BI Intelligence Report: The strategies companies are using to protect their customers - and themselves - in the age of massive breaches

Morris MacMatzen/Getty Images

  • In 2017, the average data breach cost US$3.6 million globally and US$7.4 million in the US, according to IBM. Those figures include direct costs, like those tied to identification, containment, and resolution, as well as indirect costs, like customer losses and brand damage, which can be vast.
  • And it’s possible that hackers are becoming more sophisticated and efficient. The number of overall breaches for 2017 should tick down, from 1,970 in 2016 to 1,712.
  • The majority of breaches are from the outside. Breaches initiated by “malicious outsiders” originate outside of an organisation, when someone is seeking access to records, generally for financial gain.
  • Software and hardware make up the largest category of attack. Sixty-two percent of breaches featured hacking in 2017, and over half included malware, according to Verizon.

It’s important for firms to invest across three fronts to manage the inevitable threat of a breach:

  • Prevention: Firms need to build a strong front door as a way of ensuring that as few breaches as possible occur.
  • Detection: Players need to develop institutional knowledge of their own systems, so that when a breach does occur, they’re able to find it quickly and efficiently on their own terms.
  • Resolution and response: Companies need to prepare themselves for how to deal with the reality of breaches, and build a crisis response plan to handle the fallout if the inevitable does occur.

Data breaches — incidents in which unauthorised parties access and retrieve sensitive, secure, or private data — are industry-agnostic, costly, and here to stay. In 2017, the average data breach cost US$3.6 million globally and US$7.4 million in the US, according to IBM. Those figures include direct costs, like those tied to identification, containment, and resolution, as well as indirect costs, like customer losses and brand damage, which can be vast.

Of the organisations that were breached during the year, 22% lost customers, 29% lost revenue, and 23% lost business opportunities, according to Cisco. These figures don’t even begin to account for longer-term damage that might arise from public scrutiny and diminishing brand reputation, nor do they account for costs that impact associated players, like issuers that have to reissue cards or agencies that have to alter personal information.

Meanwhile, breaches are garnering increasingly widespread attention following a seemingly unending series of high-profile incidents. A Yahoo breach in 2013 impacted all 3 billion of the tech giant’s accounts, for example, while the 2013 Target and 2014 Home Depot breaches hit 41 million and 56 million customers, respectively, and helped propel the US migration to EMV technology. Additionally, last fall’s Equifax breach exposed the information of at least 143 million US adults.

And there are corporate-side attacks too: The Society for Worldwide Interbank Financial Telecommunication, the global financial messaging system more commonly known as Swift, has been contending with high-tech heists that have enabled hackers to fraudulently transfer and steal hundreds of millions of dollars. These incidents have led to hyperawareness, as evidenced by a massive uptick in Google searches for “data breaches” from 2013 to 2017.

Therefore, it’s important for companies holding sensitive consumer data — at this point, virtually all companies — to proactively deal with the data breach threat and reactively deal with its reality. In this report, Business Insider Intelligence explores the data breach problem and identifies the leading causes of these costly incidents. We also evaluate how firms can best protect themselves from the constant looming threat of data breaches, and deal with the aftermath of a breach.

It’s important to note that, although all recommendations in this report can be applied to payments firms and merchants, these firms are often some of the best protected because of banks’ rapid innovation in fraud prevention and threat detection — these players aren’t always the key targets, but their hacks tend to be some of the most publicised.

The Breach Problem

Gemalto’s biannual Breach Level Index detected 918 data breaches in the first six months of 2017, down slightly from the same period in 2016, but up from the 815 breaches in the second half of 2016. Though the number of overall breaches seems to have peaked already, at least for now — something that various experts have pointed out to Business Insider Intelligence — that doesn’t mean the threat is necessarily declining. In fact, there’s no visible correlation between the total number of incidents and the number of records breached from 2013 onward.

It’s possible that hackers are becoming more sophisticated and efficient. The number of overall breaches for 2017 should tick down, from 1,970 in 2016 to 1,712, but the number of records breached will likely be considerably higher, as the 1.9 billion accessed in the first half of the year has already surpassed the full-year 2016 total. This could indicate that new techniques are allowing perpetrators to glean more access from fewer breaches.

Source: BI Intelligence

Breaches impact nearly all industries. Trends in breaches often ebb and flow, depending on the value of certain types of data on the dark web or ease of access, meaning that it’s common for the hardest-hit sectors to shift on a daily basis. Healthcare, financial services, education, and retail were exposed to the most breaches in the first half of 2017, though numerous other industries were impacted as well.

The Anatomy Of A Breach

To understand the anatomy of a breach and, in turn, begin building an action plan, it’s key for firms to look at two areas:

  1. Breach perpetrators: The categories of individuals or groups who perpetrate a breach.
  2. Manner of access: The point of entry that breach perpetrators use to gain access to a company’s systems, intentionally or not.

Breach Perpetrators

In its Breach Level Index, Gemalto outlines several types of breach perpetrators that fit into three major categories:

Source: Gemalto, 2017.
  1. Malicious outsider: These breaches originate outside of an organisation, when someone is seeking access to records, generally for financial gain (data can be sold on the dark web or elsewhere), but periodically for other reasons. Business Insider Intelligence includes state-sponsored attacks and those from “hacktivists,” or individuals and groups looking to expose a company for social or political reasons, in this category. Malicious outsiders are far and away the leading cause of breaches.
  2. Malicious insider: Malicious insiders, on the other hand, are individuals who intentionally perpetrate a breach from within, like what occurred during the most recent SWIFT breach. These individuals leverage their access to systems to breach data. This accounts for the smallest share of total breaches.
  3. Accidental loss: Nonmalicious actors can inadvertently cause breaches by making mistakes that open up access to systems or reveal data. These mistakes could include losing data, files, or hardware like laptops or phones; improperly disposing of records; or unintentionally accessing malware or phishing scams. And accidental loss is often a result of human error. Reg Harnish, CEO of cybersecurity firm GreyCastle Security, told Business Insider Intelligence that human beings are at “the core of all vulnerabilities,” with human error playing a role in all types of attacks. For example, a security or tech employee could build a bad program, misconfigure a firewall, write sloppy code, or fail to notice or patch a vulnerability.

Manner Of Access

In addition to knowing which actors tend to cause breaches, companies must protect themselves from three major types of causes. In doing so, they can quickly identify and patch the cause of a breach if one does occur. Combined, these access points account for over 80% of all breaches.

Source: Verizon, 2017.

Software and hardware attacks: A number of breaches aren’t perpetrated by a hacker directly, but rather by someone using software or hardware as a tool. This is the largest category of attack — 62% of breaches featured hacking in 2017, and over half included malware — figures that combine to create the 69% total cited above — according to Verizon. These are largely used by malicious outsiders, as defined above, but can be perpetrated by malicious insiders as well. There are a few major ways these hacks come about:

  • Web app attacks, where hackers use phishing or identified weaknesses to gain access.
  • Point-of-sale (POS) intrusions, where companies are accessed via vulnerabilities in their POS providers.
  • Card skimmers, which are devices installed on ATMs or other card machines that steal the payment data that’s encoded in the magnetic stripes of customers’ cards.
  • Crimeware or general malware, like ransomware.
  • Denial of service (DoS) attacks, which leverage botnets to “overwhelm” an organisation and “halt” existing operations.

Insider and privilege misuse: In misuse attacks, which are responsible for 7.6% of attacks, users with access to systems expose or leak data. These are rarely administrators or developers, but rather end users or lower-level employees, according to Verizon. In general, these types of attacks are perpetuated by malicious insiders, but they can come from malicious outsiders who manage to gain access to systems and pose as insiders.

Employee loss and error: Mistakes account for just over 11% of breaches, but they can have consequences — often, these attacks expose data at no intentional fault of any involved party. These can come from things like theft of electronic devices or records, improper disposal of records, failure to patch a key vulnerability in a key moment, server overload, or something else entirely. Either way, it’s critical that firms work to find ways to prevent these situations, and also build plans to resolve them when they do occur.

For context, the “other” category includes the small share of espionage-caused breaches that involve other means, as well as a generalised “other” group from Verizon.

Source: Verizon, 2017.

How Companies Can Cope

Companies need to find ways to secure their networks, but that isn’t enough. Mark Nelsen, senior vice president at Visa, told Business Insider Intelligence that it’s “prudent for everyone that processes data to assume that, at some point, criminals will get into their network.” He suggests that, to manage the threat, firms should invest across three fronts:

Prevention: Firms need to build a strong front door as a way of ensuring that as few breaches as possible occur.

Detection: Players need to develop institutional knowledge of their own systems, so that when a breach does occur, they’re able to find it quickly and efficiently on their own terms.

Resolution and response: Companies need to prepare themselves for how to deal with the reality of breaches, and build a crisis response plan to handle the fallout when the inevitable occurs.

In each of these areas, there are technological and organisational solutions that firms can undertake, with recommendations detailed below.

Prevention: Ensuring A Strong Front Door

Despite the inevitability of breaches, some are preventable — both Nelsen and Harnish told Business Insider Intelligence that information-sharing, and building up knowledge of the threat environment, is the best tool to prevent breaches, because it helps firms mitigate vulnerabilities before they’re exposed and taken advantage of, intentionally or not.

That means that players across industries can follow a few concrete steps to identify and guard any assets that might be of value to hackers. Here’s how they can do that:

Organisational

Understand what’s at risk, and how. Harnish noted that the most important first step is for firms to understand the five types of assets at risk: money, protected information (i.e. names, addresses, social security numbers), payment information (credit cards, in particular), intellectual property, and brand reputation. Before embarking on any protection program, firms need to identify the risk and figure out a dollar value associated with that risk — something that can be done internally, but also with the help of experts in the space. This is a step that firms often skip, according to Harnish, but it’s critical in building appropriate protections.

Ensure regulatory and standard compliance. Most industries have varying standards related to data security, like HIPAA in healthcare or PCI in payments. These standards are a good way of ensuring that firms are best protecting themselves in general ways, but also in ways specific to their industry. And while this suggestion seems obvious, it often lapses — Nelsen gave the example of a merchant adding a new POS system or other technology that’s noncompliant and increases vulnerability. Compliance is a fluid process, and it’s one that becomes more complicated by the flow of ever-changing systems and technology. Keeping tabs on compliance, and remaining familiar with standards, is critical in preventing incidents and mitigating damage in the event of a breach.

Educate and train employees. This is arguably the hardest part of threat prevention, according to Harnish, because employees are people, and they can’t be programmed. It’s important that companies keep a close eye on employees, and make sure that only the appropriate people have access to data. It’s also important that employees who do have authorised access to data are accessing it safely and remaining aware of potential vulnerabilities.

Technological

Firms can use technology to protect and secure their data. Players have several tools in their arsenal that can prevent data breaches:

Encryption: Nelsen cited data encryption as the top way to prevent a breach, because it removes direct access to secure data from the system. By encrypting data, firms are effectively rendering it useless to hackers, and making themselves unappetizing to a threatening figure. This is a relatively simple and attainable step, but one that’s often ignored — just 1% of breached records and 42 total incidents involved encrypted data, according to Gemalto.

Device security: As it becomes more commonplace for employees to work from multiple devices and access data outside of the office, firms can ban unencrypted devices from accessing data, or introduce an additional level of encryption or security clearances for these devices. This could prevent bring-your-own-device (BYOD)-based vulnerabilities.

Improve authentication: Passwords and PINs are no longer sufficient methods of protection. That’s forcing firms to move toward biometrics, or other advanced identity verification tools, to ensure their data doesn’t fall into the wrong hands. As users get more comfortable with biometric authentication — something that’s already happening, thanks to smartphone features like fingerprint verification and Touch ID — these tools will become more commonplace.

It’s also important to monitor partners and vendors. Breaches aren’t always direct — a retailer could be put at risk when a POS system that it used, or currently uses, is breached, for example, or a hospital might be put at risk when an insurer or technology network suffers a breach. Monitoring the security status of third parties, and protecting any data that breaches to these offerings might put at risk, is another way to protect assets.

Detection: Checking Up On Systems

Breach detection is a multifaceted, ever-changing process that often requires a considerable amount of time, attention, and money. Because of that, technology and developments in the space are relatively new and, therefore, underdeveloped and unreliable, making detection across the board particularly challenging.

US companies take an average of 191 days to detect a data breach, and they often don’t detect their own breaches: Over a quarter of breaches were discovered by third parties, according to Verizon, like the media or a security expert who found a company’s data floating on the internet.

It’s crucial that firms establish a baseline to speed up detection. All technology that a company uses creates logs. Whether through technology or human power, it’s important to centralise and analyse these logs frequently to be able to identify abnormalities quickly.

And it’s something companies don’t do — about a quarter of companies don’t have a baseline, according to SANS. The average cost of a breach can decrease 35% if it’s identified within 100 days, according to IBM. And the faster companies can detect a breach, the faster the response can begin, which also mitigates the lasting impacts on reputation and can help limit churn. There are a few ways companies can improve detection:

Organizational

Employees should be educated about what a breach might look like, and encouraged to report potential red flags. Seemingly harmless activities or conditions, like slow internet or devices, difficulties logging in, website redirects, or unusual IP addresses, are often the hallmarks of a breach, according to Lastline. Making employees aware of, and encouraging them to report, these red flags, can enable much more rapid detection. The best detection programs are those that spot weaknesses before they turn into “full-blown incidents,” according to Cisco, and so identifying potential issues might stop an attack in its tracks.

Technological

Breach detection is a new area, and the technology is, at best, not fully developed, with much of it still emerging. That said, there are a few areas of tech that are worth looking into and attempting to incorporate into breach detection:

Threat intelligence: Threat intelligence, defined as an “output of analysis based on identification, collection, and enrichment of relevant data and information,” focuses on analysis of data feeds (sometimes human, sometimes automated) to help firms find abnormal activity. It can be undertaken internally or contracted out from providers like McAfee or Symantec. If applied well, it’s useful — 48% of firms using threat intelligence can detect breaches earlier, and 54% say it helps them detect threats they weren’t previously aware of, according to SANS.

Machine learning and predictive analytics: Machine learning tools help companies sift through their data and rapidly detect abnormalities or discrepancies, ultimately stopping breaches earlier. It isn’t perfect, because it can generate false declines or prove too stringent, but it’s particularly valuable in detecting advanced or new breach types rapidly, which means its role will likely magnify as perpetrators become increasingly sophisticated.

DLP software: Firms can use specialized data loss prevention (DLP) software, which leverages rules and algorithms to protect information from falling into the hands of “unauthorised end users,” like a noncompany email server or other third party. It’s particularly effective at preventing insider attacks, and though no tool is 100% accurate, this type of software can often stop a breach in its tracks, or alert companies of potential threats. And though it’s often pricey, DLP is on the rise — it’s companies’ second-highest security spending priority, and should see a surge, since just under half of companies use only one type of security safeguard rather than a full suite.

Resolution And Response: Coping With The Inevitable

It’s important for firms to build a crisis response plan, and if a breach is detected, it’s essential to put that plan into place as quickly as possible. Many firms don’t do this — just 43% had a plan in 2015, and only 7% were comprehensive, though those figures may have grown — but it can be make-or-break. The same breach can have two different sets of lasting implications, depending on how it’s handled, according to Harnish: A firm that let a breach linger, didn’t have a plan, and had no safeguards will face much more severe consequences than one that took all the steps it could, was breached anyway, and dealt with it quickly.

Organisational

Ensure legal compliance. Managing a breach isn’t just essential for brand reputation — it’s a legal matter as well. Forty-eight states and Washington D.C. have legislation mandating data breach reporting, according to the NCSL. These laws differ, but most follow the model set by California’s — the first passed — which requires breached firms to notify customers “as soon as possible, without unreasonable delay,” and also defines penalties for failing to disclose, actions consumers can take, and which types of firms aren’t required to report. There is no federal bill at this time, according to CSO Online.

Protect customers. When a breach concerns information that could lead to identity theft, like identifying or payment data, companies often provide free access to credit monitoring, usually for 90 days to one year, according to Identity Guard. Credit monitoring can be costly — up to US$30 per user, or more, depending on the length of time it’s offered. And it’s often useless — “few” customers tend to use it, according to SANS, and it’s becoming so commonplace that people obtaining breached data tend to wait until the monitoring period ends to use it. But customer support, like credit monitoring, paying reissuance fees, and more, can help with brand reputation, which often takes a big hit after a breach, so it’s probably worth providing anyway.

Communicate effectively. Communicating about a breach to clients and those impacted, if third-party data is stolen, is critical. But firms have to tread carefully, because not all communication is good communication. To suffer the fewest consequences, firms need to communicate as early as possible without sacrificing accuracy. Harnish gave two examples, saying that firms don’t want to be like Target, which communicated about the breach immediately but had to continually issue updates as new developments emerged, or like Equifax, which didn’t communicate at all (and enlisted questionable practices, like offering customers credit monitoring but forcing them to waive their rights to a lawsuit if they wanted to use it) and appeared to be hiding something. Instead, firms should aim to be somewhere in between the two.

Down the line, it’s also important for firms to share their stories in as much depth as possible. Right now, businesses are reluctant to talk about data breaches, likely because of reasons that include fear of negative publicity and incurring legal liability. But ultimately, that’s hurting everyone. Most cyberattacks don’t occur in a vacuum — fraudsters will take the path of least resistance, using the same approach or tapping into the same vulnerability at company after company until it disappears. By sharing stories, threat intelligence can improve, and new types of breaches can be prevented, ultimately protecting other companies.

Technological

Before they can respond, though, firms must triage, contain, and eradicate the breach as quickly as possible. Once a breach is detected, firms must, as quickly as possible, identify what was impacted, how broad that impact was, and how it began, or what Harnish calls “Patient Zero.” Cybercrime depends on the ability to spread, so identifying the cause and containing it is critical.

This is usually done digitally through vulnerability patches, password resets, network shutdowns, and rapid encryption or deletion. Doing so quickly can limit the scope of the breach and, in turn, its ensuing fallout. Once this is done, firms can begin taking more permanent steps to eliminate the threat and return to normal operations. Harnish suggests leaving this to experts, like third-party security firms, rather than risking bungling a breach by coping internally.



Business Insider Intelligence, Business Insider’s premium research service, provide in-depth insight, data, and analysis of everything digital. Our research is fast and nimble, reflecting the speed of change in today’s business. We give you actionable insights that enable smarter and better informed decision-making. We publish in-depth reports, news, and an exhaustive library of charts and data focusing on key areas of tech: mobile, e-commerce, digital media, payments, the Internet of Things, transportation and logistics, digital health, and more.

If your organisation would like to learn more about our research, including a license to republish our charts, please contact:
[email protected]

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.