In 2017, most companies have data breach preparedness on their radar. But the threat landscape is ever-evolving. Staying ahead of emerging threats and the increasing sophistication of cybercriminals requires "constant vigilance," as Mad-Eye Moody from J.K. Rowling's Harry Potter series was fond of saying.
"Preparing for a data breach has become much more complex over the last few years," says Michael Buemmer, vice president at Experian Data Breach Resolution. "Organizations must keep an eye on the many new and constantly evolving threats and address these threats in their incident response plans."
To aid in that effort, Experian Data Breach Resolution recently released its fourth annual Data Breach Industry Forecast, a report rooted in Experian's history helping more than 17,000 companies deal with data breaches in the last decade (4,000 in 2016 alone).
Experian says five data breach trends will dominate 2017:
- Aftershock password breaches will expedite the death of the password.
- Nation-state cyber-attacks will move from espionage to war.
- Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.
- Criminals will focus on payment-based attacks despite the EMV shift that took place more than a year ago.
- International data breaches will cause big headaches for multinational companies.
1. Aftershock password breaches will expedite the death of the password
Experian says that "aftershock" breaches, which it considered an emerging trend in 2016, will become more common and varied in 2017.
Earthquakes are often followed by a series of aftershocks, smaller-magnitude earthquakes that can occur for years after the initial quake as the earth's crust around the displaced fault plane adjusts.
Password breaches are similar, according to Experian: Attackers continue to sell old username and password information on the dark web. Since users often reuse passwords, this can lead to companies that didn't experience a first-hand data breach becoming the target of repeat unauthorized log-ins, which in turn forces those companies to notify their users that their information is being misused.
By way of example, Experian points to the breach of 500 million Yahoo! accounts in 2014.
"It has been reported those stolen credentials were subsequently resold and used by other criminals to compromise accounts across a wide variety of services where consumers use the same username and password," Experian notes in the report. "This exposure of the largest-ever breach of usernames and passwords is likely to reverberate for years to come as the exposed credentials make their way through the underground economy. Companies that have never experienced a direct breach will be forced to deal with the aftershock of Yahoo!'s loss of user credentials."
Experian predicts 2017 will see criminals expanding on the aftershock breach concept. These breaches won't just involve usernames and passwords; attackers will take the same approach with even more personal information, like social security numbers and medical information.
To combat this trend, Experian recommends implementing two-factor authentication to identify users. It also recommends companies account for aftershock breaches in their incident response plans.
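The aftershock pattern described above (reused credentials from an old breach replayed against a company that was never itself breached) has a recognisable signature in a login log: one source cycling through many distinct accounts, mostly failing, with the occasional success where the reused password still works. The following is an added example, not code from the article or from Experian; the log format, the sample lines, the IP addresses and the thresholds are all constructed for illustration. It flags such sources and lists the accounts on which the replay succeeded, which are the ones to force a reset or step-up authentication for.

```python
"""Spot credential-replay ("aftershock") login patterns in an auth log.

Added example; not from the Experian report or the article. The log
format, sample lines, addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format:
#   "<ISO timestamp> <src_ip> <username> <FAIL|SUCCESS>"
# 203.0.113.7 walks through six accounts in nine seconds (one reused
# password works); 198.51.100.4 is a single user mistyping their password.
SAMPLE_LOG = """\
2017-01-10T09:00:01 203.0.113.7 alice FAIL
2017-01-10T09:00:03 203.0.113.7 bob FAIL
2017-01-10T09:00:04 203.0.113.7 carol SUCCESS
2017-01-10T09:00:06 203.0.113.7 dave FAIL
2017-01-10T09:00:07 203.0.113.7 erin FAIL
2017-01-10T09:00:09 203.0.113.7 frank FAIL
2017-01-10T09:02:30 198.51.100.4 alice FAIL
2017-01-10T09:02:45 198.51.100.4 alice FAIL
2017-01-10T09:03:05 198.51.100.4 alice SUCCESS
"""


def parse_log(text):
    """Parse log text into (timestamp, src_ip, username, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding `window`, attempt at least
    `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.

    Many distinct usernames from one source distinguishes credential replay
    from an ordinary user retrying their own password.  Returns a dict
    {src_ip: {"attempts", "distinct_users", "failures", "succeeded"}}, where
    "succeeded" lists accounts the replay actually got into.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            # Events from this one up to `window` later (evs is time-sorted).
            window_evs = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in window_evs}
            failures = sum(1 for e in window_evs if e[3] == "FAIL")
            if len(users) >= min_users and failures / len(window_evs) >= min_fail_ratio:
                alerts[ip] = {
                    "attempts": len(window_evs),
                    "distinct_users": len(users),
                    "failures": failures,
                    "succeeded": sorted(e[2] for e in window_evs if e[3] == "SUCCESS"),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts, {info['failures']}/{info['attempts']} failed;"
              f" compromised candidates: {info['succeeded']}")
```

The thresholds are deliberately conservative: a source must hit several different accounts, not just fail repeatedly, before it is flagged, which keeps a locked-out employee from tripping the alert. Accounts in the "succeeded" list are exactly where the two-factor authentication Experian recommends would have stopped the replay, and they are the ones whose owners need the breach notification the article describes.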
2. Nation-state cyber-attacks will move from espionage to war
Experian predicts that cyber conflicts between nation-states will escalate from espionage to cyber-warfare in 2017.
"While the [U.S. Office of Personnel Management] breach of 2015 was clearly motivated by gaining specific intelligence, in 2017 we will see new operations made public that use cyber-attacks as an outright offensive weapon," the report said.
Experian notes that when the issue of state-sponsored cyber-attacks came up during the recent U.S. presidential campaign, both candidates said they would favor using cyber weapons to retaliate, leading Experian to predict an escalation in cyber conflict in 2017. These conflicts will tend to leave consumers and businesses as collateral damage.
"The progression of cyber-attacks driven by nation-states will undoubtedly place critical infrastructure in the crosshairs, potentially leading to widespread outages or exposed personal information that could impact millions of innocent consumers," the report said.
Experian recommends companies address this threat by participating in their respective Information Sharing and Analysis Center (ISAC) to share cyber threat information with peers and national defense organizations. Additionally, businesses — especially businesses involved in critical infrastructure — should prepare for full-on disruption. Proactive steps could involve purchasing insurance protection and shoring up security measures against large-scale disruptions.
3. Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging
For years, personal medical information, particularly electronic health records (EHRs), has been some of the most valuable data criminals can target. In 2015, many attackers focused on health insurers. But Experian believes 2017 will see criminals expanding into other aspects of healthcare, including hospital networks. The report notes that hospital networks tend to be more distributed, making it harder to maintain security measures compared with more centralized organizations.
"The consequences of a medical data breach are wide-ranging, with devastating effects across the board — from the breached entity to consumers who may experience medical ID fraud to the healthcare industry as a whole," says Ann Patterson, senior vice president, Medical Identity Fraud Alliance (MIFA).
Experian predicts ransomware will be a top concern.
"Ransomware presents an easier and safer way for hackers to cash out. Given the potential disruption to a company, most organizations will opt to simply pay the ransom," the report says. "This has unintended consequences of funding more research and development by attackers who will in turn develop more sophisticated and targeted attacks. These new variants will likely be able to evade many of the security detection systems that were developed and are now widely deployed to stop the previous generation of attacks."
Experian recommends healthcare organizations of all sizes and types review their security measures and ensure they have contingency planning for responding to ransomware attacks as well as adequate employee security training.
4. Criminals will focus on payment-based attacks despite the EMV shift taking place over a year ago
All payment cards in the U.S. started incorporating EMV chips last year. But according to a report last September by the Strawhecker Group (TSG), only 44 percent of U.S. card-accepting merchants have EMV terminals, and only 29 percent can actually accept chip-based transactions.
Experian predicts that uneven adoption of the technology, combined with attackers targeting new industries and adapting their tactics, means payment attacks will plague companies in 2017.
"Instead of targeting big name retailers as we've seen in the past, attackers may turn their attention to smaller franchised stores and others with distributed infrastructure," the report says. "Along with needing to manage more distributed infrastructure, these businesses are experiencing other barriers, such as the need for software updates to accept payments that are not available and the impact it can have on the checkout process."
For years, cybercriminals have made use of skimmers, devices capable of stealing magnetic stripe data from point-of-sale (POS) systems. In the past, such devices have largely been used with ATMs. But the increasing popularity of self-checkout terminals in retail outlets opens new opportunities for criminals to use the devices. EMV chips help defend against skimmers if the technology is used, but current adoption levels lead Experian to predict that at least one major national retailer will be hit with a significant skimming outbreak in 2017.
To combat this, Experian says that while there are legitimate barriers to merchants adopting EMV Chip and PIN technology, the risk of not doing so has become too high to ignore.
"It is essential that companies behind the curve speed up their plans for EMV Chip and PIN adoption," the report said. "Both retail companies and consumers need to maintain security best practices during this time of ongoing transition and recognize that cyber criminals may shift their focus but won't be completely deterred. Paying close attention to potential weak spots, including catching POS skimmers quickly, can help mitigate potential fallout."
5. International data breaches will cause big headaches for multinational companies
Experian believes that breaches involving the loss of international consumers' data will cause the most significant damage in 2017, especially once the new General Data Protection Regulation (GDPR) in the E.U. goes into effect. Experian notes that new regulations will also soon take effect in Canada, and Australia is also considering a data breach bill.
A recent Ponemon Institute study found that 42 percent of companies have not included processes to manage an international data breach in their incident response plans.
"The 72 hour notice requirement to E.U. authorities under the GDPR is going to put U.S.-based organizations in a difficult situation," says Dominic Paluzzi, co-chair of the Data Privacy & Cybersecurity Practice at McDonald Hopkins. "The upcoming E.U. law may just have the effect of expediting breach notification globally, although 72 hour notice from discovery will be extremely difficult to comply with in many breaches. Organizations' incident response plans should certainly be updated to account for these new laws set to go in effect in 2017."
"Clearly, the biggest challenge for businesses in 2017 will be preparing for the entry into force of the GDPR, a massive regulatory framework with implications for budget and staff, carrying stiff fines and penalties in an unprecedented amount," adds Omer Tene, vice president of Research and Education for International Association of Privacy Professionals. "Against a backdrop of escalating cyber events, such as the recent attack on Internet backbone orchestrated through IoT devices, companies will need to train, educate and certify their staff to mitigate personal data risks."
Experian predicts the lack of preparedness, and the high stakes involved, mean at least one U.S. multinational will take a significant hit to its valuation in 2017 due to an international data breach.
Experian recommends companies confront this threat by working to comply with the new rules, including "dry runs" to ensure they are properly prepared.