Are You Prepared for the Top 5 Cyber Risks of 2017?
While many companies have data breach preparedness on their radar, it takes constant vigilance to stay ahead of emerging threats and increasingly sophisticated cybercriminals. To learn more about what risks may lie ahead, Experian Data Breach Resolution released its fourth annual Data Breach Industry Forecast white paper.
The industry predictions in the report are rooted in Experian’s history of helping companies navigate more than 17,000 breaches over the last decade and almost 4,000 breaches in 2016 alone. The anticipated issues include nation-state cyberattacks possibly moving from espionage to full-scale cyber conflicts, and new attacks targeting the healthcare industry.
Following the 2012 and 2014 breaches of LinkedIn, Dropbox and Yahoo accounts, those personal account details resurfaced on the dark web in 2016, re-exposing 732,000,000 email addresses and passwords.
Today’s world of data breaches is one that is constantly changing. As companies become better prepared to protect against a data breach, attackers are finding stealthier ways to get around security measures and reach the information they want. While some tried-and-true attacks continue to serve as go-to methods for hackers, there are evolving tools and targets that are likely to become front-page news in 2017. Organizations can’t wait until an attack happens to ensure they are protected – they need to look at the signs early on to start preparing for new types of security threats.
Based upon Experian’s experience, the top data breach trends of 2017 are anticipated to include the following:
» Aftershock password breaches will expedite the death of the password
Unfortunately, the potential damage of an aftershock breach is likely the same as when the primary organization loses personal information. Customers of these businesses are likely to express concerns, and the potential for fraud is equivalent to that of the original incident.
» Nation-State cyber-attacks will move from espionage to war
The progression of cyber-attacks driven by nation-states will undoubtedly place critical infrastructure in the crosshairs, potentially leading to widespread outages or exposed personal information that could impact millions of innocent consumers.
» Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging
Of the potential sources for a breach, electronic health records (EHR) are likely to be a primary target for attackers. The portable nature of this information, and the number of different entities and end-points that need access to it, mean there is a high likelihood that it will pass through a vulnerable computer system. While there may be significant protections in place to secure these records in transit, it only takes one compromised or outdated system to lead to exposure. Further, as more healthcare institutions deploy new mobile applications, it’s possible that they will introduce new vulnerabilities that will also be attractive targets for attackers.
» Criminals will focus on payment-based attacks despite the EMV shift taking place over a year ago
Instead of targeting big-name retailers as we’ve seen in the past, attackers may turn their attention to smaller franchised stores and others with distributed infrastructure. Along with needing to manage more distributed infrastructure, these businesses face other barriers, such as the software updates needed to accept the new payments not yet being available, and the impact the change can have on the checkout process.
» International data breaches will cause big headaches for multinational companies
These breaches are likely to have a disproportionately high impact on companies. As many international consumers are not accustomed to being notified of a breach, they are likely to be much more vocal in their concern and will be more likely to stop doing business with a company as a result of an incident.
Thomas Tollerton, DHG, as quoted in the Firestorm Paper on Cyber-Crisis Preparedness:
“Objective, third party assessments of cybersecurity posture are not only helpful in identifying gaps in cybersecurity functions, but also in providing reassurance to an organization’s stakeholders that leadership takes threats seriously. Reports such as SSAE16 provide such assurance.”
Jack Healey, Firestorm: as a part of preparedness for 2017, education should take place at all levels of the organization and be both General Cyber Security Awareness and Specific Functional Detection and Prevention training.
General Awareness covers:
- what data is considered sensitive and why,
- what company data is encrypted,
- who has access to the data,
- how the data is transferred internally and externally,
- where and how data is retained,
- how data should be destroyed,
- and General Security, such as the use of passwords; use of dual authentication for the most sensitive or vulnerable data (e.g. cash); BYOD policies; use of firewalls and anti-virus software at home and on all BYOD devices; social engineering awareness; ‘see something, say something’; and use of the help desk and other resources the organization has in place.
Specific Functional Detection and Prevention training is geared towards a specific job function; as an example, how can an Administrative Assistant recognize a fraudster’s attempt to gain information about an organization (calls asking for the names of the CFO and treasurer in order to institute a wire transfer fraud)? Human Resources, Supply Chain, Finance and Legal departments should have intensive training, since they maintain some of the most valuable data or will be involved in a Cyber Breach if one occurs.
Download the full Experian 2017 Report Here, and the Firestorm “Before Now” Actions paper below.
Download: Ten Cyber-Crisis “Before NOW” Actions – The Heavyweights Weigh In