Last year was a banner year for high-profile data security breaches with Sony, Target, Home Depot, and JP Morgan reporting attacks. This year will be no different. Cybercriminals and malicious attackers have an extensive wish list that includes personally identifiable information (PII), payment card data, medical records, and other sensitive data. As cyberattacks become more prolific and publicized, it’s easy to conclude that the question becomes not if, but when information will be compromised. We can help you stay one step ahead.
What’s Driving the Surge in Data Breaches?
It’s simple. Stolen data is extremely profitable.
For example, a medical record can sell in the black market for as much as $50. Credit card account numbers sell for anywhere between 50 cents and $20 depending on the card brand, the country it comes from, and how recently the card data was stolen. Other PII, such as social security numbers, can sell for $1 per record. As seen here, medical records have a far greater value than other information. Criminals can continue using or selling this protected health information even after the victim knows it’s been compromised, as opposed to credit card information, which can be quickly devalued by canceling the credit card.
Using Hindsight as Defense
So what can be done to stave off an attack and protect your sensitive and critical business data (and avoid being tomorrow’s high-profile data-breach story)? Below, we illustrate how you might avoid an attack with some real-life examples of high-profile data breaches.
United States Department of State and White House
What happened: An intrusion into the State Department email server, believed to be a Russian state-sponsored attack, served as the jump-off point for attacks on the White House’s unclassified network, which included real-time nonpublic details of the POTUS’s schedule.
The White House intrusion began with a phishing email that originated from a State Department email account that was compromised.
Hindsight: Security awareness training detailing how to recognize email phishing tactics may have helped prevent the attack. Phishing is a popular hacking method that uses a fake email to trick the recipient into downloading malicious software, such as a remote access tool or key logger. It takes advantage of what’s known to be the weakest point in any cybersecurity approach: the human factor.
Anthem Health Insurance
What happened: A database containing information on 80 million customers and employees was compromised by an individual exploiting IT staff credentials. Stolen personal information included names, dates of births, medical identifications, and social security numbers, among other items.
Hindsight: Better controls around user authentication and system patching could have prevented this data breach and theft. Multifactor authentication is a means of identifying yourself to a system or network using two of the following: something you are, something you know, and something you have. A typical user name and password combination involves the first two elements, but is still highly susceptible to password cracking attacks. Adding the third element—something you have, such as a one-time password token—significantly reduces the probability of a successful attack.
Mandarin Oriental Hotel Group
What happened: The point-of-sale systems in a number of hotels in the US and Europe were infected with malware capable of stealing customer card data. The breach is still being investigated by the Mandarin Oriental, law enforcement, and forensic investigators. The hotel group is communicating any news about the breach to its customer base, as required by federal and state regulations. This open communication also helps an organization manage its reputation and retain customers.
Hindsight: It appears that better malware protection on the point-of-sale systems used at the hotels was needed in order to detect and neutralize any type of malware infection. Antimalware or antivirus software can be installed on computers to monitor, detect, and eliminate malware infections. This software should be installed on servers and workstations, and should be kept up to date with daily, even hourly downloads of new definition files from the software vendors to detect new variants of malware that appear daily.
Additional Protective Measures
There are other protective measures that an organization should apply in order to protect its sensitive data.
Penetration Testing. This is a pre-emptive step to identify the weak points in your network and systems before the hackers do. Penetration testing is essentially hacking, but performed ethically by a specialist. It serves as a quality assurance step after changes are made to networks or systems to check if there are any vulnerabilities that could be exploited and result in a security breach. Some regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), require penetration testing as part of a service provider’s and merchant’s annual validation of compliance.
Due Diligence with Third-Party Hosting Services. If you use cloud-based or third-party hosting services or services that help manage an aspect of your technology environment, such as firewall management or data backup, then you should ascertain the protections and security measures the vendor has in place in order to protect clients’ data.
Request Audits. Attestation reports on controls—an SSAE 16 or ISO 27001 audit by an independent and objective firm that specializes in technology audits—should be requested and reviewed before entering into an agreement with the service provider and giving them access to your sensitive data. In addition, the contract between your organization and the service provider should include language that allows you to conduct audits of their hosting environment and adherence to any data security regulations to which your organization is subject.
In the Unfortunate Event of a Breach
If your organization does experience a data breach, there are immediate steps that should be taken to stem the damage and minimize the impact.
Exercise Your Security Incident Response Plan
Many organizations have not developed an incident response plan for a data breach, yet having one in place is instrumental in alleviating the pressure of making decisions following a breach, when time is of the essence.
A typical security incident response plan should include the following components:
- Roles and responsibilities
- Trigger incidents
- Technology environment overview, including a network diagram, containment procedures, eradication and cleanup procedures
- Communications protocols
- A call list, including key vendors the organization is dependent upon for technology support
A Fresh Set of Eyes
This perspective often comes from a third party that specializes in computer forensics or post-attack analysis; the FBI has a division that investigates cybersecurity breaches, for example. The objective is to reveal clues or leads, and offer external assistance when IT staff, who are often too close to the situation, might get bleary-eyed and lose focus.
Know Your Notification Responsibilities
Federal and state-specific regulations mandate that affected parties be notified of any data breach that involves their personal information. It’s important to know what your organization’s obligations are from a compliance standpoint to avoid potential monetary penalties, fines, and lawsuits.
Call Your Insurance Carrier
Contact your insurance agent immediately upon stabilizing the situation, and determine what’s covered, which may include legal issues, public relations and communications, notifications to external parties, forensics activities, and the overall response effort. Also, determine if theft of proprietary information is covered, particularly if you have a lot of intellectual property.
Develop Remediation Plans
After the situation has stabilized, many organizations fail to learn from their mistakes and don’t implement the controls or protections necessary to prevent a future attack or at least minimize the risk of a successful attack. Developing a remediation plan to address the risk and implement stronger controls and protections is essential to ensuring a similar attack does not occur in the future.
Include Security Protocol and Controls in Your Business Processes
Practice securing data throughout its life cycle. This means considering protections and security controls that should be in place once the data is acquired, when it goes through processing, where it gets stored, and when it’s transmitted or moved.
We're Here to Help
A data security breach is never a good thing. While the threat and risk of a breach will persist, there are important measures you can take to help minimize risk exposure and impact. Instituting regular security awareness training, conducting due diligence on service providers, and performing regular penetration tests can be instrumental to reducing the risk of a breach. Staying aware of evolving cybersecurity threats will go a long way to enhancing your organization’s security posture while keeping you out of the headlines. For more information, contact your Moss Adams professional.