The threat level has never been higher for any organization. As recent headlines attest, no company, organization or government agency is immune to targeted attacks by persistent, skilled adversaries. Their unprecedented success has led many to question the efficacy of solely prevention-focused countermeasures. Rather, there is recognition that a more modern approach includes a multi-layer strategy in which early detection, attack containment and recovery measures are considered together. Having processes in place to detect, mitigate, respond to and remediate the impact of such attacks is imperative for all organizations from startups to global enterprises.
For the past several years we have proclaimed the previous year the “year of the breach,” as each overtook its predecessors in the number and impact of breaches. 2015 was no exception: with a 23% increase over the prior year, it broke the previous all-time record for reported data breaches, set in 2012.1 In the first half of 2015 more than 245 million data records were stolen, equivalent to roughly 16 records per second.2 The trend is continuing, with the Identity Theft Resource Center reporting that 2016 year-to-date breaches are up nearly 24%.3 Further, over the past ten years the type of data stolen, and how it has been used, shows increasing sophistication: from the 2007 theft of TJX Companies’ credit card data; to the 2011 breach of Sony business data; to the 2014 attack on JP Morgan and other banks, whose data was used to manipulate stock prices; to the 2015 OPM breach, which included fingerprint data.4
2015 made its mark not only in absolute numbers but, equally troubling, in the expanded scope and impact of breaches and exploits. Victims spanned nearly every segment of the population, including consumers, government employees and children. Going beyond credit card data, recent breach targets have included insurance, medical, voter and political interest data. Few were spared, and the collective impact of these breaches will not be known for years to come.
The Office of Personnel Management (OPM) breach exposed over 21 million records, including security clearance applications containing social security numbers, employment history and fingerprints, placing government employees and contractors at risk far beyond that of a typical credit card compromise. VTech, a multinational toy company, experienced a breach affecting 6.3 million children, exposing their names, home addresses, passwords, and even selfies and chat logs.5
In the mobile sector, a T-Mobile breach exposed some 15 million customers; in another incident, recordings of 70 million inmate phone calls were compromised, putting attorney-client privilege at risk; and the infamous Ashley Madison breach impacted 37 million “socially active” adults.6,7 Topping the charts was the Anthem breach of 78.8 million records.8
The year ended with the disclosure of over 191 million American voters’ records, including political party affiliation and voting history. Combined, these data sets paint a comprehensive picture of a person’s interests, motivations and views on a range of personal and sensitive subjects, and they are the path to identity theft and socially engineered exploits targeting both personal and business data.9
Beyond Consumer Data
What these and other headlines do not reveal is the increased focus on, and success in, targeting businesses and their proprietary and confidential data. Using micro-targeted spear phishing and malvertising, attackers are increasingly able to compromise higher-net-worth entities, including professional services organizations and their C-suite.10 According to the U.S. Federal Bureau of Investigation, Business Email Compromise (BEC) scams, which socially engineer a business’s employees into transferring funds to the attacker, increased 270% since January 2015.11 Such emails are sent from domains that closely resemble a known domain and/or forge the “From” address of a known sender, and the resulting losses are typically not covered by insurance policies.12
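As an added example (not part of the OTA guide), the following Python script applies the two BEC tells described above to raw message headers: a sending domain that merely resembles a known domain (homoglyphs such as 1 for l or rn for m, a dropped letter, or the real domain reused as a leading label of an attacker-controlled one), and a “From” that does not match where replies would actually go. The trusted-domain list, the homoglyph table, the edit-distance threshold and both sample messages are constructed for illustration and are not from any real incident.

```python
"""Header checks for Business Email Compromise (BEC) lookalike senders.

Added example, not part of the OTA guide. TRUSTED_DOMAINS, the homoglyph
table and the sample messages below are all constructed for illustration.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains this organization treats as known, trusted senders.
TRUSTED_DOMAINS = {"example.com", "example-partner.com"}

# Assumed (not exhaustive) substitutions attackers use because the
# characters look alike in common fonts; multi-character pairs go first.
_MULTI = {"rn": "m", "vv": "w"}
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents and collapse common homoglyphs."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    for pair, repl in _MULTI.items():
        d = d.replace(pair, repl)
    return d.translate(_SINGLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    The real domain and its genuine subdomains are never flagged. A
    candidate is a lookalike if, after homoglyph folding, it equals a
    trusted domain, uses one as a leading label (example.com.evil.net),
    or is within two edits of one (example.co, exmaple.com).
    """
    d = domain.strip().lower().rstrip(".")
    if not d:
        return None
    for t in trusted:
        if d == t or d.endswith("." + t):
            return None
    nd = normalize_domain(d)
    for t in trusted:
        nt = normalize_domain(t)
        if nd == nt or nd.startswith(nt + ".") or edit_distance(nd, nt) <= 2:
            return t
    return None


def _domain(header_value) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings for one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From"))
    imitated = lookalike_of(from_dom, trusted)
    if imitated:
        findings.append(f"lookalike-domain: From '{from_dom}' imitates '{imitated}'")
    if "xn--" in from_dom or not from_dom.isascii():
        findings.append(f"idn-domain: From '{from_dom}' uses non-ASCII or punycode labels")
    # A forged From is often paired with a Reply-To or Return-Path that
    # routes the victim's answer back to the attacker's real mailbox.
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(hdr))
        if dom and dom != from_dom:
            findings.append(f"{hdr.lower()}-mismatch: {hdr} '{dom}' differs from From '{from_dom}'")
    return findings


# Constructed sample messages: one BEC attempt, one genuine internal mail.
SAMPLE_BEC = """\
From: "Jane Doe, CFO" <jane.doe@examp1e.com>
Reply-To: jane.doe@secure-reply.invalid
To: controller@example.com
Subject: Urgent wire transfer

Please process the attached wire before noon today.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@mail.example.com>
To: controller@example.com
Subject: Q3 numbers

See attached.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or ["clean"])
```

Two caveats a practitioner should keep in mind: the edit-distance threshold of two is tuned for domains of a dozen characters or more and will over-flag very short trusted domains, and a Return-Path that differs from the From is normal for mailing lists and third-party mail services, so that finding should raise a score rather than block on its own. Neither check replaces SPF, DKIM and DMARC on the real domain; they catch the lookalike domains those mechanisms cannot, because the attacker legitimately owns them.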
Virtually all industries are being targeted, from legal and accounting to architectural and engineering firms. Moving past credit cards, cybercriminals are increasingly obtaining proprietary business data and/or client records and deploying ransomware and cyber blackmail. Ransomware took the number two “crimeware” spot for 2015.13 Criminals hold data hostage, or threaten to expose it, extorting millions of dollars from companies that wish to avoid public embarrassment, data destruction and loss of intellectual property.14
The rise of ransomware over the past six months targeting health care providers and professional services firms15 makes it clear that criminals are learning the value of the data and the impact of its loss on a business. Recent ransom demands have shifted from opportunistic extortion to market-based extortion, or “cyber-surge pricing,” with demands scaled to the perceived value of the data to the victim. Leveraging the data users post on social media, including Facebook and LinkedIn, has increased attackers’ ability to craft socially engineered exploits targeting high-net-worth business victims.
Raising the complexity and business risk are far-reaching changes in the legal and regulatory framework. October brought the end of the 15-year-old Safe Harbor agreement with the EU and the proposal of its replacement, the EU-US Privacy Shield.16 In December the European Union reached agreement on the far-reaching EU General Data Protection Regulation. This regulation unifies the legal framework across the 28-member European Union, bolstering Europeans’ privacy rights with strict data collection rules and fines of up to 4 percent of a company’s global annual revenue.17
The U.S. Federal Communications Commission has proposed new breach reporting requirements for ISPs and mobile carriers, including notification to the FCC as regulator, to law enforcement and to consumers. Although limited to those carriers, the proposal may accelerate the development of national breach notification laws. (See Regulatory Landscape on page 38.)
Consumers are increasingly concerned. According to a 2015 survey from the Pew Research Center, 93% of adults say that being in control of who can get information about them is important. Further, 90% say that controlling what information is collected about them is important; 88% say it is important that they not have someone watch or listen to them without their permission. Most troubling is that only 9% say they are “very confident” their credit card data will stay private and secure. Combined, these are key reference points for all organizations to consider when amassing consumer data.18
Since OTA’s first report in 2009, we have learned that no organization is immune. As larger quantities of diverse data are amassed and reliance on third-party service providers grows, every business must be prepared for an inevitable loss of data. The facts highlight the need for startups and global enterprises alike to shift attitudes and make data security and privacy part of every employee’s responsibility.
OTA’s analysis of publicly reported breaches for 2015 revealed that 93% were avoidable. 65% were the result of actual hacks, and 15% were due to a lack of internal controls, leading to accidental or malicious actions by employees. The balance was primarily attributed to fraud (5%), lost or stolen devices (4%) and lost, stolen or misplaced documents (4%).
Key avoidable causes of data loss incidents include:
- Not patching known / public vulnerabilities.
- Misconfigured devices / servers.
- Unencrypted data and/or disclosed keys.
- Use of end of life devices, operating systems and applications.
- Employee errors – lost data, files, drives, devices, computers, improper disposal.
- Accidental disclosure via email, posting on public sites.
- Business Email Compromise & social exploits.
The Impact of a Breach
The impact and resulting costs can be staggering to a business and its ability to remain solvent. According to the Ponemon Institute’s 2015 global breach survey, the average cost of a breach was $3.8 million, or $154 per individual record lost or compromised.19 The post-breach impact extends well beyond direct costs, from legal and regulatory expenses to a damaged brand reputation, with resulting consumer abandonment and lost sales.
Small and large companies alike run the risk of a data breach, and the implications for the organization can be grave. The shock of a breach is compounded when the incident is reported inaccurately, further damaging the organization’s integrity and trust. Combined, a lack of planning and of adequate security and privacy practices can significantly harm a company’s brand, increase liability exposure and hurt the bottom line.
Often overlooked is the impact on business relationships and contracts with third parties. An incident can bring negotiations to a grinding halt or derail a merger. Companies need to understand the contractual obligations they hold toward customers, partners and service providers, which may include penalties, rights to audit and related downstream effects. An internal review and inventory of all contracts is highly recommended, calling out notification and security requirements. Such third-party clauses may include audit provisions and other remedies payable by the business that experienced the loss. This information needs to be incorporated into the organization’s communication plan as part of its overall incident response planning.
While businesses may be aware of the threat, they are not necessarily equipped to respond effectively. Businesses must acknowledge that company-wide panic and disruption can occur. Viewing breaches as a “technical issue” belonging to the IT department is a recipe for failure. Instead, every department within an organization needs to play a part in readiness planning, starting with responsible data privacy and collection practices and extending to the security of its own systems as well as those of its vendors. Those that prepare in advance will not only be positioned to survive a data breach but are also more likely to retain a positive reputation with their customers.
Not only must companies be prepared for a breach, they must also have a plan to appropriately analyze vulnerabilities reported by external researchers and others. As observed with Snapchat in early 2014, the lack of a process to respond to a reported vulnerability damaged the company’s reputation and exposed it to potential lawsuits and regulatory scrutiny. A mechanism to receive, review and respond to vulnerability reports is now considered an essential part of an organization’s security strategy.20
These trends suggest a need for increased adoption of responsible privacy and voluntary security best practices, broader transparency and more detailed reporting requirements.
As a result of the increased sophistication and tenacity of international crime syndicates and state sponsored attackers, combined with the proliferation of data stored on mobile devices, OTA expects the number and severity of breaches and resulting identity thefts will continue to grow.
OTA advocates that every organization handling data, ranging from email addresses to more sensitive PII, create a data lifecycle management strategy and incident response plan that covers data from acquisition through use, storage and destruction. A key to a successful data lifecycle management program is balancing regulatory requirements with business needs and consumer expectations. Success means moving from a compliance perspective (the minimum required) to one of stewardship, where companies meet or exceed the expectations of consumers. Consumers very often expect security even if they don’t explicitly ask for it, and are surprised when breaches occur and their security expectations are not met.21
What Have We Learned?
Breach incidents are a wake-up call for all organizations, whether they are non-profits, governmental agencies, or companies holding proprietary and employee data. While a compromised credit card amounts to an inconvenience, the consequences of other breaches can be far more significant. Looking ahead, we anticipate data analytics will play an increasing role in identifying a threat and raising the alarm. Such tools can provide visibility into what a threat is doing, where data is leaving the network, and what data is being removed or modified. There are several key lessons to keep in mind.
1. There needs to be a critical shift in attitude regarding roles and responsibilities of data stewardship and security. The emphasis is moving from an IT focus to a company-wide issue.
2. Data is often a company’s most valuable asset and, as a result, requires the appropriate level of protection and care.
3. The level of data security you apply must be commensurate with the data held. In other words, the level of security in place should reflect the potential risk and damage to consumers and to the company should that information be inappropriately accessed.
4. Only collect and retain data that has a business purpose. Protect it while it’s held, and then delete it when it’s no longer needed. Criminals cannot steal or hold hostage data you don’t have.
5. All businesses need to think about the consequences of a data breach and what could happen. It’s dangerous to think you aren’t going to be a target. Consumer, employee and corporate data is a valuable commodity. When combined or appended with other breached data, it increases in value.
6. Security and privacy are not absolutes and must evolve. Organizations need to regularly review how they store, manage and secure their data. A plan needs to include prevention, detection, notification, remediation and recovery processes and operations.
7. Security is beyond your walls. As more businesses rely on cloud services and third-party providers, a risk assessment must be conducted prior to usage and on an ongoing annual basis. Supplier risk management isn’t a one-time event. It needs to be done repeatedly before a contract is signed, and regularly after the contract is signed. Management teams should ask for regular (weekly, monthly, quarterly or annual) reports from vendors specifying their internal data security processes, data removal methods, tools and technology implementation and documentation.
8. Being prepared is not just for Boy Scouts. An incident plan needs to incorporate both disaster planning and training to help prevent, detect, mitigate and respond. Just like first responders, employees must be trained, equipped and empowered to deal with a data loss incident. Planning is the key to maintaining online trust and the vitality of the Internet, while helping to ensure the continuity of business.
Endnotes
1 Risk Based Security https://www.riskbasedsecurity.com/2015-data-breach-quickview/
3 Identity Theft Resource Center http://www.idtheftcenter.org/images/breach/ITRCBreachReport2016.pdf
4 See Dark Reading
6 70 Million Inmate Calls http://www.slate.com/blogs/business_insider/2015/11/12/anonymous_hacker_released_70_million_jail_calls_indicating_routine_violation.html
7 Ashley Madison breach http://www.forbes.com/sites/thomasbrewster/2015/07/20/ashley-madison-attack/
8 Anthem breach http://www.computerworld.com/article/2888267/anthems-now-says-788m-were-affected-by-breach.html
9 Voter Data http://www.forbes.com/sites/metabrown/2015/12/28/voter-data-whats-public-whats-private/
10 Malvertising typically involves injecting malicious or malware laden advertisements into online advertising networks and webpages.
11 FBI press release https://www.fbi.gov/cleveland/press-releases/2016/fbi-warns-of-rise-in-schemes-targeting-businesses-and-online-fraud-of-financial-officers-and-individuals
12 BEC fraud http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/
13 Verizon Data Breach Investigation Report 2016 http://www.verizonenterprise.com/verizon-insights-lab/dbir/
14 2015 Ransomware trends http://www.darkreading.com/endpoint/2015-ransomware-wrap-up/d/d-id/1323424
15 Hollywood Presbyterian Medical Center in California in February 2016 and MedStar Health in Maryland in March 2016.
16 Data regulators reject Privacy Shield https://www.theguardian.com/technology/2016/apr/14/data-regulators-reject-eu-us-privacy-shield-safe-harbour-deal
17 EU General Data Protection Regulation http://www.nytimes.com/2015/12/16/technology/eu-data-privacy.html
18 Pew Research Center – Americans’ Attitudes About Privacy, Security & Surveillance http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/
19 2015 Ponemon Institute Global Cost of Breach Report, sponsored by IBM http://www-03.ibm.com/security/data-breach/. Note: for U.S.-only breaches (62 incidents) the cost was $217 per record and the average cost $6.5 million. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03055USEN&attachment=SEW03055USEN.PDF
21 Developing Secure Software http://www.cnet.com/news/gary-mcgraw-on-developing-secure-software-q-a/#!