Data Breaches: The Evolving Threat 9/19/2017

By Matt Dougherty, Marsh & McLennan Agency – Houston

When I was growing up, you could leave your front door unlocked at night, park your bike outside the grocery store without a care, and never worry about people rifling through your trash to steal your mail. Sadly, threats to our physical and financial security have evolved over the years, as has the nature of the crimes. In addition to potential break-ins at our home or place of work to steal tangible goods, like jewelry and computers, we face the growing specter of criminals using sophisticated means to access valuable personal data.

Despite near-constant media reports of data breaches and cyber-attacks against multinational firms like Starwood Hotels, Target and Time Warner, many businesses mistakenly believe they are impervious to such threats. Although hackers previously targeted larger corporations, they now go after small and mid-size firms as well as non-profits with equal abandon, putting every organization at risk. In fact, the cost of data breaches worldwide is expected to top $2.1 trillion by 2019, nearly four times the estimated cost two years ago, according to a 2015 cybercrime report by Juniper Research.

At the same time, not all security threats are related to computer networks. Sometimes, sensitive data is stored in an old filing cabinet or cardboard boxes, and a breach happens when a careless employee tosses outdated documents into the trash. In fact, 75 percent of all data loss is due to human error, the IT Policy Compliance Group reports. Criminals use these weaknesses to their advantage and count on businesses to make wrong assumptions related to their data security:

  • We aren’t a target for attack
  • We don’t have any exposure
  • Our IT department has strong platform controls in place
  • We use third-party vendors to handle our data processing and payments
  • If we have a breach, we can handle it ourselves

The Realities of Data Breaches
Most small to medium sized businesses and non-profits don’t believe they are a large enough enterprise to be a target for the cybercriminal. In truth, the frequency and severity of attacks are on the rise with all entities, no matter their size, industry, or purpose. The 2016 State of SMB Cybersecurity report from the Ponemon Institute notes that 50 percent of SMBs have been breached in the past 12 months. Additionally, as organizations adapt to new threats with more sophisticated IT systems and firewalls, criminals adapt, too, using increasingly creative strategies to “steal with a mouse.”

Other organizations believe they would be of little interest to hackers and identity thieves. Upon closer examination, however, every business holds some amount of sensitive data, whether housed in a filing cabinet or in the cloud, including:

  • Personally identifiable information (PII), such as credit card information, Social Security numbers, driver’s license numbers, banking information, and home addresses
  • Protected Health Information (PHI)
  • Third-party corporate information of clients or vendors

In most states, organizations are legally obligated to protect data that is collected to conduct business, and state and federal regulations typically dictate proper handling of private information. If this information is breached—even if it is handled by a third-party processor—the organization must navigate the different state regulations that mandate how victims must be notified. The cost of forensics, notifications, restitution and improved security measures can be exorbitant, and the reputational damage detrimental. In fact, 60 percent of small businesses fail within six months of a cyber attack, and the hit to consumer confidence when large companies like Home Depot have a data breach can tank earnings.

With this in mind, here are the most prevalent threats to data security that organizations face today, and what you can do to guard against them:

Ransomware – This strategy involves taking a computer network hostage with malware and demanding a ransom for its release. Although terrorist groups use this method to target everything from critical infrastructure to intellectual property and corporate strategies, cybercriminals have discovered that even smaller organizations can deliver a return on their investment. Locking up a company’s ability to process customer orders, communicate internally, or manage payroll is enough for most organizations to say, “Uncle.” The malware can be launched when an unwitting employee opens an attachment or clicks on a link in an email. In many cases, the fees demanded are reasonable, prompting management to send funds so everyone can get back to work rather than solicit outside help. The challenge is that once you demonstrate you’re willing to pay, the hackers keep coming back for more.

Social Engineering – Cybercriminals use this tactic to assume another person’s identity with the goal of obtaining information or gaining access to a person, company or computer system. The most common approach is to trick an employee into mistakenly transferring funds to an imposter or sending other information, such as employee W2 forms, which can be used to file fraudulent tax returns. For example, a hacker may gain access to a mid-size company’s network and read emails for several weeks while lurking unseen. When the CFO sends the president a note with her vacation itinerary, the cybercriminal sees his opening. He creates a near-identical email address, changing the name by one letter, so the eye doesn’t catch it. On her first day of vacation, the CFO sends her assistant an urgent message to wire funds to a vendor’s account to pay for a work order that she forgot before leaving town. The employee transfers the money, unaware that the email wasn’t from her boss at all and the vendor was never in the mix. The funds go into a foreign account, never to be seen again.
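The one-letter lookalike address in the scenario above is something a mail gateway or ticketing rule can screen for. The following is an added example, not code from the article or from Marsh & McLennan Agency: it flags inbound senders whose address is within a couple of edits of a trusted executive's address, or that reuse that executive's display name on an unknown address. The trusted address and the sample senders are constructed.

```python
# Added example: flag lookalike sender addresses of the kind used in the
# wire-fraud scenario above. All addresses here are constructed sample data.

MAX_LOOKALIKE_DISTANCE = 2  # catches one-letter swaps and "rn" for "m" tricks

# Constructed sample: display name -> the executive's real internal address.
TRUSTED = {
    "Jane Doe": "jane.doe@example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(display_name: str, address: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an inbound sender.

    'lookalike' means the address is a few edits away from a trusted
    executive's address, or the message borrows that executive's display
    name while coming from an address we do not recognise.
    """
    address = address.strip().lower()
    if address in {real.lower() for real in trusted.values()}:
        return "trusted"
    for name, real in trusted.items():
        if edit_distance(address, real.lower()) <= MAX_LOOKALIKE_DISTANCE:
            return "lookalike"
        if display_name.strip().lower() == name.lower():
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed inbound messages: (display name, from address)
    for sender in [("Jane Doe", "jane.doe@example.com"),
                   ("Jane Doe", "jane.doe@exmaple.com"),
                   ("Jane Doe", "jdoe.cfo@freemail.example"),
                   ("Bob Vendor", "bob@vendor.example")]:
        print(sender, "->", classify_sender(*sender))
```

A wire request that classifies as "lookalike" should be held for out-of-band confirmation with the executive rather than processed.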

Human Error – Regardless of how much an organization spends on technology personnel and robust security systems, IT cannot control every exposure. The risk of lost or stolen portable computers or media, misplaced mobile devices, improper disposal of paper records, and vendor negligence illustrates that the weakest link in the criminal cycle can be as simple as a misstep by a well-meaning individual. Threats from paper-based records falling into the wrong hands are just as real as those related to data breaches of computer networks and electronic media. Top managers need to develop a risk management culture that makes data security second nature across every part of the organization. This can involve everything from risk management goals related to digital files, such as training and protocols to prevent unauthorized access to mission-critical systems, to documented procedures for the proper disposal of paper files. Employees at every level, from the mail room to the C-suite, need to know what to look out for, and data risk management should be a part of key executive discussions.

Planning is Paramount
Responding to a data breach of any kind can be both costly and complex. The response team will require experts from multiple disciplines, including forensic investigators, public relations experts and legal counsel. A botched response to even the smallest breach can damage your business reputation irreparably. Organizations also face the specter of regulatory fines and penalties, as well as potential legal liability. To mount a coordinated response to even a small incident requires precise information, deep pockets and the ability to close the loop on how the breach occurred.

Having a response plan in place prior to a breach ever happening can save a business thousands of dollars and minimize reputational damage resulting from the event. Executives and IT managers at large organizations should work together with their legal counsel, data security experts, and an experienced crisis communications firm to craft a comprehensive response strategy, so the enterprise will not be caught off guard if systems or sensitive information are compromised. Likewise, even small and mid-size businesses can establish employee training protocols and contract a cyber-security firm to proactively identify potential risks and recommend safeguards.

In addition, cyber liability insurance, also called data breach insurance, can protect against losses from data theft or destruction, hacking, viruses and malware, and denial of service attacks. This type of coverage indemnifies the organization that suffered the breach and covers costs that are outside the scope of a general liability policy, such as legal fees, data recovery, computer system repair, and notifying customers.

The key to dealing with data security effectively is to understand how criminals think, train employees to exercise caution, and leverage insurance to add a safety net for where standard security measures may fail. Acknowledging that your organization has exposure and is more likely than not to experience a breach can put you well ahead of the game for protecting your business, your employees and your customers.