With the end of the year fast approaching, now is an apt time to reflect back on 2014 and look ahead to what’s to come next year. For the data breach industry, 2014 was an explosive year with nearly half of all organizations suffering at least one data breach – up 10 percent from the year prior. This has resulted in companies taking positive initial steps to prepare for a breach, but much remains to be done.
To help businesses prepare for what is on the horizon, Experian Data Breach Resolution has developed six key predictions about how the data breach industry will evolve in 2015. These predictions are based on experience helping more than 3,000 companies manage breaches of all types in 2014 and conversations with leaders across the security landscape.
For more guidance on how to prepare for a data breach, you can also download the Experian Data Breach Response Guide, available for free at: http://www.experian.com/data-breach/2014-2015-response-guide.html.
The 2015 Data Breach Landscape
A closer look at data breaches in 2014, as well as what’s ahead for 2015, as identified by Michael Bruemmer, vice president, Experian Data Breach Resolution.
Changing State of Retail Breaches
With the imminent adoption requirement for EMV “chip and PIN” technology in the United States in October 2015, the window may be closing for hackers to easily profit from point-of-sale attacks on brick-and-mortar retailers. Today, U.S.-based retailers face a perfect storm: they hold information that is an attractive target for attackers, and malware capable of compromising payment systems is being sold on the black market. Expect a continued influx of payment breaches in the near term before the new system is implemented late next year.
In the interim, larger retailers will continue to take steps to harden their systems to be less vulnerable to attacks. However, despite increased security efforts, attackers may look for new ways to compromise these companies given how profitable the payoff can be. IT security professionals should be wary of the potential for the new infrastructure to create a false sense of security for their colleagues and consumers.
More Hackers Will Target Cloud Data
Cloud services have been beneficial to both consumers and business productivity. However, as more information gets stored in the cloud and consumers rely on online services for everything from mobile payments and banking to photo editing and commerce, these services become a more attractive target for attackers. In fact, a recent study from Juniper Networks and the RAND Corporation found a Twitter account is worth more on the black market than a credit card number.
Beyond online credentials, loss of other personal information remains concerning, if still underreported. Breached emails often lead to spear phishing attacks or spam, and lost personal information such as name, address, date of birth and Social Security number can be used as part of synthetic identity theft.
Health Care Breaches Will Persist
Health care breaches are expected to persist in 2015 due to multiple vulnerabilities and the high value of protected health information (PHI) on the black market. Health care organizations face the challenge of securing a significant amount of sensitive information stored on their network which, combined with the value of a medical identity string, makes them an attractive target for cyber criminals. The problem is further exacerbated by the fact that many doctors’ offices, clinics and hospitals may not have enough resources to safeguard their patients’ PHI. In fact, an individual’s Medicare card — often carried in wallets for doctors’ visits — contains valuable information like a person’s Social Security number (SSN) that can be used for fraud if in the wrong hands. Currently, Experian Data Breach Resolution is not aware of any federal or law enforcement agency that tracks data on SSN theft from Medicare cards, but the problem is widely acknowledged.
This year, Reuters reported that the FBI released a private notice to the health care industry warning providers that their cybersecurity systems are lax compared to other sectors. A memo reportedly stated, “the healthcare industry is not as resilient to cyber intrusions compared to financial and retail sectors, therefore the possibilities of increased cyber intrusions is likely.” According to the Ponemon Institute, 72 percent of health care organizations say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data shared on health information exchanges (HIEs).
Business Leaders Will Be Held Under the Microscope
Where previously IT departments were responsible for explaining security incidents, cyber attacks have expanded from a tech problem to a corporate-wide issue. With this shift, business leaders are being held directly accountable for data breaches.
Looking ahead, senior executives will be expected to have a better understanding of the data breach response plan, comprehension of new technologies and security protocols in the workplace, and a clearly defined chain of response should a breach occur. This often doesn’t exist today. According to a recent survey by the Ponemon Institute, 17 percent of senior executives are currently not aware of whether or not their organization had suffered a data breach in the last year.
Employees Remain Companies’ Biggest Threat
Although there is heightened sensitivity to cyber attacks amongst security professionals, a majority of companies will miss the mark on the largest threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls. Employees and negligence are the leading cause of security incidents but remain the least reported issue. According to industry research, this represented 59 percent of security incidents in the last year.
In 2015, security investments will favor new technologies capable of helping better prevent intrusions and the exfiltration of data by attackers. Currently, only 54 percent of organizations report they conduct security awareness training for employees and other stakeholders who have access to sensitive or confidential personal information. Making a significant dent in the number of breaches in 2015 will require companies to pay more attention to raising the security intelligence of employees.
Rise in Third-Party Breaches via the Internet of Things
Technology advancements mean the Internet of Things (IoT) is changing how people interact with everyday items. According to Gartner, the IoT will grow to 26 billion units installed in 2020, representing an almost 30-fold increase from 0.9 billion in 2009. With more companies looking to leverage the IoT by gathering, storing and processing data from billions of objects and devices, there are more points of vulnerability for this information to be targeted by hackers. As a result, an increase is expected in cyber attack campaigns initiated by IoT-compromised devices and interconnected systems adopted by organizations, including everything from sensor networks and work meters to consumer devices such as routers and NAS storage.
As companies adopt more interconnected products and systems, the IoT could usher in the next wave of large third-party breaches. Security professionals at companies using IoT data must emphasize risk management and security with third-party vendors that provide or have access to the same information.