Insights from the Cyber Risk Summit Beverly Hills – October 2023
Authored by Ryan Coyne

I recently participated in a panel with industry experts, delving into third-party cyber risks. The panel shed light on best practices, challenges, and strategies to mitigate the impact of third-party incidents.

Panel Participants:
Stu Panensky (Moderator) – FisherBroyles, LLP
Ryan Coyne – Experian
Tom Egglestone – Resilience
Mark Grazman – Fenix24
Matthew Saidel – FTI Consulting

Agenda:
Incident Best Practices: Collaboration & Coordination on IR Action Items
Upstream Risk of Third Parties: Vendors, Suppliers & Business Partners
Downstream Risk in the Policyholder Supply Chain

The Cyber Risk Summit held in Beverly Hills provided valuable insights into the risks of engaging unsecured third parties.

Key Takeaways

Understanding the Significance
Tom emphasized the longstanding nature of cyber risk exposure tied to third-party relationships. The increasing reliance on external vendors in a tech-enabled world has heightened this risk, especially with the surge in outsourcing and software adoption. Tom highlighted that, even in 2019, Gartner research indicated that 60% of surveyed companies worked with over 1000 third parties in their supply chain, setting the stage for the escalated risk environment post-pandemic.

Crisis Communications in Third-Party Incidents
Matt shared insights into the challenges faced when third-party incidents unfold. He stressed the necessity of involving crisis communications consultants early in the process, especially for upstream and downstream incidents. Preserving the right to operate and maintaining client trust amid incidents were key points Matt made.

Hands-On Restoration Perspective
Mark, providing a hands-on restoration perspective, discussed the rarity of involvement at the inception of an event. His emphasis on locking down infrastructure, understanding the threat actor’s persistence, and encouraging robust backup strategies showcased the intricacies involved in restoration efforts.

“Restoration efforts often kick in when patient zero is unidentified. Locking down the infrastructure and focusing on repairing affected elements are essential” – Mark Grazman, Fenix24

Notification Strategies and Legal Implications
Representing Experian, I shared my perspective on notification complexities that the average consumer may not be aware of: notifying everyone upfront versus opt-in processes, the legal implications of notifying on behalf of others and coordinating with multiple parties, the nuanced approach to call center communication, and the crucial role of clear details in notification letters in minimizing confusion for recipients. I want to emphasize a point I made earlier in the panel on the downstream impact of notification strategies and the need to customize communication for recipients.

“For these incidents, it’s most important to minimize complexity on the notification side and minimize confusion for the recipient of your notification letter.” – Ryan Coyne, Experian

Insights from an Insurance Claims Handler
Tom, as an insurance claims handler, underscored the importance of understanding vendor contracts, particularly clauses related to defense and indemnity. He highlighted the need for transparency in the vendor’s incident response process, especially when the insured isn’t in control, which adds a layer of complexity to communication and expectation setting.

Crafting a Seamless Notification Process: Public-Private Partnerships
Stu Panensky, Moderator: Public-private partnerships emerged as a recurring theme during the panel discussions. The need for collaboration between law enforcement, insurance companies, and businesses became evident. Stu emphasized the role of public-private partnerships in influencing better outcomes and impacting data protection, regulation, and litigation.

The insights from the 2023 Beverly Hills Cyber Risk Summit underline the interconnected nature of cyber risks and the critical importance of proactive measures. Stakeholders are urged to adopt a collaborative approach, navigate legal complexities, and stay vigilant in the face of evolving challenges. I welcome you to watch the full discussion on-demand.

Watch the panel session on-demand now
The threat of data breach is constant in our modern, digital world. As technology advances, so do the strategies and tactics of malicious actors seeking ways to monetize the vulnerabilities of organizations. It’s not a matter of if, but when, a data breach could impact your organization, and it is important for businesses to understand how to operate in that reality.

What is a Data Breach?

For many organizations, a data breach is arguably one of the greatest threats to prevent. What is a data breach? Imagine your organization as a fortress, safeguarding a treasure trove of sensitive information: customer data, financial records, proprietary algorithms. A data breach is the unwelcome intrusion into this fortress, where unauthorized individuals gain access to confidential information, often with malicious intent. This can encompass many types of data, including personal identification information (PII), financial data, and intellectual property. Breaches range from intentional cyberattacks to inadvertent exposure due to system vulnerabilities or human error.

To grasp the gravity of data breaches, consider that businesses face tangible consequences when their defenses are breached, and there are no signs of the trend slowing down. The frequency and severity of data breaches are alarming. According to recent studies¹, the healthcare sector experienced a 55% increase in data breaches in 2022. No business is immune to the evolving threat landscape, especially companies that capture customer data and are therefore inherently the stewards of this data. Understanding the landscape of data breaches will help you better fortify your business against a breach. In the next sections, we’ll explore the causes, impacts, post-breach response strategies, and preventative tactics businesses can employ to safeguard their data.

Causes of Data Breaches

Human error
Even the most well-intentioned employees can become the weak link in an organization’s security chain. According to the “2023 Verizon Data Breach Investigations Report,” 74% of data breaches involve a human element². Investing in comprehensive training programs is essential to foster a culture of cybersecurity awareness and mitigate the risk of employee-related mistakes.

Cybersecurity vulnerabilities
The digital landscape is rife with potential vulnerabilities, and cybercriminals are adept at exploiting them. Regular cybersecurity assessments, prompt system updates, and the implementation of robust security protocols are recommended proactive measures to fortify against breaches that capitalize on system vulnerabilities.

Insider threats
Data breaches can originate from within, whether through disgruntled employees with malicious intent or well-meaning staff who inadvertently compromise security. Gurucul’s “2023 Insider Threat Report” highlights that 60% of organizations experienced insider-related incidents in the past year³. Establishing stringent access controls, closely monitoring user activities, and implementing employee education programs are vital steps to mitigate the risks associated with insider threats.

Weak and stolen passwords
Weak and stolen passwords stand as one of the most common gateways for data breaches. Cybercriminals exploit individuals who use easily guessable passwords or recycle them across multiple platforms. This creates a vulnerability that can be easily exploited through automated attacks. Ensuring robust password policies, employing multi-factor authentication, and regularly updating credentials are necessary measures to thwart these breaches and safeguard sensitive information.

Malware
The insidious world of malware is a persistent threat to data security. Malicious software, often disguised as innocuous files or links, infiltrates systems and wreaks havoc by compromising data integrity and confidentiality. Malware can then swiftly spread, leading to unauthorized access and data exfiltration. Regularly updating antivirus software, conducting thorough system scans, and educating employees about the dangers of clicking on suspicious links are pivotal defenses against malware-driven breaches.

Social engineering
Social engineering, manipulating individuals into willingly divulging confidential information, has emerged as a cunning and effective tactic in data breaches. Whether through phishing emails, deceptive phone calls, or impersonation, cybercriminals exploit human trust to gain unauthorized access. Raising awareness among employees about the dangers of social engineering, implementing rigorous verification processes, and fostering a culture of skepticism can fortify an organization’s defenses against these subtle yet potent attacks.

Physical attacks
While the digital realm often takes center stage, physical attacks on data infrastructure remain a tangible and underestimated risk. Breaches can occur through unauthorized access to servers, theft of physical storage devices, or tampering with network equipment. Implementing stringent access controls, employing surveillance systems, and securing physical infrastructure are crucial steps to mitigate the threat of data breaches stemming from physical incursions. Building both digital and physical protective measures strengthens your defense against the multifaceted landscape of data breaches.

Impacts on Businesses

Financial repercussions
Data breaches are costly to businesses, with immediate and enduring consequences. The “Cost of a Data Breach Report 2023” by IBM reported that the average cost of a data breach was $4.45 million per organization⁴. Long-term financial implications include loss of customers, diminished revenue streams, and increased cybersecurity investments to rebuild trust and fortify defenses against future breaches.

Reputational damage
The fallout from a data breach extends beyond the balance sheet, leaving an indelible mark on a business’s reputation. According to a 2023 survey by Vercara, 66% of U.S. consumers would not trust a company that falls victim to a data breach with their data. Rebuilding trust with transparent communication, swift remediation, and proactive measures to prevent future breaches is essential, demonstrating a commitment to safeguarding sensitive information.

Operational disruptions
Data breaches disrupt daily business operations. It takes an average of 73 days to contain a cyber-attack, according to the Cost of a Data Breach Report 2023 from IBM⁴. Swift recovery requires a meticulous balance between addressing the breach’s immediate impact and resuming normal operations to minimize further operational strain.

Legal and regulatory implications
The legal aftermath of a data breach involves navigating a complex landscape of regulations and compliance standards. In the United States, data breaches may trigger legal consequences under various state laws. For instance, the California Consumer Privacy Act (CCPA) allows for fines ranging from $100 to $750 per consumer per incident⁵. Ensuring adherence to data protection laws, promptly reporting breaches to regulatory authorities, and implementing robust security measures become top priorities in avoiding the legal quagmire that often follows a data breach.

Notable data breaches

Yahoo! (2014): The personal information of 3 billion people was exposed, including names, birth dates, passwords, and phone numbers.
Cause: It is believed that the hack originated through a phishing email sent to a Yahoo! employee. Through this phishing email, it’s believed the hackers were able to access user databases and tools.⁶
Cost: $117.5 million in settlements and $350 million off its sale price to Verizon⁷

Marriott International (2018): Information of approximately 500 million guests was compromised, including names, contact details, passport numbers, and travel details.
Cause: A cyber-espionage campaign linked to a state-sponsored actor. Attackers gained access to Marriott’s Starwood guest reservation database due to vulnerabilities in the system.⁸
Cost: Over $100 million for remediation efforts and regulatory fines.⁹

Capital One (2019): 106 million customers’ personal information, including credit card applications and Social Security numbers, was exposed.
Cause: A misconfigured web application firewall that allowed a hacker to exploit a server-side request forgery vulnerability, leading to unauthorized access and the theft of sensitive customer data.¹⁰
Cost: Estimated between $100 million and $150 million in 2019 alone.¹¹

SolarWinds (2020): Hackers compromised the software supply chain, affecting numerous government agencies and major corporations globally.
Cause: The SolarWinds breach was a sophisticated supply chain attack in which malicious actors compromised the software update process, injecting malware into software updates distributed by SolarWinds and thereby gaining access to numerous government and corporate networks.¹²
Cost: At least $18 million¹³

JBS USA (2021): The ransomware attack on the world’s largest meat processor disrupted operations and impacted the company’s IT systems.
Cause: A ransomware attack, in which cybercriminals exploited vulnerabilities in the company’s IT systems to encrypt data and demand a ransom for its release, causing significant disruptions to operations.¹⁴
Cost: $11 million ransom paid by JBS to the hackers to restore its IT systems.

Post-breach response

Assessment and Damage Control

Immediate action steps
In the event of a data breach, the immediacy of the response is one factor in determining the outcome. Swift and decisive actions during the initial moments can be instrumental in preventing the situation from escalating. The primary focus at this stage is isolating the affected systems, swiftly disconnecting compromised servers and devices from the network. This can help stop unauthorized access and establishes the foundation for a more concentrated and effective response. Alerting the incident response team, IT personnel, and relevant stakeholders promptly is also worth considering to help gain control over the situation.

Forensic analysis
Understanding the who, what, and how of an incident is also an important step following a breach. In this context, involving forensic experts in a meticulous analysis is prudent. These professionals specialize in unraveling the intricacies of the breach, identifying entry points, and tracing the movements of attackers within your systems. The significance of forensic analysis extends beyond mere identification; it serves as the groundwork for prevention. Through a comprehensive study of the attack vectors and techniques employed, organizations can enhance their cybersecurity infrastructure. This process of gathering critical information about the breach contributes to the ability to preempt similar incidents, fostering a more resilient stance against evolving cyber threats.

Communication Strategy

Internal communication
Effective internal communication plays a pivotal role in building a resilient response framework. In the early stages of a crisis, employees emerge as the initial line of defense. Clearly conveying the severity of the situation provides them with a comprehensive understanding of the impact and the organization’s devised response plan. This also empowers the workforce, fostering a sense of unity within the organization and helping it navigate the challenges ahead cohesively, reinforcing its resilience in the face of adversity.

External communication
External communication holds equal importance, reaching beyond the organization to customers, partners, and stakeholders. It’s essential to construct messages with transparency, honesty, and a proactive stance. Silence or ambiguity can intensify the repercussions, so prioritizing openness becomes foundational for rebuilding trust. Being timely and forthright in sharing information about the breach and the steps taken to rectify the situation is generally a good strategy when engaging with partners and stakeholders. This approach not only informs but can also shape the perception of the organization’s dedication to security and integrity in the aftermath of a breach.

Legal and Regulatory Compliance

Notification requirements
Within the regulatory framework, a prompt response is an important post-breach step for organizations. It may first involve comprehensively detailing the legal obligations surrounding breach notifications to both regulatory authorities and affected individuals. It’s essential to recognize the variability in requirements across different regions and industries, underscoring the importance of remaining well-informed about these specific nuances. Timeliness of notifications is also a factor for organizations to consider. Numerous jurisdictions impose substantial fines for delays in reporting, making it essential for organizations to adhere to strict timelines. Transparency holds equal weight, necessitating clear communication about the extent of the breach, the nature of compromised information, and the specific measures being implemented to address the situation. This approach can help in complying with legal standards and plays a vital role in fostering trust among those directly impacted by the breach.

Legal counsel engagement
Organizations generally seek the support of legal counsel to help navigate the intricate legal aftermath of a data breach. Legal experts can help an organization through potential lawsuits and regulatory fines. Engaging legal experts early allows their insights to guide the overall strategy, shaping everything from the communication plan to the recovery efforts. With early legal counsel support, the organization can be proactive in addressing legal challenges, potentially mitigating the severity of consequences that may arise.

Recovery and Remediation

IT system restoration
The intricacies of IT system restoration mirror the reconstruction of a fortress following an intrusion. Restoring affected IT systems to normal functionality involves comprehensive measures such as thorough system checks, vulnerability assessments, and the eradication of any residual traces left by a breach. Additionally, organizations generally look to enhance security measures during the recovery phase. Simply reverting to the pre-breach state is not enough; instead, the recovery process serves as an opportunity to acknowledge vulnerabilities in old systems and bolster defenses. This entails updating and patching systems, reassessing access controls, and contemplating the incorporation of advanced threat detection tools. Such measures collectively work to minimize the risk of a recurrence and contribute to an overall fortified cybersecurity posture.

Prevention Strategies

Best practices for securing sensitive data
Securing sensitive data is important in the age of relentless cyber threats. Employing encryption protocols, conducting regular security audits, and limiting access privileges are foundational best practices. These proactive measures help create a robust defense, forming an intricate web that shields critical information from potential breaches.

Employee training programs to mitigate human error
Human error remains a significant contributor to data breaches. Implementing comprehensive employee training programs can be helpful in cultivating a security-conscious workforce and mitigating vulnerabilities caused by human error. From recognizing phishing attempts to practicing proper password hygiene, a well-informed staff acts as the first line of defense and can significantly reduce the likelihood of unintentional security lapses.

Implementing robust cybersecurity measures
The cornerstone of any data breach prevention strategy is the implementation of robust cybersecurity measures. This includes advanced intrusion detection systems, firewalls, and regular software updates. Proactively addressing vulnerabilities and staying abreast of the latest cybersecurity advancements help fortify an organization’s digital perimeter, creating an environment that is inherently resistant to malicious infiltrations.

Staying abreast of emerging trends
Staying ahead of data breach threats requires a keen awareness of emerging trends. From sophisticated phishing techniques to novel forms of malware, businesses should continuously adapt their cybersecurity strategies against the evolving tactics employed by cybercriminals. The dynamic nature of the cybersecurity landscape demands constant innovation. Adopting cutting-edge technologies like artificial intelligence for threat detection and investing in predictive analytics allows businesses to stay one step ahead, proactively identifying and neutralizing potential threats before they escalate.

Collaboration and information-sharing within industries
In the face of evolving cyber threats, collaboration is a powerful defense. Establishing networks for information-sharing within industries enables businesses to benefit from collective intelligence. By sharing best practices and threat intelligence, organizations can collectively strengthen their defenses against the ever-changing data breach landscape.

Takeaway

Data breaches are a persistent threat for all businesses capturing and storing personally identifiable information. Such businesses are inherently the stewards of this data and must protect it to prevent bad actors from gaining access for malicious intent. Knowing what a data breach is represents only the first step in protecting that data; it is key to take action. From securing sensitive data to fostering a cybersecurity-aware workforce, businesses must not merely react to the escalating threat of data breaches but proactively strive to create an impenetrable shield around their valuable information.

Visit our website for more information about our offerings and how Experian can help you prepare for and respond to data breaches.

¹ HIPAA Journal, 55% of Healthcare Organizations Suffered a Third-Party Data Breach in the Past Year [2022]
² Verizon, 2023 Verizon Data Breach Investigations Report
³ Gurucul, 2023 Insider Threat Report
⁴ IBM, Cost of a Data Breach Report 2023
⁵ Office of the Attorney General, California Consumer Privacy Act (CCPA)
⁶ CSO, Inside the Russian hack of Yahoo: How they did it
⁷ BPB Online, Yahoo Data Breach: What Actually Happened?
⁸ CSO, Marriott data breach FAQ: How did it happen and what was the impact?
⁹ Cybersecurity Dive, Marriott finds financial reprieve in reduced GDPR penalty
¹⁰ Investopedia, Capital One Data Breach Impacts 106 Million Customers
¹¹ CNET, Capital One $190 Million Data Breach Settlement: Today Is the Last Day to Claim Money
¹² TechTarget, SolarWinds hack explained: Everything you need to know
¹³ Reuters, SolarWinds says dealing with hack fallout cost at least $18 million
¹⁴ BBC, Meat giant JBS pays $11m in ransom to resolve cyber-attack
Reflections, New Predictions, and What to Expect by 2033

Where We’ve Been: A Cybersecurity Recap

It’s been a decade since Experian released its first forecast. At the time, hacker activity was heating up, and breach "fatigue" was setting in. The report highlighted the budding threat of healthcare incidents, started a conversation about the connection between the cloud, big data, and big international breaches, and was one of the first, if not the first, preparedness and response organizations to sound the alarm on the cyber insurance surge.

Fast forward to 2023: Clever cybercriminals have not slowed, and data breaches are busier and livelier than ever, with cyberattacks costing organizations $2.9 million every minute1, and major businesses suffering losses of $25 per minute.2

Hold on to your keyboard if you’re wondering where the cybercriminals could go next. The Tenth Annual Experian Data Breach Industry Forecast findings offer a road map into the future. Literally. It outlines how modern technology, cyber resilience, and cyber recovery will play a role in the next generation of attacks. With six predictions instead of five, this year’s report also candidly reflects on what we got right and where we missed the mark over the last nine years while homing in on what 2023 and 2033 could bring. Nearly 70% of business leaders feel their cybersecurity risks are increasing, and only 5% of companies’ data is properly protected.3

Where We Are: Reality. It’s Not Quite What It Seems

With more than 80% of U.S. adults expressing some concern about the metaverse4 and deepfake-enabled attacks up 53% from 2021,5 2023 could see cyberattacks move into unprecedented and uncharted territory. Will keyboards and screens become easy gateways to widespread attacks, in seen and unsuspected ways, for corporate entities and consumers alike? What about the continued rise of remote work? Will its staying power reveal vulnerabilities? As technology evolves, so too can scams and increased risk. Are you prepared? Globally, cybercrime is on track to cost $10.5 trillion annually by 2025.6

Where We’re Headed: Today and 10 Years From Now

The Tenth Annual Data Breach Industry Forecast isn’t a crystal ball, but it’s close. With ten reports now issued and over 18 years of experience servicing, researching, and tracking data breaches, I’ve encountered almost everything in the what-if world of preparedness drills and real-world live incident responses.

I’ll end with this fact. Only time will tell what happens next. Until then, if you’re a CISO, cyber risk insurer, CFO, General Counsel, or other professional responsible for or connected to cybersecurity preparedness and response, I recommend you review the Tenth Annual Experian Data Breach Industry Forecast. Your company’s future could depend on it.

Read the 2023 Experian Data Breach Industry Forecast

1-2 https://businessinsights.bitdefender.com/what-are-the-biggest-cyber-threats-of-the-future
3 https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
4-5 https://www.varonis.com/
6 Cybersecurity Ventures, Cybercrime Magazine
Experian’s 7th Annual Data Breach Preparedness Study is available now, and its findings show organizations struggling in a few areas that are sure to see data breach activity increase this year. New to the report this year: we surveyed IT and IT security, compliance, and privacy professionals in both the U.S. and EMEA to compare the regional differences among organizations and their outlook on data breach preparedness.

A few themes that stood out in the study this year were:

Spear Phishing and Ransomware
69% of respondents had one or more spear phishing attacks in 2019
Since 2017, the share of respondents who say their organizations are very confident or confident in their ability to deal with spear phishing attacks has declined from 31% to 23%
36% of respondents say their organizations had a ransomware attack last year, with only 20% feeling confident in their ability to deal with it
The average ransom was $6,128, and 68% of respondents say the ransom was paid

Confidence in Data Breach Response Plans
From a reputation standpoint, only 23% of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach
Only 38% of respondents believe they are effective at doing what needs to be done following a data breach to prevent the loss of customers’ and business partners’ trust and confidence

Global Data Breaches
Only 34% of respondents say they are confident their organizations are able to respond to global breaches, as breaches increasingly become international in scope

Read the full results of Experian's 7th Annual Data Breach Preparedness Study and see how you compare to other organizations when it comes to data breach preparedness.

Download the full study
Any responsible business manager knows that protecting business and client data is a vital part of running a successful organization. Now a new report identifies key factors that can improve a company’s ability to avoid hacks and prevent data breaches. And here’s the good news: These tactics really work.

During 2018, the number of personal records exposed in data breaches soared to a total of 446.5 million, more than double the number of records breached during 2017, according to the Identity Theft Resource Center. The business, healthcare and financial sectors were the top three sectors hit, with hacking being the most common form of attack.

But among the companies surveyed in the latest annual study sponsored by Experian Data Breach Resolution, there are important signs of hope. Despite the startling increase in the number of records stolen by data thieves (a gain of 126 percent), the number of survey participants reporting a breach increased by just 5 percent. This trend demonstrates that while hackers might be grabbing more data when they do manage to crack a database, the smaller increase in total breaches reported in the survey indicates that a growing number of institutions are improving their ability to fend off cybercriminals.

What’s their secret? To encourage more effective strategies to handle and prevent breaches, “Is Your Company Ready for a Big Data Breach?” uncovers several important lessons learned from companies that are successfully insulating themselves, and their customers, from data theft.

Prevention is the best response: The overarching lesson that researchers found is that an effective data breach response plan starts with preventing breaches in the first place, rather than reacting after customer and business data has been stolen. Of the 643 U.S. business people surveyed who work on privacy, compliance and IT security, 29 percent reported that their organizations had prevented any breach involving more than 1,000 records for the past two years.

Rate your plan: The Ponemon researchers found that the percentage of companies that find their data breach response plans to be very effective increased from 42 percent in 2016 to 52 percent in 2018. Not surprisingly, more people at organizations that didn’t report a breach rated their response plans as effective (62 percent), while 45 percent of those at companies that suffered data theft nonetheless felt their plans were effective.

Money matters: Ponemon researchers found that more investment in cybersecurity technology seemed to pay off. One of the most common factors among companies that prevented breaches was increased spending on technology to detect and prevent attacks. Of companies that prevented breaches, 73 percent increased their tech spending, versus 61 percent of those companies that were breached.

No train, no gain: An even bigger improvement came from training employees and making them aware of privacy and data protection issues and practices. The likelihood of a data breach was significantly reduced when awareness training specifically targeted employees and other stakeholders in business processes who work with or access sensitive or confidential personal data. At organizations that implemented training, 79 percent avoided a breach versus 69 percent of those that were hacked.

Cybersafety starts at the top: Executive engagement also matters. Making data security a priority among C-suite executives and corporate board members translates into keeping records safer. The study found that 54 percent of executives and 39 percent of directors were knowledgeable and engaged in planning data breach responses. At companies that were breached, 49 percent of executives and 32 percent of board members were involved with cybersecurity response.

Sharing is caring: Another key finding in preventing breaches is that organizations that share their insights and experiences in handling and preventing breaches improved their cybersafety. Operations that participated in learning about data protection and hacks from industry peers and government agencies were more likely to avoid a breach: 59 percent of those who joined sharing programs didn’t suffer an attack, while 46 percent of those participating experienced a breach.

Cybersafety is a process: Finally, organizations that want to stay cyber-safe might want to adopt the Boy Scout motto, “Be Prepared.” Companies that successfully prevented a data breach took several preventive measures to guard against attacks. That includes conducting regular reviews of physical security and access to confidential information, instituting third-party cybersecurity assessments, making data breach response part of their business continuity plans and creating backup websites that can be activated to provide content and information should a breach occur.

For the study, Ponemon researchers surveyed 643 professionals working in information technology and security, compliance and privacy who deal with data breach response plans in their organizations. The entire comprehensive survey of cybersecurity practices, “Sixth Annual Study: Is Your Company Ready for a Big Data Breach?”, is available to download now.

The Ponemon Institute, headquartered in Traverse City, Michigan, conducts independent research on data protection and emerging information technologies. Experian Data Breach Resolution helps businesses of all sizes manage the risk of fines, customer loss, negative press and litigation due to a breach of data, and is a subsidiary of Experian, the global leader in consumer and business credit reporting and marketing services operating in 80 countries.

Download the Ponemon study
Learn more about our Data Breach solutions
From malware and phishing to expansive distributed denial-of-service attacks, the sophistication, scale, and impact of cyberattacks have evolved significantly in recent years. With data breaches as the new normal, organizations must adopt stronger, more advanced technical solutions to protect sensitive data. While enhanced technology is necessary for defending against data breaches, it cannot work independently of precautionary, often-overlooked measures like risk assessment, threat information sharing, or employee awareness and education. Even with the most cutting-edge defense systems in place, companies can’t underestimate the importance of employing fundamental security practices to mitigate cyber threats.

In a climate where the risk of a data breach continues to grow, preparation is critical. “The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?,” sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute, examines how organizations stack up in data breach preparedness. Organizations can help mitigate risk by employing the best practices below:

Manage third-party risks: A cyberattack on partners or vendors can have dire consequences for an organization, regardless of how exhaustive its own security measures may be. The risk resulting from a third party’s lax security measures is too great to ignore. However, only 48 percent of organizations conduct assessments on third-party cybersecurity tactics.

Regularly review response plans: The threat and severity of data breaches are continually changing. Keeping a pulse on vulnerabilities is vital for any company. However, 40 percent of respondents say they don’t have scheduled times to review and update their data breach response plan. A staggering 26 percent report not reviewing or updating their organization’s plan after implementation.

Opt in to software updates: Outdated software exposes areas susceptible to infiltration, increasing a company’s risk of attack. Despite such risk, only 26 percent of respondents say employees are required to update software systems regularly. Organizations should require that all employees have the most up-to-date software available.

Educate, educate, educate: Data breaches caused by employee negligence are a concern of 80 percent of respondents. Because of their access to a company’s computers, systems, and networks, employees must be actively involved in an organization’s data breach defense. Organizations should conduct regular training and awareness programs on the consequences of mishandling sensitive confidential information.

Data breach preparedness is a multifaceted effort that requires cross-company support and involvement. Organizations can’t rely solely on technological solutions to thwart cyber threats. Having a solid response team in place and a well-defined process are fundamental elements of a data breach response plan that, though seemingly basic, should never be overlooked.

Download our Fifth Annual Data Breach Preparedness Study
Data breach industry predictions

High-profile data breaches dominated the headlines in 2017, and unfortunately, these attacks are anticipated to only increase in frequency and magnitude in 2018. Breaches like those that affected LinkedIn, Dropbox and Yahoo serve as a wake-up call for organizations to implement processes for safeguarding sensitive data and defending against attacks. However, for every advancement in cybersecurity, cybercriminals become more sophisticated in their techniques. Just when it seems like we have learned our lesson from one breach, another, more significant one occurs. As cybercriminals continue changing the rules mid-game, it has become clear that while they’re playing chess, we’re still playing checkers.

To help better prepare you and your organization for potential cyber threats, our team has put together its yearly data breach industry predictions on the issues and trends surrounding data security in 2018. Here are our five predictions for 2018:

1. The U.S. may experience its first large-scale attack on critical infrastructure, disrupting governments, companies and private citizens.
2. Failure to comply with new EU regulations will result in large penalties for U.S. companies.
3. Perpetrators of cyber-attacks will continue to zero in on governments – this could lead to a shift in world power.
4. Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless.
5. Vulnerabilities in Internet of Things (IoT) devices will create mass confusion, leading to new security regulations.

Download our complimentary report to learn more about how these trends will shape the coming year, see how we scored against our 2017 predictions, and check out our new section revisiting predictions dating back to our inaugural 2014 report.
Most companies aren’t prepared to respond to a global data breach, and aren’t yet ready to comply with the European Union’s General Data Protection Regulation (GDPR), even though it takes effect in less than a year, according to the latest Ponemon Institute report sponsored by Experian® Data Breach Resolution. Nearly a third of the 588 information security and compliance professionals interviewed for the survey said their organizations had no global incident response plan in place, and 38 percent have a single plan that’s applied around the world. Just 27 percent reported having separate plans at the country or regional level, but even those who had a plan weren’t confident about its efficacy.

The global scope of data breaches

The number of data breaches reached a record high in 2016 — 4,149 incidents in 102 countries around the world exposed more than 4.2 billion records, according to cybersecurity company Risk Based Security. Ponemon’s survey underscores the scope of global data breaches; 51 percent of respondents reported their companies experienced a global data breach in the past five years, and 56 percent of breached companies had more than one incident.

When the GDPR goes into effect in May 2018, any company that processes and/or holds the personal data of European Union consumers will be required to comply with the regulation, regardless of where the company is located. Failure to comply can lead to fines ranging from 2 percent to 4 percent of a company’s annual global turnover. Despite the escalating risks of falling victim to a global data breach and the possible repercussions of not complying with the GDPR, Ponemon’s survey shows a widespread lack of preparedness among companies.
Levels of unpreparedness

When it comes to preventing and responding to a global data breach, and ensuring they comply with the GDPR’s strict notification rules, many survey respondents expressed significant shortfalls in preparedness:

- Outdated and inadequate security solutions would hinder the ability of 49 percent to cope with a global data breach.
- Just 40 percent of respondents felt confident their organizations’ security technologies would adequately protect information assets and IT infrastructures overseas, and only 39 percent said they had the right policies and procedures to do so.
- Slightly more than a third thought their companies could successfully manage cultural differences and privacy and data security expectations in different areas of the world.
- A majority of respondents (89 percent) predicted the GDPR will significantly affect their data protection practices, and 69 percent felt non-compliance would hinder their companies’ ability to do business globally. Yet only a quarter said their companies were ready to comply with the new regulation.

While most understand GDPR is something they need to worry about, many aren’t sure what to do. The survey reveals some companies may be feeling desperate enough about the looming regulation to take drastic measures; 34 percent said their preparations include closing operations in countries with high non-compliance rates.

Timely notification of regulators and EU citizens affected by a data breach is a key component of the GDPR, yet the majority of our survey respondents (69 percent) said they would have trouble meeting the time limitations. The GDPR requires breached companies to notify regulators within 72 hours of discovering a breach, and affected consumers “without undue delay.” Half of our survey respondents said they experienced a global breach that required notification of victims.
Only 10 percent were able to do so within the GDPR’s 72-hour window; 38 percent reported notification took two to five months to complete.

Obstacles to preparedness

The years-long evolution of the GDPR, which will replace older regulations, is evidence that world governments are taking data breach risks seriously. Unfortunately, our study indicates not all C-suite decision-makers are as concerned about global data breach risks as they should be, and their antipathy is impairing their organizations’ ability to prepare for a global data breach. While the security professionals surveyed cited high-volume breaches (65 percent) and breaches involving high-value information (50 percent) as the data risks that concern them the most, only 30 percent said their organization’s C-suite was fully aware of the company’s compliance status. Further, just 38 percent said their executives viewed global data regulations as a top priority.

Technology limitations and lack of executive support are significant obstacles to preparedness and compliance, but they’re not the only ones. Additionally, survey respondents cited:

- Reluctance to make needed comprehensive changes in business practices (60 percent)
- Not enough budget to hire staff (37 percent)
- Unrealistic demands from regulators/regulations (35 percent)
- Not enough money for appropriate security technology (34 percent)
- Lack of knowledge about global data breach response (29 percent)

What companies must do

Some survey respondents indicated their organizations are taking the right steps toward preparedness and compliance. They are putting in place security technologies to quickly detect a data breach (48 percent), have tested and proven response plans (44 percent), can quickly identify whether a breach will require notification (15 percent) and are prepared to notify regulators within 72 hours of breach discovery (13 percent). However, many organizations could be doing more to prepare for a global data breach and to comply with the GDPR.
Global data breach risks continue to increase in number, scope and impact, and the potential loss of business and financial impact of a breach could prove catastrophic for affected companies. With less than a year to go until the GDPR takes effect, any company that conducts business internationally needs to act now to ensure it will be ready to deal with a global data breach when it occurs.
Like an unimmunized person in a roomful of flu patients, the healthcare sector continues to be at high risk of catching something unpleasant. Cyberattacks and data breaches jeopardize the well-being of healthcare organizations of every size, and too often their exposure is a result of not doing everything they can to immunize themselves against attack.

In our 2017 Data Breach Industry Forecast, we predicted the profitability and uneven defenses of the healthcare sector would cause cybercriminals to continue to focus attacks on healthcare organizations. Numbers from the Identity Theft Resource Center indicate our prediction was right; by mid-year, 151 healthcare breaches have compromised more than 1.9 million records, accounting for nearly 22 percent of all 2017 breaches thus far. We also predicted:

- Ransomware would emerge as a top threat for healthcare organizations.
- Cybercriminals would expand their range of targets within the sector, causing mega breaches to broaden their focus from insurers to other organizations, including hospital networks.
- Electronic health records and mobile applications would increasingly be targeted.

The year so far

In mid-May the WannaCry ransomware cyberattack became the largest ever, affecting computer systems in more than 150 countries. Ransomware uses malicious code to infect systems, seize control and shut down user access until the affected organization or individual pays a ransom to unlock their systems. Britain’s National Health Service (NHS) was one of the largest victims of WannaCry, which infected medical devices as well as administrative PCs. The impact was widespread, affecting critical operations and causing hospitals to reject patients, doctors’ offices to shut down and emergency rooms to divert patients. Like a patient with a compromised immune system who ignores his doctor’s advice to get an annual flu shot, the NHS allegedly disregarded multiple security warnings to update and protect its systems.
Cybercriminals have also expanded their targets for mega breaches beyond insurers. So far in 2017, the largest known healthcare breach in terms of number of compromised records occurred at a urology practice in Austin, Texas. ITRC statistics show nearly 280,000 records were compromised through the breach of the practice, which has eight locations in the greater Austin area. According to the practice’s official data breach notice, a ransomware attack encrypted data stored on the organization’s servers. Electronic health records were the target of cyberattacks at numerous healthcare organizations, including a fertility and menopause clinic in New Jersey, where more than 17,000 records were compromised, ITRC reports.

The number, scope and impact of healthcare cyberattacks will only grow. The industry that focuses on taking care of Americans’ physical and mental health should proactively take steps to safeguard its own health by updating security measures and data breach response plans.
Risk managers, legal experts and brokers say phishing and social engineering are, by far, the biggest security threats facing their companies and clients. In fact, 80 percent of legal experts polled by Advisen for Experian Data Breach Resolution’s 2017 Cyber Risk Preparedness and Response Survey, 68 percent of brokers and 61 percent of risk managers cited phishing/social engineering as their top concern. Why do they feel that way? A look at the numbers and some insight into human nature can explain their fears — and help you understand why your organization should be just as concerned about phishing risks.

By the numbers

Phishing and social engineering are particularly effective forms of cyberattack because they use technology and knowledge of human nature to manipulate employees into actions that serve the attacker’s purpose. How effective are they?

- Employees succumbing to a targeted phishing attack was one of the top two insider risks cited by executives who responded to the Ponemon report Managing Insider Risk through Training and Culture.
- Sixty-one percent of information security professionals polled by Wombat Security for its 2017 State of the Phish report said their organization had been the victim of a phishing attack.
- According to the Ponemon Fourth Annual Preparedness Study, 38 percent of respondents are not confident they can deal with a spear phishing incident.

The human risk factor

Phishing in general and spear phishing in particular are successful because human beings are often the chink in an organization’s cybersecurity armor. All it takes is one overly curious and under-cautious employee clicking on a suspicious email, or a well-meaning worker who responds to a seemingly authentic request for proprietary information. Those scenarios are the stuff of nightmares for information security professionals, and unfortunately they happen all too frequently.
Multiple studies show that negligent employees cause more data breaches than other sources, whether they succumb to a phishing attack or lose a company laptop at the airport. However, studies also show that cybersecurity training, including a component on phishing, can help reduce employee-related risks.

Training is critical

Among organizations that train employees on how to spot and avoid phishing attacks, 52 percent reported they were able to see quantifiable results — fewer successful attacks — based on their training, Wombat said. Respondents to the Advisen survey stressed the importance of creating a company culture in which cybersecurity is everyone’s job and knowledge of phishing and how to thwart attacks is the norm. Employee training in cybersecurity should begin as part of the onboarding process when the worker joins your organization, and everyone should get a refresher at least annually. While 67 percent of those surveyed by Ponemon said their organizations didn’t incentivize employees to proactively protect sensitive information or report potential issues, any successful culture of security should reward those who are embracing their roles as protectors — and not just punish those who fall short.
Late last year, our Third Annual Data Breach Industry Forecast predicted cybercriminals would continue to focus their attacks on healthcare institutions, inspired by the knowledge that the black market value of medical records continues to surpass the value of credit card numbers. Industry experts we interviewed also predicted employee missteps would be a source of healthcare breaches.

Entering the final quarter of 2016, our prediction is playing out in the numbers; nearly half of all consumers affected by a data breach so far this year had their personal information exposed through a healthcare-related incident, according to information compiled by the Identity Theft Resource Center. In the first three quarters of the year, 256 medical and healthcare data breaches exposed more than 13.5 million records, the highest number of any sector the ITRC tracks. Records compromised in a healthcare breach accounted for 47.2 percent of all affected records in 2016.

The healthcare sector has been a hotbed of attacks throughout the year, largely due to the continued value of medical records sold on the dark web. These records can be used for far more than just filing fraudulent medical claims. One lucrative use is filing fraudulent tax returns. CNBC reported the IRS expects, and has been bracing for, an increase in tax fraud linked to the high number of medical breaches this year.

It’s easy to understand why medical records can be so profitable for hackers. While financial accounts such as credit cards may contain a limited amount of personal information, medical records are much more comprehensive. Typically, they contain a wealth of information far beyond mere account numbers. In addition to names, addresses and birth dates, medical records often contain Social Security numbers, which healthcare providers may use as patient identifiers.

The employee factor

Many of the mega-breaches of 2015 occurred through digital routes that the average consumer would find downright arcane.
In 2016, we’ve seen an increase in smaller attacks with mundane origins such as stolen hardware, poorly secured employee email accounts or phishing attacks. Consider these examples reported in the HIPAA Journal:

- Four staff email accounts were compromised in a phishing attack on employees at City of Hope Hospital in California. To put it more bluntly, four hospital employees fell for scam emails and the result was, as ITRC reports, the exposure of more than 1,000 patient records.
- More than 200,000 patients of Premier Healthcare in Bloomington, Indiana, received notification letters after a password-protected but unencrypted laptop was stolen from the hospital’s billing department.
- A St. Louis, Missouri, not-for-profit healthcare system, BJC Healthcare, had to notify more than 2,300 patients their information was exposed after an employee mistakenly sent an email containing protected information to another medical organization.

For healthcare institutions, the takeaway from 2016 should be the need to remain vigilant and proactive regarding the many ways in which data breaches can occur. While 2015 was the year of healthcare mega-breaches, 2016 has seen the emergence of smaller breaches that still have the potential to cause significant harm to organizations and patients.
Our second annual data breach preparedness study, Is Your Company Ready for a Big Breach?, conducted by the Ponemon Institute, reveals good news and bad news for businesses concerned with data security—and that should be all businesses.

First, the good news: more companies are acting to address data breach risks. The majority (73%) of organizations now have a data breach response plan in place – 12 percent more than in 2012. And nearly half (48%) have boosted investment in security technologies in the past 12 months, aiming to better detect and respond to a data breach.

Now, for the not-so-good news: they’re not doing enough, and don’t have confidence in the effectiveness of their current measures. Survey results illustrate that not everyone is taking all the necessary steps to prepare for a data breach:

- A majority of 78 percent don’t regularly update their data breach response plans to address evolving threats.
- About two-thirds don’t have trained customer service staff who can respond to customer questions, concerns or complaints if a breach occurs.
- Only 29 percent of companies involve the CEO in dealing with security risks.
- Nearly three-quarters don’t have cyber insurance policies.
- Just 44 percent conducted a technical impact assessment to understand potential fallout from an incident.
- Less than a third had SIEM systems to facilitate early detection of an incident.
- 66 percent lack Mobile Device Management (MDM) to protect sensitive information from being pushed to mobile devices.

Those who have made provisions don’t necessarily feel more secure because of them:

- 62 percent don’t feel their organizations are prepared to respond to a data breach.
- 49 percent didn’t feel they were prepared to respond to the theft of information that would require notification to victims and regulators.
- Just a quarter were confident they could communicate about a breach and manage customer needs.
- 40 percent worry about the potential for a third party losing their data.
- Insider threats concern 56 percent, with 43 percent citing BYOD and cloud services as their top two internal threat concerns.

As to post-breach response, however, we are pleased to see that companies are well aware of the importance of providing customers involved in a breach with identity theft protection products and access to a call center; in fact, they cited those two as the most important services companies could provide post-breach.

Many of the concerns companies expressed over data breach preparedness and response – and in particular, worries over customer communication and regulatory compliance – can be addressed by preparing a response plan and practicing the plan on an ongoing basis. It’s also important to secure external partners such as legal counsel and a public relations firm, and to select a quality identity protection product to offer affected customers ahead of time. When a breach occurs, the complete response team and moving parts are ready to allow for a quick and smooth response.
An employee who never uses a mobile device – personal or company-supplied – for business purposes is becoming a rare creature, indeed. Use of mobile devices is prevalent across virtually every industry, and the convenience and flexibility these devices offer professionals can be great for business. Provided, that is, those devices are secure.

Mobile devices continue to be a significant source of data breaches, and a particular concern for anyone engaged in cyber security, according to eSecurity Planet’s Data Breach Roundup. Mobile-related data breaches stem from a range of circumstances, including loss or theft of devices, failure to use anti-malware, or failing to password-protect a device being used for business purposes. Devices can put your data at risk if an employee stores any proprietary information on a mobile device, or if workers use unsecured devices to access your network – even if you’ve taken steps to secure the network itself. Managing mobile devices can be one of the most challenging aspects of your overall cyber security program, but it’s imperative and – fortunately – not impossible.

Minimizing mobile device risks

CTIA, The Wireless Association, offers some guidelines for mobile device cyber security in its whitepaper “Today’s Mobile Cybersecurity: Blueprint for the Future.” The organization points to five cornerstones of mobile cyber security:

- Education about the importance of mobile security
- Devices with security features like anti-malware and anti-spam settings
- Strong, enforced network security policies
- Authentication for all network users
- Secure connections, from cloud to network

Many tools exist to help your organization ensure secure footing on each of those cornerstones. CTIA cites options like risk management, security policies and monitoring. We would add to that list, and emphasize the importance of, a data breach response plan that addresses the specific challenges and risks associated with a mobile-spurred data breach incident.
While your organization can take strong, reasoned steps toward minimizing risks, it’s equally important to be ready to respond when a breach occurs. Mobile device security is sure to be a growing issue throughout 2014, as more people than ever use smartphones, tablets and other mobile devices to work more efficiently. With the right precautions, you can help ensure your employees work safely, as well.
The purpose of any type of insurance is to protect your most valuable assets. To combat the prevalence of cyber attacks and data breaches, an increasing number of businesses in the health-care, financial services and technology industries have purchased cyber insurance policies to protect themselves from the crippling cost of a data breach. This is especially popular among start-up tech companies in Silicon Valley in order to safeguard their intellectual property (IP), since their IP is the backbone of their livelihood [1]. Since small businesses generally don’t have a risk manager and IT department dedicated to data security, a good cyber insurance policy can help mitigate cyber security risks.

Although accepted in some sectors, cyber insurance is still not an established part of many companies’ IT data security strategies. This is commonly due to a lack of agreed risk management standards and the challenge of substantiating and quantifying losses, in addition to finding objective data to back up cyber insurance claims. Some security experts feel that the federal government needs to kick-start growth in this market by requiring government contractors to purchase cyber insurance to set a standard for other businesses, sending the message that a company holding cyber security insurance is competently managing its data security.

As the cyber insurance industry evolves, here is a list of what the policies generally cover and what to look for:

- First-party claims – Costs incurred by the loss of trade secrets and intellectual property.
- Third-party claims – Damages a business must pay to customers who sue them for lost or compromised personal information.
- Business interruption coverage – In the event a data breach incident prevents the company from operating or functioning, the company would receive payment reimbursement for expenses incurred due to loss of business.
- A forensic IT investigation – Policies can cover the cost of an examination into how the data breach occurred, and some may even cover the costs of regulatory fines and penalties in addition to crisis management control, which includes data breach notification letters.

Security professionals stress that cyber insurance is not meant to be a substitute for data protection and security policies. In fact, before underwriting a policy, an insurance company will be hypervigilant in determining that its customers have proper protections and policies in place, since the insurance company will want to reduce its own risk. And since insurance has been a positive influence on other industries to improve performance and safety through risk mitigation, the theory is that a company with cyber insurance will implement proper preventative measures, in the hope that it will never have to use it.

[1] http://www3.cfo.com/article/2013/4/data-security_cyber-attacks-cybersecurity-liability-insurance-smb-growth-companies-risk-hogan-lovells
Outsourcing can be risky business. The Ponemon Institute reports that 65% of companies who outsourced work to a vendor have had a data breach involving consumer data and 64% say it has happened more than once. Their study, Securing Outsourced Consumer Data, sponsored by Experian® Data Breach Resolution, also found that the most common causes of breaches were negligence and lost or stolen devices. Despite the gravity of these errors, only 38 percent of businesses asked their vendor to fix the problems that led to the breach, and surprisingly, 56% of the companies learned about the data breach accidentally instead of through security protocols and control procedures.

These findings come from a survey of 748 people in a supervisory (or higher) job who work in vendor management at companies that share or transfer consumer data mainly for marketing, finance and outsourced IT operations including cloud services and payment processing. The survey also polled the vendors, and 57% of them reported that they, in turn, outsourced work to a third party. 23% of vendors could not tell how often data loss happened, which is a sign that they don’t have proper procedures and policies in place to know when incidents occur. When asked about their data breach notification practices, only 16 percent of vendors said they immediately notified their client after the breach investigation, with 25 percent saying they don’t even tell clients about breaches of data.

Keeping all work and information in house is not feasible in today’s multi-corporate companies, and outsourcing is a business reality; however, all parties have a responsibility to protect the sensitive and confidential data that is entrusted to them. When outsourcing consumer data to vendors, here are a few guidelines companies need to follow to safeguard the information:

1. Make sure you hold vendors to the same security standards as your own in-house security policies and practices.
2. Make sure the vendor has appropriate security and controls procedures in place to monitor potential threats.
3. Audit the vendor’s security and privacy practices and make sure that in your contract with them, the vendor is legally obligated to fix data problems should a breach occur, including notifying consumers.
4. Monitor the security and privacy practices of vendors you work with, especially if you share consumer data with them.
5. Require background checks for vendor employees who have access to confidential information.

The goal of this study was to better understand what companies are doing to protect consumer data they outsource and where improvements could be made to ensure privacy and security when sharing private information with third parties. The solution seems to be that all parties must first agree that data privacy and protection is paramount and then work toward the mutual goal of achieving responsible privacy and security practices.

Download the Securing Outsourced Consumer Data report