Every year, we continue to see high-profile data security breaches reported in the media. This will continue to be the reality in coming years because cybercriminals and malicious attackers have an extensive wish list that includes personally identifiable information (PII), payment card data, medical records, and other sensitive data.
As cyberattacks become more prolific and publicized, it’s easy to conclude that the question becomes not if, but when information will be compromised. The key is understanding what you can do to help you stay one step ahead.
What’s Driving the Surge in Data Breaches?
It’s simple. Stolen data is extremely profitable.
For example, a medical record can sell in the black market for as much as $1,000. Credit card account numbers sell for anywhere between $5 and $110 depending on the card brand, the country it comes from, and how recently the card data was stolen. Other PII, such as Social Security numbers, can sell for $1 per record.
As seen here, medical records have a far greater value than other information. Criminals can continue using or selling this protected health information even after the victim knows it’s been compromised, as opposed to credit card information, which can be quickly devalued by canceling the credit card.
Using Hindsight as Defense
So what can be done to stave off an attack and protect your sensitive and critical business data (and avoid being tomorrow’s high-profile data-breach story)? Below, we illustrate how you might avoid an attack with some real-life examples of high-profile data breaches.
Equifax
What happened: Equifax was compromised after an attack exposed more than 143 million consumer records. Those records included Social Security numbers, credit card information, and other identifiable personal data.
Hindsight: For any highly sensitive data, encryption of the data while at rest could have provided an additional layer of protection over the PII and payment card data that was breached.
Uber
What happened: Personal data for 57 million Uber users and drivers worldwide was stolen. The breach was compounded by a lack of transparency—the attack happened in October 2016 but wasn't publicly announced for more than a year. Uber paid $100,000 to the hacker to destroy the data.
Hindsight: Software development should follow a secure process, and source code must be properly protected, especially when login credentials for production environments are hard-coded into it, because anyone who obtains the code then also holds those credentials.
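As an added example (not code from the article or from any of the companies it discusses), the following Python scans source text for the two most common shapes of a hard-coded credential, a quoted literal assigned to a credential-like name and a `user:password@host` URL, and shows the alternative of reading the value from the process environment at run time. The sample module, its variable names and every value in it are constructed for this illustration.

```python
"""Added example, not from the article: a small scan that flags credentials
hard-coded in source, next to the pattern that keeps them out of the code
(reading them from the environment, where a deployment platform or secret
manager injects them). The sample source below is constructed."""
import math
import os
import re
from collections import Counter
from typing import List, Mapping, Tuple

# An assignment to a credential-like name with a quoted literal value ...
_ASSIGN = re.compile(
    r'(?i)(password|passwd|pwd|secret|api_?key|token)\w*\s*[:=]\s*["\']([^"\']{6,})["\']')
# ... or a URL of the form scheme://user:password@host.
_URL_CRED = re.compile(r'(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@')


def shannon_entropy(value: str) -> float:
    """Bits per character. Random-looking keys score high; placeholder words
    such as 'changeme' score low, which helps rank the findings."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def find_hardcoded_credentials(source: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, value) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _ASSIGN.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if value.startswith('${') or value.startswith('{{'):
                continue  # deploy-time template placeholder, not a credential
            reason = f'credential-like name {name!r}'
            if shannon_entropy(value) >= min_entropy:
                reason += ' with high-entropy value'
            findings.append((lineno, reason, value))
            continue
        m = _URL_CRED.search(line)
        if m:
            findings.append((lineno, 'credential embedded in URL', m.group(1)))
    return findings


def load_credential(name: str, environ: Mapping[str, str] = os.environ) -> str:
    """The non-hard-coded alternative: the value lives outside the repository
    and is provided at run time; a missing value fails loudly at start-up."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f'credential {name} not provided in environment')
    return value


# Constructed sample source; none of these values are real credentials.
SAMPLE_SOURCE = '''\
# constructed sample module
DB_HOST = "db.internal.example"
DB_PASSWORD = "Tr0ub4dor&3-sample-only"
api_key = "AKIAEXAMPLEEXAMPLE00"   # pretend cloud key
BROKER_URL = "amqps://svc:S3cretPass@broker.internal.example/vhost"
DB_PASSWORD_FROM_ENV = os.environ["DB_PASSWORD"]
TEMPLATE_SECRET = "${DEPLOY_SECRET}"
'''

if __name__ == '__main__':
    for lineno, reason, value in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f'line {lineno}: {reason}: {value!r}')
```

Run against the constructed module, the scan reports lines 3, 4 and 5 and stays quiet on the environment lookup and the template placeholder. A check like this belongs in a pre-commit hook or CI step, where it catches the credential before it reaches the repository history.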
Anthem Health Insurance
What happened: A database containing information on 80 million customers and employees was compromised by an individual exploiting IT staff credentials. Stolen personal information included names, dates of birth, medical identification numbers, and Social Security numbers, among other items.
Hindsight: Better controls around user authentication and system patching could have prevented this data breach and theft. Multifactor authentication is a means of identifying yourself to a system or network using at least two of the following: something you are, something you know, and something you have. A typical user name and password combination involves the first two elements, but is still highly susceptible to password cracking attacks. Adding the third element—something you have, such as a one-time password token—significantly reduces the probability of a successful attack.
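To make the "something you have" factor concrete, here is an added Python example (not from the article or from Anthem) of how a server verifies a one-time password token next to the password. The code generation follows the HOTP and TOTP algorithms of RFC 4226 and RFC 6238; the demo secret is the RFC test-vector seed, the user record and password are constructed, and the replay guard (remembering the last accepted counter) and drift window are design choices of this example rather than anything the article specifies.

```python
"""Added example, not from the article: a second factor of the
'something you have' kind, verified server-side next to the password.
HOTP/TOTP follow RFC 4226 / RFC 6238; the demo secret is the RFC test-vector
seed and the user record is constructed for this example."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch, so the token and the server need only agree on time."""
    return hotp(secret, at // step, digits)


class SecondFactor:
    """Server-side state for one user's token. Besides the shared secret it
    keeps the last accepted counter, so a code that has already been used
    (captured and replayed) is refused even while it would still be 'valid'."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_counter = -1

    def check(self, candidate: str, at: int) -> Optional[int]:
        """Return the counter the candidate matches, or None. Tolerates
        +/- `window` steps of clock drift. No state is changed here."""
        if len(candidate) != self.digits or not candidate.isdigit():
            return None
        base = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed, or older than a consumed code
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), candidate):
                return counter
        return None

    def accept(self, counter: int) -> None:
        self.last_counter = max(self.last_counter, counter)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 200_000)


def make_demo_user() -> dict:
    """Constructed user record: password hash (something you know) plus a
    token secret (something you have). The secret is the RFC 6238 test seed."""
    salt = b'constructed-salt'
    return {
        'salt': salt,
        'password_hash': _hash_password('correct horse battery staple', salt),
        'second_factor': SecondFactor(b'12345678901234567890'),
    }


def login(user: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated, and the token counter is consumed
    only when both pass, so a guessed password alone cannot burn codes and a
    failed login does not reveal which factor was wrong."""
    at = int(time.time()) if at is None else at
    ok_know = hmac.compare_digest(_hash_password(password, user['salt']), user['password_hash'])
    matched = user['second_factor'].check(code, at)
    if ok_know and matched is not None:
        user['second_factor'].accept(matched)
        return True
    return False


if __name__ == '__main__':
    user = make_demo_user()
    now = 59  # RFC 6238 test time; code 287082 is valid here
    print(login(user, 'correct horse battery staple', '287082', now))  # True
    print(login(user, 'correct horse battery staple', '287082', now))  # False: replay
```

The point the example makes about the Anthem case is that stolen credentials alone no longer log in: the attacker would also need the physical token (or its secret), and even a captured code is single-use.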
Additional Protective Measures
There are other protective measures that an organization should apply in order to protect its sensitive data.
- Penetration Testing. This is a pre-emptive step to identify the weak points in your network and systems before the hackers do. Penetration testing is essentially hacking, but performed ethically by a specialist. It serves as a quality assurance step after changes are made to networks or systems to check if there are any vulnerabilities that could be exploited and result in a security breach. Some regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), require penetration testing as part of a service provider’s and merchant’s annual validation of compliance.
- Due Diligence with Third-Party Hosting Services. If you use cloud-based or third-party hosting services or services that help manage an aspect of your technology environment, such as firewall management or data backup, then you should ascertain the protections and security measures the vendor has in place in order to protect clients’ data.
- Request Examinations. Attestation reports on controls by an independent and objective firm that specializes in technology audits should be requested and reviewed. This should occur before entering into an agreement with the service provider and giving them access to your sensitive data. In addition, the contract between your organization and the service provider should include language that allows you to conduct audits of their hosting environment and adherence to any data security regulations to which your organization is subject.
In the Unfortunate Event of a Breach
If your organization does experience a data breach, there are immediate steps that should be taken to stem the damage and minimize the impact.
Exercise Your Security Incident Response Plan
Many organizations have not developed an incident response plan for a data breach, yet having one is instrumental in alleviating the pressure of making decisions after a breach, when time is of the essence.
A typical security incident response plan should include the following components:
- Roles and responsibilities
- Trigger incidents
- Technology environment overview, including a network diagram, containment procedures, eradication and cleanup procedures
- Communications protocols
- A call list, including key vendors the organization is dependent upon for technology support
A Fresh Set of Eyes
This perspective often comes from a third party that specializes in computer forensics or post-attack analysis; the FBI has a division that investigates cybersecurity breaches, for example. The objective is to reveal clues or leads and to offer outside help when IT staff, who are often too close to the situation, may become fatigued and lose focus.
Know Your Notification Responsibilities
Federal and state-specific regulations mandate that affected parties be notified of any data breach that involves their personal information. It’s important to know what your organization’s obligations are from a compliance standpoint to avoid potential monetary penalties, fines, and lawsuits.
Call Your Insurance Carrier
Contact your insurance agent immediately upon stabilizing the situation, and determine what’s covered, which may include legal issues, public relations and communications, notifications to external parties, forensics activities, and the overall response effort. Also, determine if theft of proprietary information is covered, particularly if you have a lot of intellectual property.
Develop Remediation Plans
After the situation has stabilized, many organizations fail to learn from their mistakes and don’t implement the controls or protections necessary to prevent a future attack or at least minimize the risk of a successful attack. Developing a remediation plan to address the risk and implement stronger controls and protections is essential to ensuring a similar attack does not occur in the future.
Include Security Protocol and Controls in Your Business Processes
Practice securing data throughout its life cycle. This means considering protections and security controls that should be in place once the data is acquired, when it goes through processing, where it gets stored, and when it’s transmitted or moved.
We’re Here to Help
A data security breach is never a good thing. While the threat and risk of a breach will persist, there are important measures you can take to help minimize risk exposure and impact. Instituting regular security awareness training, conducting due diligence on service providers, and performing regular penetration tests can be instrumental to reducing the risk of a breach. Staying aware of evolving cybersecurity threats will go a long way to enhancing your organization’s security posture while keeping you out of the headlines. For more information, contact your Moss Adams professional.