Data Breach

Late last year, our Third Annual Data Breach Industry Forecast predicted cybercriminals would continue to focus their attacks on healthcare institutions, inspired by the knowledge that the black market value of medical records continues to surpass the value of credit card numbers. Industry experts we interviewed also predicted employee missteps would be a source of healthcare breaches. Entering the final quarter of 2016, our prediction is playing out in the numbers; nearly half of all consumers affected by a data breach so far this year had their personal information exposed through a healthcare-related incident, according to information compiled by the Identity Theft Resource Center. In the first three quarters of the year, 256 medical and healthcare data breaches exposed more than 13.5 million records, the highest number of any sector the ITRC tracks. Records compromised in a healthcare breach accounted for 47.2 percent of all affected records in 2016. The healthcare sector has been a hotbed of attacks throughout the year, largely due to the continued value of medical records sold on the dark web. These records can be used for far more than just filing fraudulent medical claims. One lucrative use is filing fraudulent tax returns. CNBC reported the IRS expects, and has been bracing for, an increase in tax fraud linked to the high number of medical breaches this year. It’s easy to understand why medical records can be so profitable for hackers. While financial accounts such as credit cards may contain a limited amount of personal information, medical records are much more comprehensive. Typically, they contain a wealth of information far beyond mere account numbers. In addition to names, addresses and birth dates, medical records often contain Social Security numbers, which healthcare providers may use as patient identifiers. The employee factor Many of the mega-breaches of 2015 occurred through digital routes that the average consumer would find downright arcane. In 2016, we’ve seen an increase in smaller attacks with mundane origins such as stolen hardware, poorly secured employee email accounts or phishing attacks. Consider these examples reported in the HIPAA Journal: Four staff email accounts were compromised in a phishing attack on employees at City of Hope Hospital in California. To put it more bluntly, four hospital employees fell for scam emails and the result was, as ITRC reports, the exposure of more than 1,000 patient records. More than 200,000 patients of Premier Healthcare in Bloomington, Indiana, received notification letters after a password-protected but unencrypted laptop was stolen from the hospital’s billing department. A St. Louis, Missouri, not-for-profit healthcare system, BJC Healthcare, had to notify more than 2,300 patients their information was exposed after an employee mistakenly sent an email containing protected information to another medical organization. For healthcare institutions, the takeaway from 2016 should be the need to remain vigilant and proactive regarding the many ways in which data breaches can occur. While 2015 was the year of healthcare mega-breaches, 2016 has seen the emergence of smaller breaches that still have the potential to cause significant harm to organizations and patients. Learn more about our Data Breach solutions

What keeps your cyber security team up at night, and does it weigh equally on the minds of managers? Do they lose sleep worrying about malicious attacks from outside your organization? Or do they fear a careless employee will leave a laptop in an unlocked car or use an unsecured personal mobile device to access proprietary company information? Employee-related security risks are the top concern for security professionals, our new study, Managing Insider Risk Through Training & Culture, found. The Ponemon Institute polled more than 600 information security professionals at companies that have a data protection and privacy training program. The study found that while 55 percent of those surveyed have already had a malicious or negligent employee cause a security incident, few are taking adequate steps to improve security from within. Not on the same page One reason for this could be the imbalance between how the IT department perceives employee risk and how the C-suite does. While 66 percent of security professionals view employee-related risk as the biggest security threat, just 35 percent of them say their senior managers share that view. They may also feel less able to catch slip-ups versus intentional acts; security pros are far more concerned that an employee will unintentionally cause an incident than they are about workers potentially perpetrating malicious attacks. Often, companies focus their cyber security efforts on preventing, catching and remedying intentional attacks. And while they can do much to reduce the risk of employees unintentionally causing an incident, few companies are doing everything they can. Less than half (46 percent) of the surveyed companies require cyber security training for all employees, and 60 percent don’t make employees retrain after a data breach. Actionable suggestions for teachable moments The problem of employee-related security risks is not unsolvable. Companies need to take steps to create a culture of security at every level of their organizations. These steps should include: Requiring mandatory advanced-level training for all full and part-time employees and contract workers. Typically, companies that do provide training don’t require it for all employees, or they take a tiered approach that fails to provide all employees with a comprehensive understanding of the risks. Our study found just 43 percent of companies provide only one basic course for all employees. Basic courses often omit significant risks that can lead to a data breach. What’s more, retraining needs to occur on an ongoing basis, as new threats emerge in the cyber security realm. Retraining is especially important following a breach, when employees’ awareness of cyber security risks is highest. Establishing and enforcing a system of carrots and sticks. More than half (56 percent) of companies deal with an employee’s careless handling of data by having that employee meet one-on-one with a superior, and 51 percent have them meet with an IT security person. Less than half (45 percent) give formal reprimands, 19 percent demote the employee, and 16 percent cut salary, bonuses or incentives. However, sticks are only half the solution. Companies also need to incentivize employees to be cognizant of cyber security and few are doing a good job of it. In fact, 67 percent do nothing at all to encourage employees to proactively protect data. Employees should be a company’s greatest asset. With the right training and an ongoing emphasis on cyber security, every member of your corporate team can help reduce your organization’s risk of a negligence-related cyber security incident. Download the report

I am pleased to share the news on this blog that Experian has signed a definitive agreement to acquire CSIdentity Corporation (CSID), a leading provider of consumer identity management and fraud detection services. For the Data Breach Resolution group in particular, this is a major development. It will enhance our capabilities to provide best-in-class identity theft protection services to our clients who have suffered a data breach. When breaches occur, they not only affect the company but also the consumers whose personal information was exposed.  It’s imperative that organizations offer quality protection in the aftermath. With CSID, we can now offer more flexible and tailored product configurations to meet client needs. The acquisition also expands our footprint globally for U.S. companies who have an international reach. Unfortunately, data breaches will continue to occur. Companies must prepare and enlist the best partners to help them through the process. We feel this makes us an even better leader in the industry. For additional details, read our press release. Visit our website for more information about our offerings and how Experian can help you prepare and respond to data breaches.

What difference does $4.40 make? It can’t buy you much on its own, but it can make a world of difference when you’re handling the aftermath of a data breach or other cyberattack. That’s how much cyber insurance protection reduces the per-record cost of a data breach, according to the Ponemon Institute’s 2015 Cost of a Data Breach report. Whether you’re a small business owner with just a few hundred customers or a global corporation with records in the millions, the cost of being without cyber insurance in the wake of an incident can be extreme. When you consider the sheer number of records involved in recent mega-breaches — more than 78 million in the Anthem breach alone — the cost reduction can easily soar into hundreds of million dollars saved. And while smaller businesses may have fewer records to be breached, the impact of an attack can be even more devastating to them than to global entities when they experience a mega-breach. Yet less than one-third (32 percent) of businesses surveyed for Ponemon’s study reported having cyber insurance. The percentage was a bit better when the Risk Management Society (RIMS) asked 284 of its members about cyber insurance; 51 percent reported having stand-alone cyber insurance policies. Even fewer small businesses report having cyber insurance. Just 5 percent of small business owners surveyed by Endurance International Group said they carried cyber insurance, despite 81 percent believing cybersecurity is a concern for small business. Those who have cyber insurance clearly understand its value. RIMS members said they bought policies to: Reduce the risk of an incident damaging their company’s reputation (79 percent). Minimize the potential impact of business interruption (78 percent). Aid in data breach response and notification (73 percent). What’s more, of the RIMS members who didn’t have cyber insurance, 74 percent said they were considering buying it within the next 12–24 months. While small business owners also appear aware of the risk, they seem less cognizant of the benefits of cyber insurance and other cybersecurity measures. Endurance found that although 94 percent of small business owners said they do think about cybersecurity issues, and nearly a third have experienced an attack or an attempt, just 42 percent have invested in cybersecurity in the past year. A widely reported study by the National Cyber Security Alliance asserts that 60 percent of small businesses that experience a data breach go out of business within six months. Cyber insurance premiums vary widely and are largely tied to a company’s revenues and exposure. Policies typically aim to address risks commonly associated with a cyberattack, including: Liability for loss of confidential information that occurs through unauthorized access to a company’s computer systems. Data breach costs including notification of affected consumers, customer support and providing credit monitoring to affected customers. The costs of restoring, improving or replacing compromised technologies. Regulatory compliance costs. Business interruption expenses. Of course, like virtually any other type of insurance, cyber insurance policies can be customized to address the risks facing the individual policy holder. Many in the insurance industry feel that cyber insurance products have matured, evolving into a type of protection that businesses both large and small simply can’t afford to do without. When you consider the devastating risk of facing a cyberattack without insurance, that simple per-record cost savings of just $4.40 takes on a much deeper meaning. While more large companies are seeing the value of cyber insurance, small business owners need to begin incorporating this valuable type of protection into their overall cyber security plans. Learn more about our Data Breach solutions

Our second annual data breach preparedness study, Is Your Company Ready for a Big Breach?, conducted by the Ponemon Institute, reveals good news and bad news for businesses concerned with data security—and that should be all business. First, the good news: more companies are acting to address data breach risks. The majority (73%) of organizations now have a data breach response plan in place – 12 percent more than in 2012. And nearly half (48%) have boosted investment in security technologies in the past 12 months, aiming to better detect and respond to a data breach. Now, for the not-so-good news: they’re not doing enough, and don’t have confidence in the effectiveness of their current measures. Survey results illustrate that not everyone is taking all the necessary steps to prepare for a data breach: A majority of 78 percent don’t regularly update their data breach response plans to address evolving threats. About two-thirds don’t have trained customer service staff who can respond to customer questions, concerns or complaints if a breach occurs. Only 29 percent of companies involve the CEO in dealing with security risks. Nearly three-quarters don’t have cyber insurance policies. Just 44 percent conducted a technical impact assessment to understand potential fallout from an incident. Less than a third had SIEM systems to facilitate early detection of an incident. 66 percent lack Mobile Device Management (MDM) to protect sensitive information from being pushed to mobile devices. Those who have made provisions don’t necessarily feel more secure because of them: 62 percent don’t feel their organizations are prepared to respond to a data breach. 49 percent didn’t feel they were prepared to respond to the theft of information that would require notification to victims and regulators. Just a quarter were confident they could communicate about a breach and manage customer needs. 40 percent worry about the potential for a third party losing their data. Insider threats concern 56 percent, with 43 percent citing BYOD and cloud services as their top two internal threat concerns. As to post-breach response, we are pleased to see however that companies are well aware of the importance of providing customers involved in a breach with identity theft protection products and access to a call center; in fact, they cited those two as the most important services companies could provide post-breach. Many of the concerns companies expressed over data breach preparedness and response – and in particular, worries over customer communication and regulatory compliance – can be addressed by preparing a response plan and practicing the plan on an ongoing basis.  It’s also important to secure external partners such as legal counsel and a public relations firm, and make a selection of a quality identity protection product to offer affected customers ahead of time.  When a breach occurs, the complete response team and moving parts are ready to allow for a quick and smooth response. Learn more about our Data Breach solutions

Data breach notification letters serve multiple purposes. They ensure a breached company is compliant with data breach notification laws, they alert consumers to the breach and their involvement in it, they can warn customers of potential identity theft risks and educate them on how to cope with those risks. The one thing no company wants its notification letter to do, however, is make the recipients any more upset than they already are. Yet that’s the reaction many consumers reported upon having received data breach notification letters, according to the study “The Aftermath of a Mega Data Breach: Consumer Sentiment.” Conducted by the Ponemon Institute on behalf of Experian Data Breach Resolution, the study provides some eye-opening insights into how consumers feel and what they do after receiving a breach notification letter. To put consumer sentiment in perspective, consider these revelations from the study: Among those polled, 63% said they felt the breached company should offer consumers identity theft protection by way of compensation, yet just 25% of people who had received a notification letter said were offered identity theft protection in that letter. The financial impact of the data breach was less significant for consumers than the emotional aspects. 81% of data breach victims said they had not out-of-pocket costs because of the breach. Conversely, 76% said they experienced stress as a result of the breach. Consumers ranked a data breach as the third-most damaging event for a company’s reputation. Only poor customer service and an environmental incident (e.g. an oil spill or pollution) were seen as more damaging. Other than getting stressed, what, then, do consumers do after they’ve received a data breach notification letter? Most do little or nothing at all, which should be just as concerning to companies as the customers who end their business relationship with a company in the wake of a data breach. More than half (55%) said they did nothing to protect their identities after receiving a notification letter, and 32% ignored the notifications and did nothing at all. This may seem counter-intuitive considering that the majority (77%) were at least somewhat to very concerned about becoming an identity theft victim because of the breach. Perhaps if these customers had been offered free identity theft protection in the notification letter, they would have accepted the offer. These survey results underscore the need for companies to send strong, informative and compassionate data breach notification letters – and to offer consumers identity theft protection as part of the company’s data breach response. Learn more about our Data Breach solutions

When a data breach occurs, laws and industry regulations, dictate when and if you need to notify consumers whose data might have been compromised. However, many consumers would also probably argue that you’re morally obligated, to notify them of data loss; they want you to tell them of the breach and to do so in a courteous, straightforward manner. Because of this, a breach notification letter is an integral piece of a firm’s breach response as these often are the first inkling consumers have that their information may have been compromised, and their identities might be at risk. It’s imperative those letters be efficient, effective – and perhaps most importantly – humane. A 2014 study by the Ponemon Institute and Experian Data Breach Resolution indicates consumers feel there’s room for improvement in data breach notification letters. The survey polled people who had received a data breach notification letter. Sixty-seven percent of those surveyed said they want letters to better explain the risks and potential harms they may face as a result of the breach, 56 want the letter to disclose all the facts, and a third didn’t want the letter to “sugar-coat” the situation. A quarter wanted the letters to be more personal. The Experian Data Breach Resolution team has vast experience with breach notification letters and data breach notification regulations. In our experience, here are the five most common and egregious errors to avoid when sending a data breach notification letter: 1. Keeping the consumer in the dark about the details. Customers will want to know what information was compromised in the breach. Was it their Social Security number? A credit card number? Their home address? Consumers can’t protect themselves from further harm if they don’t know exactly what’s at risk. Don’t leave them guessing. Tell consumers exactly what information was compromised in the breach. 2. Speaking “legalese.” Reverting to legalese – highly complex verbiage largely understandable only to lawyers – is a defense mechanism for companies, and it doesn’t really help the consumer. Twenty-three percent of those polled by Ponemon said the letter they received would have been better if it had less legal or technical language. Keep letters short, factual and simply worded so that the average Joe or Jane can understand them. 3. Leaving out the ramifications and risks. It’s not enough to simply tell consumers they’ve been involved in a breach. It’s not even enough to tell them what information has been compromised. To truly empower them to protect themselves from further harm, you need to alert consumers to what those risks may be. Consider the type of data that was lost, then explain the risks that can be associated with that type of data loss. 4. Failing to offer an olive branch. Whether the breach was your fault or not, consumers will hold you responsible and they will feel they should get some kind of compensation for all the grief the breach will cause them. Providing breached customers with an identity protection product not only helps protect them, but it shields your company’s reputation, too. In the Ponemon study, 67 percent of consumers said they felt companies should offer some form of compensation – whether cash, product or service – to consumers caught in a data breach. Sixty-three percent said the company should offer them free identity theft protection and 58 percent wanted free credit monitoring.  Interestingly, 43 percent also said a sincere and personal apology might help convince them to keep their business with the breached organization.. 5. Failing to seize the chance to rebuild trust. There’s no question that a data breach undermines customer trust. Some customers will leave a breached company. Among polled customers who remained with the breached company, inertia seemed a major factor in their decision not to go elsewhere; 67 percent said they stayed simply because it was too difficult to find someone else to offer the same products or services. Less than half (45 percent) said they stayed because they were happy with how the company handled the data breach. Breach letters are actually an opportunity to begin rebuilding trust. Explain to consumers what you’re doing to reduce the risk of future breaches, and how you’re taking steps to help protect them from further harm. Despite your best efforts, a data breach can occur. When it does, the data breach notification letter is your all-important point of first contact with affected consumers. Craft it well and the letter can be a valuable tool for mitigating reputation damage and rebuilding trust. Learn more from our Knowledge Center

An employee who never uses a mobile device – personal or company-supplied – for business purposes is becoming a rare creature, indeed. Use of mobile devices is prevalent across virtually every industry, and the convenience and flexibility these devices offer professionals can be great for business. Provided, that is, those devices are secure. Mobile devices continue to be a significant source of data breaches, and a particular concern for anyone engaged in cyber security, according to eSecurity Planet’s Data Breach Roundup. Mobile-related data breaches stem from a range of circumstances, including loss or theft of devices, failure to use anti-malware, or failing to password-protect a device being used for business purposes. Devices can put your data at risk if an employee stores any proprietary information on a mobile device, or if workers use unsecured devices to access your network – even if you’ve taken steps to secure the network itself. Managing mobile devices can be one of the most challenging aspects of your overall cyber security program, but it’s imperative and – fortunately – not impossible. Minimizing mobile device risks CTIA, The Wireless Association, offers some guidelines for mobile device cyber security in its whitepaper “Today’s Mobile Cybersecurity: Blueprint for the Future.” The organization points to five cornerstones of mobile cyber security: Education about the importance of mobile security Devices with security features like anti-malware and anti-spam settings Strong, enforced network security policies Authentication for all network users Secure connections, from cloud to network Many tools exist to help your organization ensure secure footing on each of those cornerstones. CTIA cites options like risk management, security policies and monitoring. We would add to that list, and emphasize the importance of a data breach response plan that addresses the specific challenges and risks associated with a mobile-spurred data breach incident. While your organization can take strong, reasoned steps toward minimizing risks, it’s equally important to be ready to respond when a breach occurs. Mobile device security is sure to be a growing issue throughout 2014, as more people than ever use smartphones, tablets and other mobile devices to work more efficiently. With the right precautions, you can help ensure your employees work safely, as well. Learn more about our Data Breach solutions

The purpose of any type of insurance is to protect your most valuable assets. To combat the prevalence of cyber attacks and data breaches, an increasing number of businesses in the health-care, financial services and technology industries have purchased cyber insurance policies to protect themselves from the crippling cost of a data breach.  This is especially popular among start-up tech companies in Silicon Valley in order to safeguard their intellectual property (IP) since their IP is the backbone of their livelihood1.  Since small businesses generally don’t have a risk manager and IT department dedicated to data security, a good cyber insurance policy can help mitigate cyber security risks. Although accepted in some sectors, cyber insurance is still not an established part of many companies’ IT data security strategies.  This is commonly due to a lack of agreed risk management standards and the challenge of substantiating and quantifying losses, in addition to finding objective data to back up cyber insurance claims.  Some security experts feel that the federal government needs to kick start growth in this market by requiring government contractors to purchase cyber insurance to set a standard for other businesses, sending a message that any company who has cyber security insurance is a signal that the company is competently managing its data security. As the cyber insurance industry evolves, here is a list of what the policies generally cover and what to look for: First-party claims – Costs incurred by the loss of trade secrets and intellectual property. Third-party claims – Damages a business must pay to customers who sue them for lost or compromised personal information. Business interruption coverage – In the event a data breach incident prevents the company from operating or functioning, the company would receive payment reimbursement for expenses incurred due to loss of business. A forensic IT investigation – Policies can cover the cost of an examination into how the data breach occurred and some may even cover the costs of regulatory fines and penalties in addition to the crisis management control which includes data breach notification letters. Security professionals stress that cyber insurance is not meant to be a substitute for data protection and security policies.  In fact, before underwriting a policy, an insurance company will be hyper vigilant in determining that their customers have proper protections and policies in place since the insurance company will want to reduce its own risk. And since insurance has been a positive influence on other industries to improve performance and safety due to risk mitigation, the theory is if a company has cyber insurance, the hope is they will implement proper preventative measures to ensure that they will never have to use it. Learn more about our Data Breach solutions  1http://www3.cfo.com/article/2013/4/data-security_cyber-attacks-cybersecurity-liability-insurance-smb-growth-companies-risk-hogan-lovells

Outsourcing can be risky business. The Ponemon Institute reports that 65% of companies who outsourced work to a vendor have had a data breach involving consumer data and 64% say it has happened more than once.  Their study, Securing Outsourced Consumer Data, sponsored by Experian® Data Breach Resolution also found that the most common cause for breaches were negligence and lost or stolen devices. Despite the gravity of these errors, only 38 percent of businesses asked their vendor to fix the problems that led to the breach and surprisingly, 56% of the companies learned about the data breach accidentally instead of through security protocols and control procedures. These findings come from a survey of 748 people in a supervisory (or higher) job who work in vendor management at companies that share or transfer consumer data mainly for marketing, finance and outsourced IT operations including cloud services and payment processing.  The survey also polled the vendors and 57% of them reported that they in turn, outsourced work to a third party.  23% of vendors could not tell how often data loss happened which is a sign that they don’t have proper procedures and policies in place to know when incidents occur.  When asked about their data breach notification practices, only 16 percent of vendors said they immediately notified their client after the breach investigation with 25 percent saying they don’t even tell clients about breaches of data.   Keeping all work and information in house is not feasible in today’s multi-corporate companies, and outsourcing is a business reality, however, all parties have a responsibility to protect the sensitive and confidential data that is entrusted to them.  When outsourcing consumer data to vendors, here are a few guidelines companies need to follow to safeguard the information: 1. Make sure you hold vendors to the same security standards as your own in-house security policies and practices. 2. Make sure the vendor has appropriate security and controls procedures in place to monitor potential threats. 3. Audit the vendor’s security and privacy practices and make sure in your contract with them, the vendor is legally obligated to fix data problems should a breach occur including notifying consumers. 4. Monitor the security and privacy practices of vendors you work with especially if you share consumer data with them. 5. Require background checks for vendor employees who have access to confidential information. The goal of this study was to better understand what companies are doing to protect consumer data they outsource and where improvements could be made to insure privacy and security when sharing private information with third parties.  The solution seems to be that all parties must first agree that data privacy and protection is paramount and then work toward the mutual goal of achieving responsible privacy and security practices. Download the Securing Outsourced Consumer Data report

In today’s data driven world, information is king. So if you are not armed with the same information as your competitor or worse, experience a data breach, an information imbalance can occur that puts you at a disadvantage. In the public sector, an information imbalance is also known as an “asymmetric threat” and can dramatically threaten a country’s national security.  The most famous recent example of an asymmetric threat experienced by the United States is 9/11.  The 9/11 Commission Report found that the U.S. government had enough intelligence to reveal Al-Qaeda’s plot but due to a deficient process that prevented information to be connected and shared properly between its intelligence and national security departments, the U.S. was unable to stop Al-Qaeda’s horrific acts of terrorism.  These findings prompted the U.S. government to change how it collects, processes and analyzes information resulting in technical and behavioral modifications especially regarding cybersecurity issues.  In addition, in order to address the problems of information imbalances, the U.S. military devised a policy called “Information Superiority,” defined by The Department of Defense (DoD) as “the ability to develop and use information while denying an adversary the same capability.”  Basically, having access to more information than your enemy and possessing the ability to use that information to your advantage. The goal of achieving Information Superiority is to gather intelligence that can then be used to execute in ways that will put you in an advantageous position. The public sector’s adoption of Information Superiority can be duplicated in the private sector especially as businesses recognize the competitive edge of gathering information on their competition. By using the concept of Information Superiority, companies can adopt methods of gathering information and sharing it with the right people at the right time to create a competitive advantage.  Employing Information Superiority policies similar to the ones used in the public sector can also help businesses achieve important goals such as increasing profits and reducing costs because when executives have  access to consumer data and other forms of intellectual property, they can make better informed fiscal decisions.  Information Superiority can also help businesses optimize risk and reduce the impact of cyber-threats.  By identifying where their most sensitive data resides, companies can design data protection and security systems to ward off cybersecurity threats. These are just some examples to illustrate how Information Superiority can benefit the private sector. The bottom line is companies that proactively collect and use information to ward off threats, will ultimately outperform their competitors. Learn more about our Data Breach solutions

While technology undoubtedly has made accessing medical information much easier and faster, it also has also provided an increased potential for medical data breaches especially as health personnel begin to use unsecure mobile devices for personal and work use.  With an increase in health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy.  However, many companies have failed to implement mobile data breach protection, breaking the HIPAA Security Rule which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of electronic patient health information maintained by their organization.  Companies are required to use the information gathered from the analysis to take measures to ensure the confidentiality of patient data and to reduce risks to a reasonable level.  If companies don’t comply and there is a data security breach, they can be heavily fined by the U.S. Department of Health & Human Services. Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million in a data breach of patient information when a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen.  Hospital and practice officials were found guilty of violating the HIPAA Security Rule by not implementing data protection and security on their mobile devices.  The loss of laptops, portable storage gadgets like thumb drives and cell phones have already cost insurance companies, drugstores, medical practices and even a government health and social services department, millions of dollars in fines. Unfortunately, this troubling trend doesn’t just affect the medical industry.  In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practices. The data revealed that many organizations lack policies addressing mobile cyber security threats. Download our Free Data Breach Response Guide Key statistics from the survey: 84 percent use the same smartphone for personal and work usage. 47 percent don’t have a password on their mobile phone. 51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen. 49 percent said their IT departments have not discussed mobile/cyber security with them. Clearly, companies are not doing enough to protect themselves and their employees from the expensive cost of a data breach.  As mobile devices become popular and less expensive, workers will naturally want to use them for their jobs.  Therefore, it is prudent for companies to adopt business data breach protection and security policies to protect not only their company data but also their pocketbook.

Within the world of cyber security, a great deal of attention has been focused lately on the escalating hazards and frequency of data breaches, with considerable discussion on the high cost of such breaches.  But as the industry has assessed the financial toll of breaches, it has never taken into account how data breaches harm reputations, brand image, and consequently a company's bottom line. Until now. A recently released Ponemon Institute study, sponsored by Experian’s Data Breach Resolution and believed to be the first of its kind, explores the “Reputation Impact of a Data Breach” to provide more context for the full scope of data breaches.  The findings draw enlightening conclusions around the financial toll that data breaches wreak upon harmed corporate reputations, including these key takeaways: Reputation is one of an organization’s most important and valuable assets. Reputation and brand image are perceived as very valuable…and highly vulnerable to negative events, including a data breach. Calculating the value of reputation and brand reveals how valuable these assets are to an organization. The average value of brand and reputation for the study’s participating organizations was determined to be approximately $1.5 billion.  Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $330 million. Depending upon the type of breach, the value of brand and reputation could decline as much as 17 percent to 31 percent. Not all data breaches are equal. Some breaches are more devastating than others to an organization’s reputation and brand image, with the loss or theft of customer information ranked as the most devastating (followed by confidential financial business information and confidential non-financial business information). Data breaches occur in most organizations represented in this study and have at least a moderate or a significant impact on reputation and brand image. According to 82 percent of respondents, their organizations had a data breach involving sensitive or confidential information.  Fifty-three percent say the data breaches had a moderate impact on reputation and brand image and 23 percent say it was significant. Most organizations in the study have had a data breach involving the theft of sensitive or confidential business information. On average these types of breaches have occurred 2.9 times in surveyed organizations, with the theft or loss of confidential financial information having the most significant impact on reputation and brand. Respondents strongly believe in understanding the root cause of the breach and protecting victims from identity theft. When asked what their organizations did following a breach to preserve or restore brand and reputation, the top three steps are: conduct investigations and forensics, work closely with law enforcement and protect those affected from potential harms such as identity theft. The Ponemon study clearly shows that when data breaches occur, the collateral damage of a company’s brand and reputation become significant hard costs that must be factored into the total financial loss. Download the Ponemon Reputation Impact Study

Our guest blogger this week is Tom Bowers, Managing Director, Security Constructs LLC – a security architecture, data leakage prevention and global enterprise information consulting firm. The rash of large-scale data breaches in the news this year begs many questions, one of which is this: how do hackers select their victims? The answer: research. Hackers do their homework; in fact, an actual hack typically takes place only after many hours of first studying the target. Here’s an inside look at a hacker in action: Using search queries through such resources as Google and job sites, the hacker creates an initial map of the target’s vulnerabilities.  For example, job sites can offer a wealth of information such as hardware and software platform usage, including specific versions and its use within the enterprise. The hacker fills out the map with a complete intelligence database on your company, perhaps using public sources such as government databases, financial filings and court records. Attackers want to understand such details as how much you spend on security each year, other breaches you’ve suffered, and whether you’re using LDAP or federated authentication systems. The hacker tries to identify the person in charge of your security efforts.  As they research your Chief Security Officer or Chief Intelligence Security Officer (who they report to, conferences attended, talks given, media interviews, etc.) hackers can get a sense of whether this person is a political player or a security architect, and can infer the target’s philosophical stance on security and where they’re spending time and attention within the enterprise. Next, hackers look for business partners, strategic customers and suppliers used by the target.  Sometimes it may be easier to attack a smaller business partner than the target itself.  Once again, this information comes from basic search engine queries; attackers use job sites and corporate career sites to build a basic map of the target’s network. Once assembled, all of this information offers a list of potential and likely egress points within the target. While there is little you can do to prevent hackers from researching your company, you can reduce the threat this poses by conducting the same research yourself.  Though the process is a bit tedious to learn, it is free to use; you are simply conducting competitive intelligence upon your own enterprise.  By reviewing your own information, you can draw similar conclusions to the attackers, allowing you to strengthen those areas of your business that may be at risk. For example, if you want to understand which of your web portals may be exposed to hackers, use the following search term in Google: “site:yourcompanyname.com – www.yourcompanyname.com” This query specifies that you want to see everything on your site except WWW sites.  Web portals do not typically start with WWW and this query will show “eportal.yourcompanyname, ecomm.yourcompanyname.” Portals are a great place to start as they usually contain associated user names and passwords;   this means that a database is storing these credentials, which is a potential goldmine for attackers.  You can set up a Google Alert to constantly watch for new portals; simply type in your query, select how often you want updates, and Google will send you an alert every time a new portal shows up in its results. Knowledge is power.  The more you know about your own business, the better you can protect it from becoming prey to hacker-hawks circling in cyberspace. Download our free Data Breach Response Guide

It seems as though every day the news headlines trumpet another high-profile data breach.  The most recent marquee breach is courtesy of a Sony PlayStation Network hacker, whose attack on the Sony and Qriocity servers between April 17th and 19th have compromised the personal data and, possibly, stored credit card information of 77 million players.  (Yes, you read that right; 77 million.)  Combine that with other recent cyber-heists affecting millions of unsuspecting consumers or residents, and many organizations have been forced to send out a dizzying array of email notifications to their customer base, many – if not all – of whom are now vulnerable to spear-phishing attacks. With numerous different breaches affecting so many people as of late, millions of consumers are receiving emails from trusted brands noting that customer emails (and perhaps other information) have been compromised, so consumers should be wary of future emails that may appear to be sent from them…like the one they’re reading now. Got that? This begs the question of whether customers are starting to tune out to the onslaught of breach alerts flooding their email in-boxes. Some security gurus believe that notifications aren’t effective and customers become numb to these alerts.  Others are convinced that breach information overload is a good thing, educating people to the dangers lurking in the cybershadows and their vulnerability to identity thieves.  After all, how do you know to watch out for email “bait” if you’re not aware there’s a phishing hook with your name on it? Furthermore, the flip side of over-notification is under-notification.  This is something that Sony is now being accused of in a lawsuit that claims the company waited too long to notify its PlayStation customers of the recent breach, which only exacerbated customer vulnerability to credit card fraud. The irony is that while the dramatic breaches of late have been stealing headlines (as well as data), a 2011 Data Breaches Investigations Report by Verizon indicates that total thefts from data breaches have in fact declined significantly over the past few years.  The total number of records actually compromised from these breaches was a “mere” 4 million in 2010, quite a drop from the 144 million records compromised in 2009, and the 361 million compromised records in 2008.  The bad news?  If you look at actual data breaches versus compromised records, the numbers this year are up; 760 breaches last year, an increase from 141 in 2009. The bottom line: while fraudsters haven’t been able to recently score as much cyber-loot as in times past, this is no time to relax. Just be aware that with the steep increase in breaches comes an equally steep increase in breach notifications, and the associated risk that breach notification fatigue will put your customers to sleep. Learn more about our Data Breach solutions