In the modern era of mega breaches, there seems to be an ever-upward trend of more attacks, more leaked records and more varied threats.
Yet, by the numbers, 2015 was not a complete disaster. While significant interruptions, shifts in perspective and challenges to the security industry continue to evolve, there are some areas of slowed growth and even improvement.
According to the IBM X-Force Threat Intelligence Report 2016, by the end of 2014 some estimates indicated that more than one billion leaked emails, credit card numbers, passwords and other types of Personally Identifiable Information (PII) had been reported stolen.
Since then the landscape has shifted slightly: cybercriminals are focusing more readily on higher-value records such as health-related PII and other highly sensitive data, with less emphasis on the emails, passwords and even credit card data that were the targets of years past.
IBM’s X-Force Threat Intelligence Report 2016 reveals several key trends to keep in mind when formulating PII best practices and protocols for the coming months.
- The sophistication of attack techniques increased in the year with advances such as overlay malware on mobile platforms, which tricks end users into providing personal data much as desktop browser web injections had done in years past.
- Popular attack methods such as distributed-denial-of-service (DDoS) attacks continued to be an attractive means to an end, particularly as a distraction to cover a more targeted attack technique or as a way to demand ransom.
- With notable incidents and targeted malware affecting geographies including Canada, Australia, the United Kingdom, France, Turkey and Japan, we look at how attacks adapt to extend beyond borders.
- The complexities of doing business at scale, both strategic and technical, create barriers to overcome in preventing these attacks from occurring. A focus on user education and systematic protocols for operating a strong risk assessment program can provide value in that effort.
- By January 2015, the connected world was already inundated with a litany of constant data breaches, making it almost too easy to tune out the near daily reports of new incidents. Tuning out, however, was not the appropriate strategy, as existing avenues of attack were adapted and applied vigorously while novel threat techniques and attacks on prominent targets dominated headlines for weeks on end.
- From an industry perspective, healthcare was in the spotlight with a number of high-profile US incidents resulting in the theft of more than 100 million PII records. Malicious advertising, also known as malvertising, increased throughout 2015. In these cases, infected ads, primarily targeting Adobe Flash vulnerabilities, were served to millions of viewers on popular websites and resulted in the installation of ransomware and other types of malware. Toward the end of the year, a security researcher uncovered a number of misconfigured NoSQL databases that exposed more than 200 million combined records, reinforcing that, more than ever, basic security practices are critical to protecting end-user data.
- Reports surfaced in 2014 about breaches at several large hotel chains and other travel and transportation targets such as airport parking lots. This trend continued into 2015, impacting global hospitality brands including Trump, Starwood and Hyatt hotels, as well as a number of regional resorts, hotels and casinos. Interestingly, in some cases the front desk reservation payment systems were not affected; rather, attackers breached POS terminals in hotel gift shops and restaurants. Other smaller but frequent targets included zoos and other tourist sites. By targeting POS service companies that provide turnkey payment systems to local businesses and restaurants, attackers were positioned to steal credit card data from thousands of retail customers.
- Organized cybercrime is no longer made up primarily of small factions, and the days of lone hackers are all but gone. Instead, nowadays enterprises fight against motivated organizations that — like legitimate businesses — are divided into teams, employ highly experienced developers with deep knowledge, leverage connections and encourage collaboration. Also like businesses, these gangs are highly organized, managed by crime lords who fund the operation and deploy various types of troops to achieve their eventual success.
The Cost of a Breach
A breach of customer information could result in the organization’s loss of public trust, legal liability and significant cost to remedy damages. While it is best practice for organizations to limit the use, collection, and retention of PII to only what is absolutely required for business purposes, oftentimes it is not known exactly what information is stored and where it is located to effectively manage it and ensure its protection.
Protecting customer data such as credit card information, log-in credentials, and other personally identifiable information is one of the top priorities for both security and risk leaders, as well as business leaders.
Today, customer data protection is a source of growth and competitive differentiation for firms. Customer data breaches and privacy abuses lead to significant short-term costs from the immediate breach response itself as well as to long-term costs resulting from decreases in customer loyalty and retention and lost business opportunities.
However, as the threat landscape continues to evolve, market leaders must adjust their risk management strategies to also counter the next frontier: intellectual property theft. Theft of intellectual property, such as trade secrets, new product designs, financial information and source code, can be just as damaging, and in some cases worse, because it can lead to a permanent loss of competitive advantage.
The danger for many organizations is that they experience significant challenges in identifying, classifying and managing this important data in an organized and protected manner.
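One way to start the inventory these paragraphs call for, as an added example that is not from the report or the original article: a small scanner that flags e-mail addresses and Luhn-valid payment card numbers in stored text and maps each hit back to where it lives. The sample records and paths are constructed.

```python
"""Locate PII in stored text so it can be inventoried and retention limited."""
import re
from typing import Dict, List, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits with optional space/dash separators; validated with Luhn afterwards.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs found in text; card values are masked to last 4."""
    found = [("email", m.group(0)) for m in EMAIL_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # drops order ids and other random digit runs
            found.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return found


def inventory(store: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each location (file, column, ...) to the PII it holds; clean ones omitted."""
    return {loc: hits for loc, hits in ((k, find_pii(v)) for k, v in store.items()) if hits}


# Constructed sample: three stored blobs, only one of which holds real PII.
SAMPLE_STORE = {
    "exports/guests.csv": "Ann Lee,ann.lee@example.com,4111 1111 1111 1111",
    "logs/app.log": "order 42 failed, ref 1234567890123456 is not a card",  # fails Luhn
    "docs/readme.txt": "Nothing personal stored here.",
}

if __name__ == "__main__":
    for loc, hits in inventory(SAMPLE_STORE).items():
        print(loc, hits)
```

Run it over exported files, log directories or database column samples to get a first map of where PII sits before deciding what can be deleted or tokenized.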