Over the past year, the frequency and sophistication of security incidents advanced at what felt like breakneck speed. With more and more information shared and hosted online, it is essential that companies shore up their data breach preparedness.
So as we head into 2016, it is important that business leaders take note of emerging data breach trends and update their response plans accordingly. While traditional data breach threats remain, the landscape has changed with some hackers now targeting organizations for different types of information that could be used for extortion or cause reputational harm.
To help organizations prepare, outlined below are five predictions from our Data Breach Industry Forecast for what we can expect in 2016.
1). The EMV Chip and PIN liability shift will not stop payment breaches.
October 1, 2015 marked the official liability shift date for U.S. vendors to adopt EMV chip and PIN compatible payment terminals, but only half of executives in the payments sector believe chip and PIN will actually decrease the risk of a breach. Why? Executives are skeptical because the value of payments data is incredibly high. When attackers are faced with a road block – like EMV chip and PIN – it is likely they will look for other ways to steal this information that doesn’t involve point-of-sale systems. For example, the European Union adopted EMV years ago but instead of completely deterring payment breaches, the shift simply inspired hackers to focus on online transactions where cards don’t need to be present.
It is important for companies and consumers alike to realize new payment technologies are not a silver bullet for payment-related breaches and fraud. If anything, it’s possible that retail e-commerce sites will bring the next wave of attacks. We’ve already started to see glimpses of this with the recent attacks on online photo services from retailers.
2). Big healthcare hacks will make the headlines but small breaches will cause the most damage.
While large breaches may be compromising millions of people’s records in one fell swoop, smaller healthcare incidents will actually cause more damage collectively. These breaches are often caused by employee negligence and mishandling of paper records.
This trend is driven by the high value compromised data can command on the black market, and the continued digitization and sharing of medical records. Medical records are worth up to 10 times more than credit card numbers on the black market, and smaller healthcare organizations are appealing targets for hackers because they are less likely to have complex security and privacy preparedness systems in place. It’s important that health organizations not only continue to invest in up-to-date security technologies, but also focus on training employees on proper data handling practices on a regular basis.
3). Cyber conflicts between countries will leave consumers and businesses as collateral damage.
As nation-states continue to move their conflicts and espionage efforts to the digital world, we are likely to see more incidents aimed at stealing corporate and government secrets or disrupting military operations. For example, the U.S. Director of National Intelligence ranks cybercrime as the top national security threat, ahead of terrorism, espionage and weapons of mass destruction.
What’s alarming here is that according to research from The Wall Street Journal, more than 60 countries have or are developing tools for computer espionage and attacks, and 29 countries now have formal military or intelligence units dedicated to cyber efforts. Looking ahead, we could see an increase in large public sector data breaches that may expose millions of personal records in the process, similar to the Office of Personnel Management breach earlier this year.
4). 2016 U.S. presidential candidates and campaigns will be attractive hacking targets.
Any time there is a major activity or event, leaders involved should prepare for a data breach. With the looming 2016 U.S. presidential election dominating media coverage, it is likely that one of the presidential candidates, their campaigns and/or a major donor bases will be hacked.
This type of attack is not new – Republican Vice Presidential Nominee Sarah Palin’s person email was hacked during the 2008 elections – but campaigns are increasingly won and lost online so the potential for a politically-motivated attacker to take aim has grown tremendously. Political organizations and campaigns should ensure that they are securing their systems and have incident response plans in place.
5). Hacktivism will make a comeback.
In 2016, we expect to see a resurgence in hacktivist activities, motivated by causing reputational damage to a company or cause. In fact, we are already seeing this prediction come true. In the aftermath of the tragic terrorist attacks in Paris earlier this month, Anonymous responded aggressively by publicly ‘declaring war’ on ISIS and vowing that the group ‘would use hacking to weaken ISIS.’ Just days later, Reuters reported that Anonymous identified 39,000 pro-ISIS accounts and reported them to Twitter, which supposedly took down 25,000 of those accounts.
Businesses are not immune from these type of attacks either, as evidenced by the Ashley Madison attack last year. We believe that any organization or group with a polarizing or controversial standing should be prepared for the possibility of an attack for the purpose of harm to the organization and/or its constituency. It is imperative that organizations prepare to respond to this type of incident, and rethink their data breach response plans to ensure all scenarios are accounted for, including extortion.