New Year, New Cyber Threats

This is my first blog post of 2022, and I'm afraid the news I'm here to bear isn't ideal: cyber attack stakes are high. In 2022, hackers are literally betting on a growing market spreading online across the U.S.

Before I get into our Data Breach Industry Forecast, let's take a quick look back. In 2021, we witnessed a sea change in digital connectivity and activity during the pandemic. As vaccines became widely available and distributed, the recovery, on all fronts, felt close. But now, as new variants continue to develop and spread, it seems like we are in a one-step-forward, two-steps-back scenario, which the Ninth Annual Experian Data Breach Industry Forecast calls the "Cyberdemic Hangover." As we aim for stability in 2022, companies must continue to secure weak technologies, and consumers must be vigilant in their daily digital lives.

The 2022 Data Breach Industry Forecast report tells the story of what we're facing this year better than I can, so I encourage you to download a copy. However, here's a preview of one prediction to get you started.

Hackers Bet on New Gamblers

Again, cyber attack stakes are high. The online gambling market reached more than $70 billion globally in 2021. With more U.S. states legalizing online sports betting, cyber thieves will look to place scams, particularly phishing scams, on the likes of fantasy sports sites and more. The number of possible targets will add up over the course of the year as this market grows and alternative payments like cryptocurrency become more widely accepted.

Experian's deep expertise in helping companies navigate breaches over the last 18 years informs the other four predictions. To find out the other areas hackers are hoping to cash in on this year, download the predictions now.

Visit our website for Data Breach Resolution and Reserved Response™ insights.
Hackers are playing the game of data compromise, and they are winning. At this point, companies of all sizes, from all industries, know that consumers have a growing desire to take control of their data and digital privacy. In case you missed the latest webinar and whitepaper release from Javelin Strategy & Research, it makes three things clear about consumers' current attitudes toward fraud and its impact on businesses.

1. Consumers are much more privacy-aware

In 2020, consumers turned to social media and telecommunications platforms to work, stay in touch with friends and family networks, and learn. While the broad-scale increase provided a way for global commerce and connections to continue during the worldwide pandemic, it also accelerated cybercrime. The influx of internet traffic created a ready-made environment for fraudsters to profit from consumers in a big way, primarily through scams. Scams were so profitable that they accounted for $43 billion of the $56 billion in reported ID fraud losses last year.[1]

2. Consumers blame financial institutions for fraud. It's the main reason they leave.

When consumers experience fraud, they blame their financial institutions, even if the loss has nothing to do with the institution or its responsibility to the consumer. This attitude shows that consumers hold FIs accountable for their data protection. And when they don't get it, they take their expectations and their business elsewhere. The data shows the proof: in 2020, 38% of consumers closed a bank account affected by fraud, with 69% saying their primary FIs did not resolve their fraud concerns or losses.[1] As the saying goes, perception is reality, and in the case of fraud, consumer perceptions have real consequences for organizations.

3. Consumers leave when breaches happen

This point is simple: consumers leave even when personally identifiable information (PII) or other data is not stolen.

Be prepared with a playbook or be ready to lose consumer trust

To improve the customer experience, build trust and reduce risk, companies need a playbook: a fraud resolution and breach response playbook, a solid plan that falls under their existing business continuity and disaster recovery plan. Why? Because consumers need to know and, more importantly, trust that companies are prepared to react quickly and deliver resolution when a network intrusion occurs. According to Javelin Strategy & Research data, fraud resolution is the best way to retain customers and members. In addition, consumer perception of cybersecurity plays a significant role in consumer attrition and retention. Again, even if personal information is protected, if your organization is attacked, consumers are more likely to stop doing business with you, even if no data was compromised. This means cybersecurity and fraud prevention empowerment is a game-changer, driving 22% of consumers' satisfaction ratings with online banking.[2]

When building your playbook, consider two core things:

1. Make sure it's well-developed

A comprehensive fraud resolution and breach response plan should include a solid approach to collaborating with consumers when fraud occurs. Ensuring your plan includes the fraud, cyber, and marketing communications teams will help your company act swiftly and build consumer confidence.

2. Don't just encrypt data; strengthen perimeter security.

Strong perimeter security will ensure safe interactions with consumers. Even if personal information is protected, consumers will perceive a penetration of the network as a breach and will be more apt to stop doing business with your company.

At Experian, preparedness is our business. We know how important fraud resolution and breach response are to your customers' experience. Developing a solid playbook is key to that experience, building trust and reducing risk.

To learn more, read the Giving Consumers Control and Enhancing Fraud Prevention whitepaper, watch the Empowerment and Fraud Prevention are Key webinar, and find out how to protect your business with Experian's Global Data Breach Solutions.

[1] Javelin Strategy & Research. March 2021.
[2] Javelin Strategy & Research. June 2021.
As today's fastest-growing form of criminal activity, cybercrime is expected to cost organizations $6.1 trillion worldwide this year alone,[1] with attacks on enterprises now occurring every 11 seconds.[2] But despite increasingly widespread growth in corporate IT security awareness, the importance of putting a sound data breach preparation plan in place to protect your customers' privacy and data can't be underscored enough. Given the scale of IT security threats, it bears repeating: for most businesses, network compromise is now largely a matter of when, not if.

As a result of this shift in security and operating environments, it's important for enterprise leaders to note the six key reasons that most data breach responses fail:

No Budget: Despite the seeming inevitability of a data breach, most companies' average annual budget for a consumer response is exactly $0. Many companies and security teams believe they are fully prepared or won't be targeted. But with losses due to ransomware attacks up 225% lately in the US alone,[3] it can be an expensive gamble to make.

Never Tested: Even if a company does have a data breach response plan in place, it usually hasn't been stress-tested via live exercises and drills. Having a plan in place is a great first step, but unless you test it in a live breach simulation or exercise, you can't be certain the plan will be successful.

Unknown Impact: It can be hard to know how much of your customer population has been impacted by the breach. Your plan needs to be flexible enough to accommodate both small and massive breaches.

No Estimate: Data breach responses also fail because there is no estimate of the scale of phone calls, emails, and complaints that may be received. To put things in perspective: a small data breach is MUCH different from, and easier to remedy than, one involving millions of records.

Slow to Respond: By law, firms that suffer a data breach must now report the incident to government authorities within 72 hours. Failure to address increasing regulatory compliance and information sharing needs (which demand greater oversight and overhead from organizations) can come with hefty fines.

No SLAs: Companies often don't have the necessary agreements to guarantee the infrastructure and staff to assist consumers with resolving their cases. Having a dedicated, guaranteed number of call center agents ready to go when a company experiences a data breach is invaluable.

To improve your odds of successfully defending against and responding to breaches, you'll want to focus on strengthening four areas of operations:

Guarantee Resources: Ensure that you have dedicated security resources that are prepared to react to threats on a dime. Your SLAs should include well-trained, certified call center agents and the infrastructure ready to go. This should include scalable, high-quality identity protection services to resolve harm to your customers.

Readiness Testing: Failing to plan (i.e., not stress-testing your recovery plan before incidents occur) is like planning to fail. By rehearsing your disaster response and recovery strategies, you'll be able to identify any points of failure and shortcomings that you can improve upon before actual concerns arise.

Regulatory Needs: Emphasize quick and accurate responses to regulator inquiries by understanding the specifics for your industry and business.

Communications: Having a corporate communications plan ready to go in real time is also key. Connect with your communications team to create a communications response plan before any incident occurs, so that on the day of the event all you largely need to tweak are the specifics.

According to studies by IBM, companies can save $1.2 million off the cost of data breaches by having an incident response plan in place and extensively testing it before cyber threats strike. Bearing this in mind, the best defense against digital dangers is a good offense.

Experian's Reserved Response™ was created to help organizations take a proactive approach to data breach response planning. Deploy it to put an end-to-end game plan in place and implement a step-by-step playbook that workers can follow in the event of an incident. You'll also guarantee that your organization gains the necessary manpower, infrastructure, and response readiness needed to ensure ongoing network resilience and a speedy recovery should disaster strike.

[1] Cybersecurity Ventures, Annual Cybercrime Report 2020
[2] Cybersecurity Ventures, Cybercrime to Cost the World $10.5 Trillion Annually by 2025
[3] Cybereason, Ransomware: The True Cost to Business Study 2021
Ransomware needs to be on your radar. Here's why.

Ransomware review

Ransomware is a cyberattack in which cybercriminals take over an organization's computer network with malware. Once they assume control, the criminals demand a ransom to restore the victim's access to its encrypted data. With an estimated $412 million generated in 2020 alone,[1] these attacks are growing in frequency. At Experian, we handle many data breach cases and know that 7 of 10 breaches involve ransomware.

This summer, NetDiligence dedicated a panel at its Cyber Risk Summit to the Lifecycle of a Ransomware Event and invited us to talk about our solutions that help business leaders prepare to minimize interruptions spurred by ransomware. The lifecycle of a ransomware attack includes five stages:

1. Attack

Bad actors attack to discover assets, take data, extort payment for it directly, or profit from reselling the data on the dark web. They can also launch a "double-take" attack: first collecting a ransom to restore access to data, then demanding a secondary payment to keep it off the dark web. Hackers prey on company networks, searching for vulnerabilities and gaining access to files through phishing or by planting malicious links that infect the network with malware.

U.S. ransomware attacks have become more aggressive, accounting for 30% of all cyberattacks in 2020, more than double the global rate of 14%.[2] At Experian, we've seen an even higher occurrence, with 59% of the events serviced in 2021 to date involving ransomware.

2. Discovery

Once attackers infiltrate a system, they demand a ransom for the decryption key to unlock the encrypted files. Companies usually discover the attack through a ransom note emailed to an executive, a file left on a server, or even a flashing warning on all connected computers. The attackers' message typically includes their contact information, the ransom sum, the payment deadline, and the consequences of unmet conditions, such as tipping off the media, releasing stolen data, or selling it on the dark web.

Next, companies will contact their cyber insurance carrier to log stolen information, get systems back online, navigate legal issues, and facilitate hacker negotiations. Since only about one-third of companies have cyber insurance, most will rush to hire cybersecurity counsel post-attack,[3] adding more stress and delay, since it can take months for large companies or those without backups to determine the extent of the damage. At Experian, almost all events involving ransomware take about 20% more time to begin breach notification. Whether there is an incident plan in place or not, companies experience immense panic.

3. Negotiation

Typically, a company will hire a professional, either directly or through its cyber insurance, to negotiate with the hackers. While hackers expect price haggling, the ransom price can still be hefty. According to the cybersecurity firm Coveware, the average ransom was $154,000 in Q4 2020, down from $230,000 the year before.[4] But hackers can drive up the price. Prime example: JBS, the world's largest meat processor, paid an $11 million ransom in June 2021 to prevent customer data from being compromised.

In a perfect world, the ransomware negotiation process goes this way:

- Establish communication with the attackers
- Obtain proof of decryption
- Obtain proof of data exfiltration
- Negotiate a (huge) discount
- Celebrate

Unfortunately, negotiations can be tricky, and the process rarely goes this way. Sometimes attackers go "dark" or request additional payments. Additionally, decryption tools may have bugs that skip mapped network drives or skip folders with long paths and unusual characters. An investigation is key to determining how the hackers got in, what was exposed, and whether they still have access; knowing exactly how and what was compromised will help in the negotiation.

4. Settlement

After the ransom negotiations are over, companies must carefully consider the strategy behind the decision to pay or not to pay the ransom. The FBI generally discourages ransom payments because they may entice other criminals to engage in ransomware, and paying does not guarantee data recovery. Additionally, the Office of Foreign Assets Control (OFAC) has payment bans and restrictions that support national security and must be upheld, or companies face fines. At this stage, companies need to ensure that the ransom settlement does not violate constantly evolving regulations. If companies settle, the payment will typically be delivered via a cryptocurrency like Bitcoin, since the payees are harder to identify. The hackers will then mix the bitcoin with others', diluting the currency flow and making it difficult to trace.

5. Post-Event

For many companies, the settlement is just the beginning of ransomware attack costs. Companies will also have to pay to restore backups, rebuild systems, and implement stronger cybersecurity controls to avoid future attacks. As discussed at the Cyber Risk Summit, here are five recommendations for companies to enforce tighter cyber control:

- Advanced Endpoint Monitoring System
- Restrict Remote Desktop Protocol (RDP)
- Regularly Update Software and Operating Systems
- Implement Password Management Policies
- Establish and Update Incident Response Plan and Ransomware Playbook

Ransomware is just getting started. To minimize the impact of an attack, companies should create a proactive preparedness plan. Deciding how to protect against and scan for threats, establishing negotiation and payment rules, and planning external breach communications are critical.

Breaches are our business at Experian. We know ransomware breaches involve more complex FAQs, more letter versions, and increased call center escalations. To learn how Experian's Reserved Response solution can prepare your business for a data breach, click here.

Sources:
[1] Washington Post, "How Ransomware Attacks Work", July 2021
[2] Verizon 2021 Data Breach Investigations Report
[3] Washington Post, "Ransomware Axa Insurance Attacks", June 2021
[4] Coveware, "Ransomware Marketplace Report", Q4 2020
DID YOU KNOW: 74% of organizations believe their data breach response plan could be more effective if they incorporated what they learned from previous breaches?[1]

The COVID-19 outbreak has accelerated digital transformation and upended business and life as usual. As the threat of cybercrime and data breaches continues to disrupt businesses during this time, being prepared for an incident is a must for organizations of all sizes. Experian's new and improved Data Breach Response Guide is here to help you defend your network and prepare for a data breach with insights and the latest industry trends.

This year, we also have a new feature to help you quickly and effectively prepare for a data breach. The new Experian Reserved Response™ Hub delivers a digital, self-service destination to create, plan, prepare and pressure-test your data breach response plan. Companies that access the Hub can:

- Download data breach readiness reading materials
- Access proven notification templates
- Get the FAQ template and pre-breach incident checklist
- Access multiple levels of Experian Reserved Response™ services
- See Experian Reserved Response™ guarantees (with SLAs) for manpower, infrastructure, and response readiness
- And more!

Data breach incidents can happen to any business, of any size, at any time, all over the world. On average, organizations can save $2 million if they have an established incident response team with a plan that has been tested extensively, according to the IBM and Ponemon 2020 Cost of a Data Breach Report. Failing to respond to a breach properly can cause brand damage, customer migration, executive termination, and more. Experian Reserved Response™ is the only program that guarantees SLAs and can have your plan ready in as little as three days. With over 17 years of experience managing tens of thousands of data breaches, we're here to help you plan and pressure-test your response process.

To get Response Ready™, download our latest Data Breach Response Guide and access our new Reserved Response Hub today.

[1] PwC. 2020. Digital Trust Insights Pulse Survey
Experian's 7th Annual Data Breach Preparedness Study is available now, and its findings show organizations struggling in a few areas that are sure to see data breach activity increase this year. New to the report this year: we surveyed IT and IT security, compliance, and privacy professionals in both the U.S. and EMEA to compare the regional differences among organizations and their outlook on data breach preparedness.

A few themes that stood out in the study this year were:

Spear Phishing and Ransomware

- 69% of respondents had one or more spear phishing attacks in 2019
- Since 2017, the share of respondents who say their organizations are very confident or confident in their ability to deal with spear phishing attacks has declined from 31% to 23%
- 36% of respondents say their organizations had a ransomware attack last year, with only 20% feeling confident in their ability to deal with it
- The average ransom was $6,128, and 68% of respondents say the ransom was paid

Confidence in Data Breach Response Plans

- From a reputation standpoint, only 23% of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach
- Only 38% of respondents believe they are effective at doing what needs to be done following a data breach to prevent the loss of customers' and business partners' trust and confidence

Global Data Breaches

- Only 34% of respondents say they are confident their organizations are able to respond to global breaches, as breaches increasingly become international in scope

Read the full results of Experian's 7th Annual Data Breach Preparedness Study and see how you compare to other organizations when it comes to data breach preparedness.

Download the full study
Any responsible business manager knows that protecting business and client data is a vital part of running a successful organization. Now a new report identifies key factors that can improve a company's ability to avoid hacks and prevent data breaches. And here's the good news: these tactics really work.

During 2018, the number of personal records exposed in data breaches soared to a total of 446.5 million pieces of data, more than double the number of records breached during 2017, according to the Identity Theft Resource Center. The business, healthcare and financial sectors were the top three sectors hit, with hacking being the most common form of attack.

But among the companies surveyed in the latest annual study sponsored by Experian Data Breach Resolution, there are important signs of hope. Despite the startling increase in the number of records stolen by data thieves (a gain of 126 percent), the number of survey participants reporting a breach increased by just 5 percent. This trend demonstrates that while hackers might be grabbing more data when they do manage to crack a database, the smaller increase in total breaches reported in the survey indicates that a growing number of institutions are improving their ability to fend off cybercriminals.

What's their secret? To encourage more effective strategies to handle and prevent breaches, "Is Your Company Ready for a Big Data Breach?" uncovers several important lessons learned from companies that are successfully insulating themselves, and their customers, from data theft.

Prevention is the best response: The overarching lesson that researchers found is that an effective data breach response plan starts with preventing breaches in the first place, rather than reacting after customer and business data has been stolen. Of the 643 U.S. business people surveyed who work on privacy, compliance and IT security, 29 percent reported that their organizations had prevented any breach involving more than 1,000 records for the past two years.

Rate your plan: The Ponemon researchers found that the percentage of companies that find their data breach response plans to be very effective increased from 42 percent in 2016 to 52 percent in 2018. Not surprisingly, more people at organizations that didn't report a breach rated their response plans as effective (62 percent), while 45 percent of those at companies that suffered data theft nonetheless felt their plans were effective.

Money matters: Ponemon researchers found that more investment in cybersecurity technology seemed to pay off. One of the most common factors among companies that prevented breaches was increased spending on technology to detect and prevent attacks. Of companies that prevented breaches, 73 percent increased their tech spending, versus 61 percent of those companies that were breached.

No train, no gain: An even bigger improvement came from training employees and making them aware of privacy and data protection issues and practices. The likelihood of a data breach was significantly reduced when awareness training specifically targeted employees and other stakeholders in business processes who work with or access sensitive or confidential personal data. At organizations that implemented training, 79 percent avoided a breach versus 69 percent of those that were hacked.

Cybersafety starts at the top: Executive engagement also matters. Making data security a priority among C-suite executives and corporate board members translates into keeping records safer. The study found that 54 percent of executives and 39 percent of directors were knowledgeable and engaged in planning data breach responses. At companies that were breached, 49 percent of executives and 32 percent of board members were involved with cybersecurity response.

Sharing is caring: Another key finding is that organizations that share their insights and experiences in handling and preventing breaches improved their cybersafety. Operations that participated in learning about data protection and hacks from industry peers and government agencies were more likely to avoid a breach: 59 percent of those who joined sharing programs didn't suffer an attack, while 46 percent of those participating experienced a breach.

Cybersafety is a process: Finally, organizations that want to stay cyber-safe might want to adopt the Boy Scout motto, "Be Prepared." Companies that successfully prevented a data breach took several preventive measures to guard against attacks. These include conducting regular reviews of physical security and access to confidential information, instituting third-party cybersecurity assessments, making data breach response part of their business continuity plans, and creating backup websites that can be activated to provide content and information should a breach occur.

For the study, Ponemon researchers surveyed 643 professionals working in information technology and security, compliance and privacy who deal with data breach response plans in their organizations. The entire comprehensive survey of cybersecurity practices, "Sixth Annual Study: Is Your Company Ready for a Big Data Breach?", is available to download now.

The Ponemon Institute, headquartered in Traverse City, Michigan, conducts independent research on data protection and emerging information technologies. Experian Data Breach Resolution helps businesses of all sizes manage the risk of fines, customer loss, negative press and litigation due to a breach of data, and is a subsidiary of Experian, the global leader in consumer and business credit reporting and marketing services, operating in 80 countries.

Download the Ponemon study
Learn more about our Data Breach solutions
From malware and phishing to expansive distributed denial-of-service attacks, the sophistication, scale, and impact of cyberattacks have evolved significantly in recent years. With data breaches as the new normal, organizations must adopt stronger, more advanced technical solutions to protect sensitive data. While enhanced technology is necessary for defending against data breaches, it cannot work independently of precautionary, often-overlooked measures like risk assessment, threat information sharing, or employee awareness and education. Even with the most cutting-edge defense systems in place, companies can't underestimate the importance of employing fundamental security practices to mitigate cyber threats.

In a climate where the risk of a data breach continues to grow, preparation is critical. "The Fifth Annual Study: Is Your Company Ready for a Big Data Breach?," sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute, examines how organizations stack up in data breach preparedness. Organizations can help mitigate risk by employing the best practices below:

Manage third-party risks: A cyberattack on partners or vendors can have dire consequences for an organization, regardless of how exhaustive its own security measures may be. The risk resulting from a third party's lax security measures is too great to ignore. However, only 48 percent of organizations conduct assessments of third-party cybersecurity tactics.

Regularly review response plans: The threat and severity of data breaches are continually changing. Keeping a pulse on vulnerabilities is vital for any company. However, 40 percent of respondents say they don't have scheduled times to review and update their data breach response plan. A staggering 26 percent report not reviewing or updating their organization's plan after implementation.

Opt in to software updates: Outdated software exposes areas susceptible to infiltration, increasing a company's risk of attack. Despite such risk, only 26 percent of respondents say employees are required to update software systems regularly. Organizations should require that all employees have the most up-to-date software available.

Educate, educate, educate: Data breaches caused by employee negligence are a concern of 80 percent of respondents. Because of their access to a company's computers, systems, and networks, employees must be actively involved in an organization's data breach defense. Organizations should conduct regular training and awareness programs on the consequences of mishandling sensitive confidential information.

Data breach preparedness is a multifaceted effort that requires cross-company support and involvement. Organizations can't rely solely on technological solutions to thwart cyber threats. Having a solid response team in place and a well-defined process are fundamental elements of a data breach response plan that, though seemingly basic, should never be overlooked.

Download our Fifth Annual Data Breach Preparedness Study
Data breach industry predictions

High-profile data breaches dominated the headlines in 2017, and unfortunately, these attacks are anticipated to only increase in frequency and magnitude in 2018. Breaches like those that affected LinkedIn, Dropbox and Yahoo serve as a wake-up call for organizations to implement processes for safeguarding sensitive data and defending against attacks. However, for every advancement in cybersecurity, cybercriminals become more sophisticated in their techniques. Just when it seems like we have learned our lesson from one breach, another, more significant one occurs. As cybercriminals continue changing the rules mid-game, it has become clear that while they're playing chess, we're still playing checkers.

To help better prepare you and your organization for potential cyber threats, our team has put together its yearly data breach industry predictions on the issues and trends surrounding data security in 2018. Here are our five predictions for 2018:

1. The U.S. may experience its first large-scale attack on critical infrastructure, disrupting governments, companies and private citizens.
2. Failure to comply with new EU regulations will result in large penalties for U.S. companies.
3. Perpetrators of cyber-attacks will continue to zero in on governments; this could lead to a shift in world power.
4. Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless.
5. Vulnerabilities in Internet of Things (IoT) devices will create mass confusion, leading to new security regulations.

Download our complimentary report to learn more about how these trends will shape the coming year, see how we scored against our 2017 predictions, and check out our new section revisiting predictions dating back to our inaugural 2014 report.
"Are we next?" That's the question companies around the world are grappling with as more high-profile data breaches make headlines. At a time when one in four organizations experiences cyber-attacks, mishandling the response can do more damage than the breach itself.

We take precautions against dangerous situations every day. With years of practice either in school or at work, most of us know what to do if there's an emergency. We conduct drills repeatedly because when we immediately know how to respond to a threatening situation, we can minimize destruction. Because of the high probability of a cyber-attack, businesses need to treat breach responses like internal drills, repeatedly practicing until it becomes instinctive.

Prepare your data breach response drill

A well-prepared incident response strategy should first define all breach scenarios (e.g., ransomware, malware, phishing) and their specific steps. Assembling a qualified team is also critical; individual roles and responsibilities should be defined and clearly communicated. After finalizing the essential components of your incident response plan, regular testing is crucial to ensuring your organization is equipped to handle the unexpected.

Practice makes perfect

Below are six principles to help guide your data breach response drill effectively:

1. Bring in an outsider. Enlist the expertise of someone outside your organization to run the drills and serve as a moderator. A third-party facilitator allows you and your team to focus on individual tasks and responsibilities.
2. Put aside plenty of time. At a minimum, give your team half a day to do the exercise and to debrief.
3. It's an exercise for everyone. All internal and external team members who will be involved in a data breach response need to participate in this activity.
4. Expect the unexpected. Your drills should include various likelihoods and situations. Another benefit of bringing in an outside moderator is that they can throw unpredictable scenarios at your team.
5. Debrief. After the exercise, the entire team should review and discuss each mock situation in detail, and identify any areas in need of improvement.
6. Repeat every six months. Keep your team aware of the latest developments in the world of cybersecurity and prepared to tackle cyber threats by conducting drills every six months.

Executing these drills is invaluable and helps prove to your stakeholders, customers and employees that your company takes data security seriously. The more you practice putting your plan into action, the better prepared you'll be in a real-life situation.

Visit our website for more information about our offerings and how Experian can help you prepare for and respond to data breaches.
Businesses may be increasingly aware of identity theft threats to their customers, but an Experian survey shows that many consumers still seriously underestimate their risk of falling victim to identity thieves. In fact, the persistent and harmful myth that the majority of consumers are not vulnerable to identity theft is badly in need of debunking.

Consumer misconceptions

The online Experian survey of 1,000 Americans, age 18 and older, found many consumers have a false sense of security about identity theft, even those who regularly engage in behaviors that can dramatically elevate their risk of having their identities stolen. For example:

Sixty-two percent of consumers said the security of their personal information online is a minor concern that doesn’t worry them much, and 17 percent never worry about it at all. The top reason for their lack of concern? Twenty-seven percent said it was because they didn’t share that much personally identifiable information (PII) online. Yet consumers store an average of 3.4 types of PII online, and have a large digital footprint that can make it easy for cybercrooks to track and steal their information.
Half believe poor credit means identity thieves won’t be interested in stealing their PII.
Twelve percent believe they’re safe because they take security precautions, and 9 percent think using only secure websites insulates them from identity theft risks.

Risky behaviors

When identity theft occurs, consumers are likely to blame any business they associate with the theft. A Gemalto survey found that consumers said protecting their data is 70 percent the responsibility of the companies they do business with, and just 30 percent their own responsibility, Infosecurity Magazine reports. What’s more, 29 percent said they don’t think businesses take their responsibilities seriously enough when it comes to protecting consumer data.

Yet the survey found consumers are probably far more responsible for identity theft than they think because they continue to engage in behaviors that put them at greater risk. These include:

Shopping online over a public Wi-Fi connection (43 percent)
Allowing others to use online account names and passwords (33 percent)
Letting others know their mobile device passwords (29 percent)
Sharing payment card numbers and/or PINs (25 percent)
Letting others use their PII to secure a job or credit (20 percent)
Failing to enroll in credit monitoring or identity theft protection services (82 percent)
Leaving it up to their banks and credit card companies to catch signs of fraud (81 percent)

These dangerous habits can expose consumers’ PII to cybercriminals, even though half of those we surveyed didn’t think they were likely to become victims of identity theft.

Impact of identity theft

When consumers become identity theft victims, they experience a range of negative emotions and real consequences that affect them personally and financially. According to a survey by the Identity Theft Resource Center, identity theft victims reported feeling frustrated, fearful, angry and stressed. Many had trouble concentrating, lost sleep and felt physically ill because of the crime. They also reported the identity theft overshadowed their personal relationships, their personal and professional credibility, and even affected their ability to get jobs. Some even lost their jobs as a result.

What companies can do

Clearly, identity theft can be devastating and consumers need to do more to protect themselves. When it occurs, identity theft also undermines the consumer’s trust in companies and institutions, especially if the identity theft occurred in connection to or following a data breach. Helping consumers protect themselves from identity theft benefits everyone. Consumers can avoid the financial and emotional turmoil identity theft causes, and companies can help preserve their relationship with customers. As part of an effective data breach response plan, companies should include a consumer care element that provides breached consumers with:

Free identity theft protection and credit monitoring services
Dark web and internet records scanning
Fraud resolution services
Identity theft insurance

Myth debunked

Year after year, identity theft statistics demonstrate that most consumers are at risk of falling prey to identity thieves, no matter what they believe to the contrary. Unfortunately, consumers continue to take actions that can place their identities at risk. While you can’t force your customers to stop accessing their bank accounts over airport Wi-Fi or using the same password for all their financial accounts, you can take steps to reduce the risk they’ll experience identity theft because of something your organization did or didn’t do. Helping consumers protect themselves from identity theft makes good business sense, and it’s the right thing to do. Plus, consumers expect it; according to the Ponemon Institute’s “Mega Data Breach: Consumer Sentiment” survey, 63 percent of consumers believe a company that experiences a data breach should offer free identity protection to customers affected by the breach.

Learn more about our Data Breach solutions
When a cybersecurity incident occurs, will your organization’s data breach response contribute to customer retention or undermine it? Multiple studies and surveys illustrate that how well a company supports consumers in the wake of a security event directly affects customers’ perceptions of and loyalty to the breached company. Consumers expect companies to help them manage the potential and real fallout of a data breach. Failing to do so can increase post-breach churn, whereas successfully helping consumers can equate to greater retention. In particular, offering monitoring services to customers affected by a cybersecurity incident could make the difference between retaining those customers and their good will, or losing them to the competition.

Consumer impact

Research by Experian Data Breach Resolution and our partners reveals how data breaches affect consumers:

76 percent of consumers who’ve experienced a data breach cite stress as the primary consequence.
39 percent cite the time they had to spend resolving problems caused by the breach as the worst consequence.
Nearly half of those affected by a data breach feel it will put their identities at risk for years to come.
Consumers want companies to step up after a breach and provide identity theft protection (63 percent), credit monitoring (58 percent) and even compensation in the form of cash, products or services (67 percent).
Four out of every five consumers who received a data breach notification continued to do business with the company through which their information was compromised, but they didn’t necessarily stay because they were satisfied. Just 45 percent of consumers say they continued doing business with the company because they were happy with the way the company resolved the data breach. Instead, 67 percent said they stayed because going elsewhere was just too difficult, and 61 percent thought moving their business wouldn’t give them access to any greater security since data breaches are unavoidable.

If you provide it…

Even more compelling for the case in favor of offering post-breach monitoring services to affected consumers is this statistic from our research: Nearly three quarters (72 percent) of breached consumers take action after being notified of a breach, including updating their anti-virus software and reviewing online account activity or security policies. Twenty-nine percent accepted offers of free identity protection services.

Consumers are increasingly aware that being caught up in a data breach can increase their risk of experiencing identity theft, either immediately following the event or in the future. They are willing to take steps to protect themselves, and they want breached companies to help them. Providing post-breach monitoring services can help protect consumers from the possibility of identity theft related to the breach, and help protect companies from the loss of business that can result when customers feel the organization hasn’t done enough to aid them.
Most companies aren’t prepared to respond to a global data breach, and aren’t yet ready to comply with the European Union’s General Data Protection Regulation (GDPR), even though it takes effect in less than a year, according to the latest Ponemon Institute report sponsored by Experian® Data Breach Resolution. Nearly a third of the 588 information security and compliance professionals interviewed for the survey said their organizations had no global incident response plan in place, and 38 percent have a single plan that’s applied around the world. Just 27 percent reported having separate plans at the country or regional level, but even those who had a plan weren’t confident about its efficacy.

The global scope of data breaches

The number of data breaches reached a record high in 2016 — 4,149 incidents in 102 countries around the world exposed more than 4.2 billion records, according to cybersecurity company Risk Based Security. Ponemon’s survey underscores the scope of global data breaches; 51 percent of respondents reported their companies experienced a global data breach in the past five years, and 56 percent of breached companies had more than one incident.

When the GDPR goes into effect in May 2018, any company that processes and/or holds the personal data of European Union consumers will be required to comply with the regulation, regardless of where the company is located. Failure to comply can lead to fines ranging from 2 percent to 4 percent of a company’s annual global turnover. Despite the escalating risks of falling victim to a global data breach and the possible repercussions of not complying with the GDPR, Ponemon’s survey shows a widespread lack of preparedness among companies.

Levels of unpreparedness

When it comes to preventing and responding to a global data breach, and ensuring they comply with the GDPR’s strict notification rules, many survey respondents expressed significant shortfalls in preparedness:

Outdated and inadequate security solutions would hinder the ability of 49 percent to cope with a global data breach.
Just 40 percent of respondents felt confident their organizations’ security technologies would adequately protect information assets and IT infrastructures overseas, and only 39 percent said they had the right policies and procedures to do so.
Slightly more than a third thought their companies could successfully manage cultural differences and privacy and data security expectations in different areas of the world.
A majority of respondents (89 percent) predicted the GDPR will significantly affect their data protection practices, and 69 percent felt non-compliance would hinder their companies’ ability to do business globally. Yet only a quarter said their companies were ready to comply with the new regulation.

While most understand GDPR is something they need to worry about, many aren’t sure what to do. The survey reveals some companies may be feeling desperate enough about the looming regulation to take drastic measures; 34 percent said their preparations include closing operations in countries with high non-compliance rates.

Timely notification of regulators and EU citizens affected by a data breach is a key component of the GDPR, yet the majority of our survey respondents (69 percent) said they would have trouble meeting the time limitations. The GDPR requires breached companies to notify regulators within 72 hours of discovering a breach, and affected consumers “without undue delay.” Half of our survey respondents said they experienced a global breach that required notification of victims. Only 10 percent were able to do so within the GDPR’s 72-hour window; 38 percent reported notification took two to five months to complete.

Obstacles to preparedness

The years-long evolution of the GDPR, which will replace older regulations, is evidence that world governments are taking data breach risks seriously. Unfortunately, our study indicates not all C-suite decision-makers are as concerned about global data breach risks as they should be and their antipathy is impairing their organizations’ ability to prepare for a global data breach. While the security professionals surveyed cited high-volume breaches (65 percent) and breaches involving high-value information (50 percent) as the data risks that concern them the most, only 30 percent said their organization’s C-suite was fully aware of the company’s compliance status. Further, just 38 percent said their executives viewed global data regulations as a top priority.

Technology limitations and lack of executive support are significant obstacles to preparedness and compliance, but they’re not the only ones. Additionally, survey respondents cited:

Reluctance to make needed comprehensive changes in business practices (60 percent)
Not enough budget to hire staff (37 percent)
Unrealistic demands from regulators/regulations (35 percent)
Not enough money for appropriate security technology (34 percent)
Lack of knowledge about global data breach response (29 percent)

What companies must do

Some survey respondents indicated their organizations are taking the right steps toward preparedness and compliance. They are putting in place security technologies to quickly detect a data breach (48 percent), have tested and proven response plans (44 percent), can quickly identify whether a breach will require notification (15 percent) and are prepared to notify regulators within 72 hours of breach discovery (13 percent). However, many organizations could be doing more to prepare for a global data breach and to comply with the GDPR. Global data breach risks continue to increase in number, scope and impact, and the potential loss of business and financial impact of a breach could prove catastrophic for affected companies. With less than a year to go until the GDPR takes effect, any company that conducts business internationally needs to act now to ensure it will be ready to deal with a global data breach when it occurs.
Like an unimmunized person in a roomful of flu patients, the healthcare sector continues to be at high risk of catching something unpleasant. Cyberattacks and data breaches jeopardize the well-being of healthcare organizations of every size, and too often their exposure is a result of not doing everything they can to immunize themselves against attack.

In our 2017 Data Breach Industry Forecast, we predicted the profitability and uneven defenses of the healthcare sector would cause cybercriminals to continue to focus attacks on healthcare organizations. Numbers from the Identity Theft Resource Center indicate our prediction was right; by mid-year, 151 healthcare breaches have compromised more than 1.9 million records, accounting for nearly 22 percent of all 2017 breaches thus far. We also predicted:

Ransomware would emerge as a top threat for healthcare organizations.
Cybercriminals would expand their range of targets within the sector, causing mega breaches to broaden their focus from insurers to other organizations, including hospital networks.
Electronic health records and mobile applications would increasingly be targeted.

The year so far

In mid-May the WannaCry ransomware cyberattack became the largest ever, affecting computer systems in more than 150 countries. Ransomware uses malicious code to infect systems, seize control and shut down user access until the affected organization or individual pays a ransom to unlock their systems. Britain’s National Health Service (NHS) was one of the largest victims of WannaCry, which infected medical devices as well as administrative PCs. The impact was widespread, affecting critical operations and causing hospitals to reject patients, doctor’s offices to shut down and emergency rooms to divert patients. Like a patient with a compromised immune system who ignores his doctor’s advice to get an annual flu shot, the NHS allegedly disregarded multiple security warnings to update and protect its systems.

Cybercriminals have also expanded their targets for mega breaches beyond insurers. So far in 2017, the largest known healthcare breach in terms of number of compromised records occurred at a urology practice in Austin, Texas. ITRC statistics show nearly 280,000 records were compromised through the breach of the practice, which has eight locations in the greater Austin area. According to the practice’s official data breach notice, a ransomware attack encrypted data stored on the organization’s servers. Electronic health records were the target of cyberattacks at numerous healthcare organizations, including a fertility and menopause clinic in New Jersey, where more than 17,000 records were compromised, ITRC reports.

The number, scope and impact of healthcare cyberattacks will only grow. The industry that focuses on taking care of Americans’ physical and mental health should proactively take steps to safeguard its own health by updating security measures and data breach response plans.
Risk managers, legal experts and brokers say phishing and social engineering are, by far, the biggest security threats facing their companies and clients. In fact, 80 percent of legal experts polled by Advisen for Experian Data Breach Resolution’s 2017 Cyber Risk Preparedness and Response Survey, 68 percent of brokers and 61 percent of risk managers cited phishing/social engineering as their top concern. Why do they feel that way? A look at the numbers and some insight into human nature can explain their fears — and help you understand why your organization should be just as concerned about phishing risks.

By the numbers

Phishing and social engineering are particularly effective forms of cyberattack because they use technology and knowledge of human nature to manipulate employees into actions that serve the attacker’s purpose. How effective are they?

Employees succumbing to a targeted phishing attack was one of the top two insider risks cited by executives who responded to the Ponemon report Managing Insider Risk through Training and Culture.
Sixty-one percent of information security professionals polled by Wombat Security for its 2017 State of the Phish report said their organization had been the victim of a phishing attack.
According to the Ponemon Fourth Annual Preparedness Study, 38 percent of respondents are not confident they can deal with a spear phishing incident.

The human risk factor

Phishing in general and spear phishing in particular are successful because human beings are often the chink in an organization’s cybersecurity armor. All it takes is one overly curious and under-cautious employee clicking on a suspicious email, or a well-meaning worker who responds to a seemingly authentic request for proprietary information. Those scenarios are the stuff of nightmares for information security professionals, and unfortunately they happen all too frequently. Multiple studies show that negligent employees cause more data breaches than other sources, whether they succumb to a phishing attack or lose a company laptop at the airport. However, studies also show that cybersecurity training, including a component on phishing, can help reduce employee-related risks.

Training is critical

Among organizations that train employees on how to spot and avoid phishing attacks, 52 percent reported they were able to see quantifiable results — fewer successful attacks — based on their training, Wombat said. Respondents to the Advisen survey stressed the importance of creating a company culture in which cybersecurity is everyone’s job and knowledge of phishing and how to thwart attacks is the norm. Employee training in cybersecurity should begin as part of the onboarding process when the worker joins your organization, and everyone should get a refresher at least annually. While 67 percent of those surveyed by Ponemon said their organizations didn’t incentivize employees to proactively protect sensitive information or report potential issues, any successful culture of security should reward those who are embracing their roles as protectors — and not just punish those who fall short.