it electronic health records needing to be sent to a variety of different providers or hospital networks, the potential for successful opportunistic attacks is higher than other industries.
One just needs to look at the Department of Health and Human Service’s “wall of shame” to see how frequent these attacks occur. Even more concerning, is the rise of ransomware targeting hospital networks and causing significant service outages, which we believe may continue.
Cyber Conflicts Between Countries Will Leave Consumers and Businesses as Collateral Damage
Attacks carried out by nation-state actors continue to grow as well as innocent citizens having personal information exposed due to attacks targeting the government. While the U.S. Office of Personnel Management hack last year is the highest profile example of this sort of attack, this trend has continued through the first half of this year.
There have been dozens of breaches with federal agencies from hackers leaking the Department of Homeland Security’s staff directories to the recent hacking of the Democratic National Committee’s servers. In fact, nearly 10 percent of all of the breaches my data breach resolution group has serviced so far involve federal agencies.
These attacks are also not limited to government targets. Businesses that control critical infrastructure or are doing business with the government are also being targeted by the same groups of highly sophisticated attackers. For businesses being targeted, it’s important that their response plans consider how they would respond and work with law enforcement as part of the investigation. Unlike traditional breaches, there is often a national security concern associated with these types of attacks, which necessitates collaboration with three-letter agencies.
Emerging Areas to Watch
The first half of 2016 has also presented several threats that companies must be on the lookout to address:
Phishing for Data (Not Malware): While spear phishing has long been a proven tactic used by attackers to get malware onto systems, we are now seeing attackers take a much simpler but highly effective approach to this age old scheme. Cyber criminals are using phishing to trick employees at companies into willingly sending sensitive data to them, without needing to actually hack their systems. This attack really took off the first quarter of the year when Human Resources professionals were targeted with a series of phishing e-mails that appeared to be coming from the CEO requesting that they send W-2s. While simple, this was highly effective.
There are going to be several other times in the year where we may see these type of attacks occur. For example, we are likely to see attacks on HR departments during the open enrollment period for healthcare plans. Effectively combating these types of attacks requires that companies devote more time and attention training employees. However, we’ve found only 43 percent of companies with data protection and privacy training program provide a basic security training course and less than half (49 percent) include phishing in it.
Username and Password Hacks Are Back in Style: While healthcare dominated the headlines in 2015, this year we’ve seen a resurgence of username and password hacks and subsequent selling of these credentials on the black market. From revelations that the LinkedIn hack from years ago was larger than originally believed to MySpace losing millions of previously stored credentials, I imagine almost every person has had a password exposed at this point.
The reason these attacks remain popular is because they can often be the gift that keeps on giving for the attackers because the reuse of the same or very similar passwords is so pervasive. I am willing to bet this problem is going to get worse before it gets better. While many sectors like banking are moving toward two-factor authentication, many others will not and we will remain vulnerable.
Corporate Extortion: I will leave you with one more trend to consider. By now, most readers have likely seen the increasing frequency of ransomware attacks targeting companies, but the problem is larger than many think. According to anti-phishing company PhishMe, 93 percent of the phishing e-mails they collected in March were ransomware attempts.
While ransomware has been around for some time, it was largely aimed at consumers and not designed to get itself on corporate networks, which are typically better protected. It seems that the potential profits provided by attacking corporate networks is worth the added effort it takes attackers. While the typical consumer ransom would be around $500, they can typically get upwards of $15,000 for an enterprise. Given the pervasiveness of this threat, it’s essential that this risk is incorporated into every incident response plan. You can learn more on ransomware and what to do about it in my next column.
It will be interesting to see how these and other threats play out over the rest of the year. The only thing that’s for sure is that they will inevitably evolve to always keep us on our toes and that many companies will no doubt be at the receiving end of an attack.
About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.