Are Companies Too Focused on Cybercrime? by Judy Selby

23/12/2014 06:36

Companies are not paying enough attention to errant employees, and will pay the price in 2015.

As we come to the end of a tumultuous year where "data breach" became a household term, Experian Data Breach Resolution has published its 2015 Second Annual Data Breach Industry Forecast, outlining its top six data breach predictions for the coming year.

1. Rise-and-fall of payment breaches
The imminent adoption of EMV Chip and PIN technology will present hackers with a closing window of opportunity to easily profit from point-of-sale attacks on retailers. Attacks are expected to continue until the new payment system is implemented in late 2015. Despite the adoption of more secure payment technology, retailers will need to remain vigilant. Experian notes that "cyberthieves have likely already identified vulnerabilities they can target in the new infrastructure."

2. More hackers will target cloud data
Experian anticipates an increase in breaches involving the loss of user names, passwords and other information stored in the cloud. Increased reliance on online services for everything from bill payment to photo editing makes those services an attractive target for hackers. Online credentials, such as consumer passwords and user names, can give hackers the "keys to the castle—with the likelihood that compromising one record can often give access to all sorts of other information stored online." Incident response plans should address this threat by, for example, considering how to notify affected users and reset passwords on a massive scale if necessary.

3. Persistent, growing threat of healthcare breaches
Healthcare breaches are likely to increase due to economic gain and the digitization of health records. "Increased movement to electronic medical records also contributes to the rise, as does wearable technologies in healthcare." Those risks are exacerbated by the increasing value of health information and the fact that some providers lack sufficient resources to adequately safeguard patient data.

4. Shifting accountability: business leaders are under increased scrutiny
Business leaders are being held directly accountable for data breaches. Executives at the highest levels are under scrutiny about security—their response to a breach is measured by stakeholders, regulators and consumers. Recent mega breaches have triggered significant pressure for management teams to improve data breach preparedness or face the threat of being ousted, observes Experian. Businesses must recognize that data security and data breach planning are not just an IT problem.

5. Employee mistakes will be companies' biggest threat
Employee-based breaches will continue to be the leading cause of compromises, but will receive the least attention as businesses focus on cyberattacks. As a result, many companies will miss the mark, and fail to address the root cause of the majority of data breaches.

6. Rise in third-party breaches via the Internet of Things
Experian warns that the "next leak from the office water cooler won't be caused by employee gossip." Rather, it's the Internet of Things—interconnected products and devices. IoT is on the rise, and helps companies gather and process valuable information from billions of sources. Unfortunately, security vulnerabilities are created when data is collected, stored and processed from all these objects and devices. Experian predicts "an increase in cyberattack campaigns, including everything from sensor networks and work meters to consumer devices such as routers and Network Attached Storage (NAS)."

Last year, Experian correctly predicted increases in the number of international and healthcare breaches, a surge in the adoption of cyber insurance, increasing consumer breach fatigue and stepped-up regulatory involvement. The only 2014 prediction that didn't play out, unfortunately, was that there would be a decline in data breach costs. Instead, per-record costs increased from $136 in 2013 to $145 in 2014.

As we approach 2015, companies can reduce their information-related risks by making data security a top business priority. Consider implementing company-wide programs focused on improved security, employee training and breach preparedness—including development of a breach response plan that addresses existing and emerging internal and external threats.

Judy Selby is a partner at Baker & Hostetler, and is co-leader of its information governance team and founded the e-discovery and technology management team. She is based in New York.
