Since 2014, Experian has released an annual forecast of security trends and emerging risks for security professionals to heed as they enter the new year. Published at the end of November, we anticipated 2017 would see the "death of the password;" nation-state cyber-attacks move from espionage to war; healthcare organizations hit with increasingly sophisticated techniques; payment-based attacks occur despite the EMV liability shift; and larger, higher-profile international data breaches emerge. Now half way through the year, I can unfortunately say we haven’t been disappointed.
Drawing directly from my experiences helping clients overcome attacks in 2016, I felt anxious about 2017 and putting pen to paper on such substantial predictions for the year. However, it was impossible to ignore that our nation was at a tipping point. The new president and country’s cybersecurity agenda were undetermined, nation-state attacks on the Democratic National Committee were being attributed to the Russian government and the largest known hack of user data was discovered, compromising 1.5 billion Yahoo accounts. What could possibly follow those opening acts?
Now more than ever, it’s pertinent that businesses and consumers take their security seriously. The number of data breaches is increasing at a record-breaking speed – reaching an all-time high of 4,149 incidents worldwide and 1,093 in the U.S. last year alone (a 40 percent hike from 2015) – and we must do our part to stop the uptick from continuing.
The first step is awareness. Through Experian’s forecast, we want to shed light on the emerging risks businesses must prepare for, and for that same reason, it’s vital we reevaluate the predictions mid-year. Below are a few 2017 predictions that remain of biggest concern, as well as a few new issues we’ve seen emerge in the first half of the year that will continue to plague companies.
Healthcare Organizations Continue to be the Top Sector Plagued by Cyber-Attacks
Year after year, the healthcare sector remains a focal point for hackers because of the high value of medical information available (think: SSNs, policy numbers and billing information). The scary reality is that despite industry chatter and awareness around this threat, cyber criminals continue to be successful. Why? Bottom line is that most healthcare organizations lack the resources to properly manage cyber-attacks and threats, and fail to keep up with the constant development of cyber criminals’ sophisticated techniques.
For 2017 specifically, we predicted a focus on ransomware, the targeting of electronic health records (EHR) and mega breaches expanding from healthcare insurers to hospital networks. All have proven to be true.
Just last month, the largest cyber-attack ever hit more than 150 countries, and one of the biggest victims was Britain’s National Health Service (NHS). The attack was caused by “WannaCry” ransomware and not only infected administrative PCs, but also medical devices themselves. The outcome? Hospitals stopped accepting patients, doctor’s offices shut down, emergency rooms diverted patients and critical operations halted temporarily. According to investigators, the NHS ignored numerous warnings over the last year that its computer systems were outdated and unprotected – a preventable, costly and detrimental oversight.
While not as severe, we’ve seen numerous other attacks this year (e.g. New Jersey Diamond Institute for Fertility and Menopause, Bronx-Lebanon Hospital Center and ABCD Children’s Pediatrics) pointing to one large takeaway: healthcare organizations can no longer afford to be complacent. Attacks are not going to die down and the risk for institutions not properly managing these threats will increase. The time to update security measures and plans is now.
Nation-State Cyber-Attacks Move Not From Espionage to War, But Political Disruption
Over the last two years that we’ve developed this report, the issue of cyber conflicts has remained front and center. Entering this year, we predicted that these threats would move from espionage to active conflict and possibly war between countries.
While we haven’t seen attacks escalate to full-on war, per se, this is an area of active conflict and one focused more so on political disruption. Following this year’s presidential election, for instance, reports claimed that Russia’s President Vladimir Putin directed a sophisticated cyber-attack to weaken the U.S. government and its democratic institutions. Similarly, Senator Marco Rubio argued that his presidential campaign had been a target of Russian cyber-attacks as well, specifically an online smear campaign. Though these efforts were likely escalated around the election, we must acknowledge the power of cyber-attacks as political and offensive weapons.
Beyond these politically-charged incidents, we’ve seen the development of cyber weapons in North Korea, attacks on Saudi Arabia’s state agencies and numerous incidents linked to other countries – attacks on Norway institutions, the Foreign Office and Yahoo tied to Russia, and the massive WannaCry ransomware incident tied to North Korea, just to name a few.
As these threats rise to the surface and additional developments unfold – such as WikiLeaks claim that the CIA can "misdirect attribution" of cyber-attacks to other countries – businesses must remain weary of the volatile cyber-conflict landscape, prepare for disruption and proactively strengthen security measures to protect against large-scale attacks.
International Data Breaches Cause Big Headaches for Multinational Companies
After wrapping up 2016, Experian identified that approximately 10 percent of the incidents serviced by the company involved an international component – and that number is expected to double this year.
Reflecting on the first half of the year, we’ve seen international data breaches of all sizes like the TalkTalk scam targeting a number of UK and international companies, the Wonga data breach impacting thousands of customers in the UK and Poland, and the O2 hack that wiped out some German customers’ bank accounts.
There’s no doubt that these breaches are causing “headaches” for the multinational companies tasked with responding and notifying customers in various regions. Unfortunately, the pressure to manage an international breach will only heighten for businesses as we inch toward the implementation of GDPR next May.
The fact of the matter is that preparing for and responding to a global incident is far more complex than a domestic one. Varying notification laws and regulations (and complicated ones at that), diverse cultures and differing views of privacy must be accounted for. To prepare, companies with an international footprint should familiarize themselves with the specific requirements in each area of operation, proactively identify and engage appropriate authorities, and practice data breach response scenarios regularly.
New Risks to Have on Your Radar
Looking ahead to the remainder of the year, the first half of 2017 presented a few new trends and threats that I expect will continue to plague companies.
For starters, the industry has taken note of a worrying decline in the number of data breaches requiring consumer notification. While this may sound like a positive shift, the concern is that attacks are not actually slowing down. According to the Identity Theft Report Center, 647 events have been reported this year as of May 17, exposing more than 10 million records. So, what does this mean? Simply put, businesses are moving toward the mentality of not notifying consumers unless legally required.
If the risk of harm is low enough, for example, notifying consumers is not mandatory and companies are taking advantage of such nuances to avoid reputational and revenue loss; however, this is not a responsible or respectable approach. Consumers deserve to be notified, and doing so instills a level of confidence and trust between customers and businesses.
In addition to improving notification activity, companies must keep these threats on their radar:
- Sophisticated phishing scams. Phishing attacks continue to impact thousands, most notably targeting W-2 forms this tax season. Beyond tax fraud, phishing techniques have made a resurgence via business email compromise. Also known as “CEO fraud” or the “man in the middle” scheme, scammers trick employees into transferring company money to a criminal’s bank account by posing as a known, company executive. To date, it’s reported that actual and attempted losses total more than $3 billion. It is vital that all businesses strengthen their data protection and privacy training programs to help employees to recognize and report phishing attempts, and protect businesses from further harm.
- Targeting of small businesses. We are seeing a particularly troubling trend of complacency among small businesses. As mentioned in my column post last month, small businesses tend to fall under the false impression that criminals only target large or even medium-sized companies for the higher potential payout. This is simply not true. Nearly half of all cyber-attacks target small organizations. In addition to protecting against spear phishing attacks, small businesses with limited resources and technology should move company data to the cloud and take advantage of cyber insurance immediately.
- “Star power” hacks. In April, a hacker released the upcoming television season of “Orange Is the New Black” as Netflix failed to meet its ransom requests. One month later, Disney was targeted and threatened by hackers over an early release of the new Pirates of the Caribbean film. Hackers recognize the opportunity to see their name in lights, so to speak, when infiltrating media companies, celebrities and big names at large. As we saw in 2016 with the high-profile attack on Ashley Madison, hackers are motivated by gaining this type of attention and securing “bragging rights.” Organizations and people in the limelight must prioritize their security and ensure the appropriate protocols are in place to prevent and respond to an attack.
- Ransomware on steroids. Last, but most definitely not least, companies should brace themselves for the continued resurgence of ransomware. The recent WannaCry ransomware catastrophe is likely just a preview of what’s to come. To prepare for the potential of further fallout and additional mega-breaches, companies must keep all equipment up to date with the latest software, ensure cyber insurance plans cover ransomware, create backups of critical files, and above all else: prepare, prepare, prepare.
While the remainder of 2017 may feel daunting, this is only to serve as a reminder – if not extra incentive – to stay on guard, bolster up data breach response plans and prepare to face the (un)expected.
About the Author:
Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at michael.bruemmerSIW@experianinteractive.com.