Data Breaches: Learning From the Business Next Door

Looking back at 2015, we can all recall many large and well-publicized data breaches. In fact, retail breaches can almost seem like yesterday’s news compared to other high-profile incidents like Anthem, Premera and the OPM. Even so, retailers shouldn't become complacent and caught flatfooted. These attacks are spurring demand for increased regulation, pressure from merchant banks and, most importantly, rising consumer anxiety over their data, privacy and identity. The overall effect is a decline of trust and a surge of ad-blocking solutions to enhance consumer’s privacy and security.

Cybercriminals have learned that the value in targeting retailers can far exceed credit card data. Attacks can threaten to take down systems indefinitely, expose sensitive board and executive emails, and capture proprietary data. With increased precision through micro-targeted spear phishing and "malvertising," there's a growing ability to compromise higher net worth entities, including professional services organizations and their respective C-suites. Business email compromise (BEC) scams designed to socially engineer employees’ actions have increased 270 percent.

Last year also saw the rise of precision targeting and extortion via ransomware. By leveraging personalized information posted on Facebook and LinkedIn, hackers can create socially engineered exploits targeting high net-worth business victims. At the same time, cybercriminals’ ransom demands show a shift from opportunistic flat-rate extortion to one of market-based “surge pricing.” Criminals can hold data hostage, attempting to extort millions of dollars from companies that wish to avoid public embarrassment, data destruction and loss of intellectual property.

No organization is immune and every business, regardless of size, must be prepared for data loss. The Online Trust Alliance's (OTA) analysis of publicly reported breaches for the first eight months of 2015 revealed 91 percent were avoidable. Thirty percent were due to lack of internal controls resulting in employees’ accidental or malicious events, while only 34 percent were the result of actual hacks.

What Have We Learned?
It's not just an IT problem. There needs to be a critical shift in attitude regarding roles and responsibilities of data stewardship and security.

Data is often a company’s most valuable asset and requires the appropriate level of protection and care. Protect it while it’s held, and then delete it when it’s no longer needed. Criminals cannot steal or hold hostage data you don’t have. Businesses need to think about the consequences. It’s dangerous to think you aren’t going to be a target. Consumer, employee and corporate data are valuable commodities.

Security and privacy are not absolutes and must evolve. Attack vectors, technologies/implementations and regulations are constantly changing and need to be monitored constantly so you can adapt appropriately.
Security is beyond your walls. As more businesses rely on cloud services and third-party providers, a risk assessment must be conducted prior to usage and on an ongoing annual basis.

Being prepared isn't just for boy scouts. An incident plan needs to incorporate both disaster planning and training to help prevent, detect, mitigate and respond to a data breach. Planning is the key to maintaining online trust and the vitality of the internet, while helping to ensure the continuity of business.

Data security and privacy must become part of an organization’s culture. The responsibility cannot be assigned to a single group or individual; it belongs to everyone. Following the guidance in the 2016 Data Protection and Breach Response Guide will help every business enhance protection, detection, remediation and response to the next data breach incident. Being prepared for a breach is good for your business, your brand and, most importantly, your customers.

Craig Spiezle is the executive director and president of the Online Trust Alliance, a nonprofit organization whose mission is to create and promote business practices and technologies to enhance online trust and the vitality of e-commerce and online services.