Breaches and data loss incidents have become a fact of life for organizations of every size and throughout the public and private sectors. There is no perfect defense from a determined cybercriminal, but the best practices advocated by OTA and outlined in this paper can reduce a company’s attack surface and vulnerabilities.
Since OTA’s first report in 2009, we have learned that no organization is immune from the loss of confidential and sensitive data. As larger quantities of diversified data are amassed on a range of devices and third party service providers are increasingly relied upon, every business must be prepared for the inevitable loss. 2013 culminated with Target’s breach, which is estimated to impact upwards of 110 million credit and debit card accounts. This incident was a “perfect storm”, highlighting how breaches can occur at the worst time, catching a business off guard, paralyzing management and creating consumer remorse.1 Victims include not only the consumer, but also the business breached and the banks whose credit and debit cards have been compromised.
It is yet to be determined if Target adequately protected their systems. The long-term impact to their profitability and customer loyalty will not be known for some time while Target faces a range of lawsuits from banks, consumers and shareholders.2
Whether the result of an online attack, in-store breach, internal theft, malware, or accidental loss of data, such incidents can have significant financial impact and devastating consequences for the value of a company’s brand.
While businesses may be aware of this threat, they are not necessarily equipped to respond effectively. Businesses must acknowledge the company-wide panic and disruption that can occur. Viewing breaches as a “technical issue” is a recipe for failure. Instead, they need to recognize that every department within an organization needs to play a part in readiness planning. Those that prepare in advance will not only be postured to survive the data breach, but also retain their reputation with their customers.
Companies need to not only be prepared for a breach, but, equally important, have a plan to respond appropriately to third party notification of a potential vulnerability. As observed with Snapchat in early 2014, the lack of a process to respond appropriately damaged their reputation and opened them up to potential lawsuits and regulatory scrutiny.
The alarming growth in data incidents highlights the challenges business leaders are facing. Based on analysis of data provided by the Open Security Foundation and RiskBased Security, it is estimated that over 823 million records were exposed in 2013, including credit card numbers, email addresses, login credentials, social security numbers and other related personal information.3 Year-end data for 2013 identified 2,164 incidents. OTA’s analysis of these breaches revealed that 31% were due to a lack of internal controls, resulting in accidental or malicious events by employees, and 37% were the result of actual hacks. The balance of incidents were primarily attributed to lost or stolen devices (12%) and fraud (11%). Lost, stolen, or misplaced documents accounted for 9% of all incidents.4
Based on the 2013 Verizon Data Breach Investigations Report, 76% of network intrusions were due to exploited weak or stolen credentials and 29% used social engineering, a 4-fold increase in one year. These incidents are often crimes of opportunity, which cannot be prevented by technology alone. Inappropriate actions, such as bringing work materials home via personal e-mail accounts or on USB drives, and “low-tech events,” such as sending sensitive documents to the wrong recipients, can have the same effect as breach incidents caused by outside parties.5
These trends suggest a need for increased commitment and adoption of voluntary best practices. These include broader transparency and more detailed reporting requirements. As the result of the increased sophistication and tenacity of international crime syndicates, combined with the proliferation of data stored on mobile devices, OTA expects the number and severity of breaches and resulting identity thefts will continue to grow.
OTA advocates that every organization handling customer data, ranging from email addresses to personally identifiable information (PII), create a data management strategy and incident response plan that evaluates data from acquisition through use, storage and destruction. A key to successful data lifecycle management is balancing regulatory requirements with business needs and consumer expectations. Success means moving from a perspective of compliance, the minimum of requirements, to one of stewardship, where companies meet the expectations of consumers.
1 http://www.chicagotribune.com/news/sns-rt-us-target-breach-20131218,0,3434295.story
2 http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=d88fff5b-210d-4ade-aa0f-6b5233578102
3 https://www.privacyrights.org/data-breach and http://datalossdb.org/statistics
4 http://datalossdb.org/statistics
5 2013 Data Breach Investigations Report http://www.verizonenterprise.com/DBIR/2013/