Data Breach Digest: How your company can respond to new threats in the New Year
Each year we see massive changes in the cybersecurity landscape, from new threats to new regulations. And every year Experian takes a step back to analyze which risks are most likely to take center stage in the coming year. Our 2017 Data Breach Industry Forecast whitepaper, available now, examines five emerging threats that companies should actively prepare for in the coming months; however, we know that the threat landscape isn't limited to these predictions and will evolve throughout the year. There were other security issues that we considered for our final five predictions, and I'm sharing a few of the ones that were left on the cutting room floor as additional food for thought. These issues will also surely shape the discussion in Washington, D.C., and in the board room in 2017.
Looming Mega Breach
In 2014, several mega data breaches took the retail world by storm. Millions of payment cards were exposed, and cybersecurity took center stage in the minds of consumers and corporations. In the years since, other sectors, such as healthcare, have also suffered targeted attacks (think Anthem and Premera Blue Cross). While there have been major username and password breaches in the last year, we haven't seen more sensitive records, such as payment card, health or Social Security data, lost at the level of previous years. But it is only a matter of time before another company is hit.
Like the major earthquake predicted in California, it is difficult to say exactly when it will happen or which sector will be targeted, but it is safe to say that it will involve a large amount of personally identifiable information.
While many companies are investing more in security, making the types of attacks that caused previous mega breaches less likely, the reality is that the ability to attack is outpacing the ability to defend. According to the RAND Corporation's report, The Defenders' Dilemma, attackers will always find a countermeasure for new defensive systems, so it is only a matter of time before they find new avenues to compromise highly sensitive information. The value of the information is too high for it not to eventually become the target of a sophisticated attacker.
Additionally, as digital transformation and data collection become the norm for business, the number of companies with large amounts of data is increasing, creating a greater number of targets for hackers.
The good news is that we have seen many companies develop response plans over the past three years. According to the Ponemon Institute, the percentage of companies with response plans rose from 61 percent in 2013 to 86 percent in 2016. However, a mega breach will strain even the best plan. To prepare for this, companies should ensure their plans account for emerging threats, are practiced on a regular basis (for example, through tabletop exercises) and have buy-in from key members of the C-suite.
A Major Cloud Provider Will Suffer a Security Incident and Make Headlines
The cloud has changed the way companies do business, making it easier than ever to store large amounts of data, collaborate across the globe and scale services based on need.
While major cloud providers have invested heavily in security and are continually working to improve their systems, there are risks that come along with trusting another company with an organization's most sensitive data.
As the number of companies using the cloud grows, so does its appeal to hackers. The massive amount of data stored in the cloud makes it a prime target. Data breaches of platforms like Adobe Creative Cloud and LastPass could be just the beginning. The Dyn DDoS attack showed a different kind of weakness: when many services depend on a single provider, such as a DNS provider, an attack on that provider can knock large parts of the internet offline and cause significant disruption for businesses.
As companies prepare to work with cloud providers, they should understand how they will be notified of security incidents, and how the provider will work with them if the provider loses their data or the data becomes unavailable because of a DDoS or ransomware attack. Having clear contractual provisions on these items, including notification timelines, is important when negotiating the deal.
Major Security Issues Will Arise From the Internet of Things
In 2015, we predicted that the Internet of Things (IoT) would create a new platform for breaches, and while we may have been a little ahead of the times, we are beginning to see this threat take off. While we haven't seen a major loss of data yet, the recent DDoS attack on Dyn showed the power of IoT to disrupt systems.
Corporations will continue to see security issues arising from IoT in 2017 as an increasing number of machines are connected to the Internet. These attacks will come in a variety of forms, but just as the Dyn attack was carried out by a botnet of compromised IoT devices, there is a good chance we will see similar techniques used to execute more DDoS attacks and to install malware and ransomware.
Companies introducing IoT devices into corporate environments should ensure they have a cohesive and thoughtful plan in place for how they review devices before deployment, including how each device is inventoried, segmented from sensitive systems and kept up to date. As companies adopt interconnected products and systems, they need to emphasize risk management and security among employees and third-party vendors who have access to those systems.
New Administration, New Congress, New Cybersecurity Policies
Cybersecurity was a major issue in this year's election, from the DNC hacks to its prominence among the presidential debate topics. This reflects our modern era, in which the new administration and Congress must seriously consider both offensive and defensive strategies for protecting American citizens and corporations.
The new administration will likely place a large emphasis on shoring up the United States’ cyber defense and identifying vulnerabilities. In fact, the proposed cybersecurity platform during the campaign called for a Cyber Review Team to provide recommendations and establish protocol for cybersecurity awareness training by all government employees.
Congress will also continue to place an emphasis on the threats that face Americans. Although Republicans are normally wary of regulation, cybersecurity has traditionally been an issue with support across the aisle. Consumer protection and privacy issues will likely remain the focus of cybersecurity legislation; however, it's unclear whether it will gain traction given the many other priorities for Congress.
Just as companies are preparing to handle new international legislation like GDPR, they should be prepared to see new regulations in the United States as well, either on the state or national level. Working with the right team of experts to navigate these rules will help ensure companies are compliant with the varying regulations across the country.
While it can be difficult to keep up with the evolving cybersecurity landscape, examining the emerging threats and understanding their implications can help companies stay ahead of the curve. There is no way to predict when we will see the next mega breach or what new regulations Congress will pass; however, companies can prepare for both by ensuring they are vigilant in updating and practicing their response plans.
P.S. – As we move into the holiday season, fraud levels may increase. In the spirit of giving, I wanted to share some tips for protecting yourself and your family this season. Learn how to stay safe at home, at the office and while traveling here. Happy holidays.
About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].