Tag: Data Breach


Every day, millions of new things get connected online, such as toasters, heart monitors and cars. Many of these things have weak security controls that create vulnerabilities in critical private networks. As more products get connected, the casual mindset about the security risks inherent in the Internet of Things must begin to change. Here are 12 tips to help safeguard your systems from the Internet of Things. >> Securing the Internet of Things

Published: June 23, 2016 by Guest Contributor

What keeps your cyber security team up at night, and does it weigh equally on the minds of managers? Do they lose sleep worrying about malicious attacks from outside your organization? Or do they fear a careless employee will leave a laptop in an unlocked car or use an unsecured personal mobile device to access proprietary company information? Employee-related security risks are the top concern for security professionals, our new study, Managing Insider Risk Through Training & Culture, found. The Ponemon Institute polled more than 600 information security professionals at companies that have a data protection and privacy training program. The study found that while 55 percent of those surveyed have already had a malicious or negligent employee cause a security incident, few are taking adequate steps to improve security from within.

Not on the same page

One reason for this could be the imbalance between how the IT department perceives employee risk and how the C-suite does. While 66 percent of security professionals view employee-related risk as the biggest security threat, just 35 percent of them say their senior managers share that view. They may also feel less able to catch slip-ups versus intentional acts; security pros are far more concerned that an employee will unintentionally cause an incident than they are about workers potentially perpetrating malicious attacks. Often, companies focus their cyber security efforts on preventing, catching and remedying intentional attacks. And while they can do much to reduce the risk of employees unintentionally causing an incident, few companies are doing everything they can. Less than half (46 percent) of the surveyed companies require cyber security training for all employees, and 60 percent don’t make employees retrain after a data breach.

Actionable suggestions for teachable moments

The problem of employee-related security risks is not unsolvable.
Companies need to take steps to create a culture of security at every level of their organizations. These steps should include:

- Requiring mandatory advanced-level training for all full and part-time employees and contract workers. Typically, companies that do provide training don’t require it for all employees, or they take a tiered approach that fails to provide all employees with a comprehensive understanding of the risks. Our study found that 43 percent of companies provide only one basic course for all employees. Basic courses often omit significant risks that can lead to a data breach. What’s more, retraining needs to occur on an ongoing basis, as new threats emerge in the cyber security realm. Retraining is especially important following a breach, when employees’ awareness of cyber security risks is highest.

- Establishing and enforcing a system of carrots and sticks. More than half (56 percent) of companies deal with an employee’s careless handling of data by having that employee meet one-on-one with a superior, and 51 percent have them meet with an IT security person. Less than half (45 percent) give formal reprimands, 19 percent demote the employee, and 16 percent cut salary, bonuses or incentives. However, sticks are only half the solution. Companies also need to incentivize employees to be cognizant of cyber security, and few are doing a good job of it. In fact, 67 percent do nothing at all to encourage employees to proactively protect data.

Employees should be a company’s greatest asset. With the right training and an ongoing emphasis on cyber security, every member of your corporate team can help reduce your organization’s risk of a negligence-related cyber security incident.

Download the report

Published: June 1, 2016 by Michael Bruemmer

I am pleased to share the news on this blog that Experian has signed a definitive agreement to acquire CSIdentity Corporation (CSID), a leading provider of consumer identity management and fraud detection services. For the Data Breach Resolution group in particular, this is a major development. It will enhance our capabilities to provide best-in-class identity theft protection services to our clients who have suffered a data breach. When breaches occur, they not only affect the company but also the consumers whose personal information was exposed.  It’s imperative that organizations offer quality protection in the aftermath. With CSID, we can now offer more flexible and tailored product configurations to meet client needs. The acquisition also expands our footprint globally for U.S. companies who have an international reach. Unfortunately, data breaches will continue to occur. Companies must prepare and enlist the best partners to help them through the process. We feel this makes us an even better leader in the industry. For additional details, read our press release. Visit our website for more information about our offerings and how Experian can help you prepare and respond to data breaches.

Published: May 11, 2016 by Michael Bruemmer

What difference does $4.40 make? It can’t buy you much on its own, but it can make a world of difference when you’re handling the aftermath of a data breach or other cyberattack. That’s how much cyber insurance protection reduces the per-record cost of a data breach, according to the Ponemon Institute’s 2015 Cost of a Data Breach report. Whether you’re a small business owner with just a few hundred customers or a global corporation with records in the millions, the cost of being without cyber insurance in the wake of an incident can be extreme. When you consider the sheer number of records involved in recent mega-breaches – more than 78 million in the Anthem breach alone – the cost reduction can easily soar into hundreds of millions of dollars saved. And while smaller businesses may have fewer records to be breached, the impact of a mega-breach can be even more devastating to them than to global entities. Yet less than one-third (32 percent) of businesses surveyed for Ponemon’s study reported having cyber insurance. The percentage was a bit better when the Risk Management Society (RIMS) asked 284 of its members about cyber insurance; 51 percent reported having stand-alone cyber insurance policies. Even fewer small businesses report having cyber insurance. Just 5 percent of small business owners surveyed by Endurance International Group said they carried cyber insurance, despite 81 percent believing cybersecurity is a concern for small business. Those who have cyber insurance clearly understand its value. RIMS members said they bought policies to:

- Reduce the risk of an incident damaging their company’s reputation (79 percent).
- Minimize the potential impact of business interruption (78 percent).
- Aid in data breach response and notification (73 percent).

What’s more, of the RIMS members who didn’t have cyber insurance, 74 percent said they were considering buying it within the next 12–24 months.
While small business owners also appear aware of the risk, they seem less cognizant of the benefits of cyber insurance and other cybersecurity measures. Endurance found that although 94 percent of small business owners said they do think about cybersecurity issues, and nearly a third have experienced an attack or an attempt, just 42 percent have invested in cybersecurity in the past year. A widely reported study by the National Cyber Security Alliance asserts that 60 percent of small businesses that experience a data breach go out of business within six months. Cyber insurance premiums vary widely and are largely tied to a company’s revenues and exposure. Policies typically aim to address risks commonly associated with a cyberattack, including:

- Liability for loss of confidential information that occurs through unauthorized access to a company’s computer systems.
- Data breach costs, including notification of affected consumers, customer support and providing credit monitoring to affected customers.
- The costs of restoring, improving or replacing compromised technologies.
- Regulatory compliance costs.
- Business interruption expenses.

Of course, like virtually any other type of insurance, cyber insurance policies can be customized to address the risks facing the individual policy holder. Many in the insurance industry feel that cyber insurance products have matured, evolving into a type of protection that businesses both large and small simply can’t afford to do without. When you consider the devastating risk of facing a cyberattack without insurance, that simple per-record cost savings of just $4.40 takes on a much deeper meaning. While more large companies are seeing the value of cyber insurance, small business owners need to begin incorporating this valuable type of protection into their overall cyber security plans.

Learn more about our Data Breach solutions

Published: April 19, 2016 by Guest Contributor

Leveraging customer intelligence in the age of mass data compromise

Hardly a week goes by without the media reporting a large-scale hack of sensitive personal or account information. Increasingly, the public seems resigned to believe that such compromises are the new normal, producing a kind of breach fatigue that may be lowering the expectations consumers have for identity and online security. Still, businesses must be vigilant and continue to apply comprehensive, data-driven intelligence that helps to thwart both breaches and the malicious use of breached information and to protect all parties’ interests. We recently released a new white paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise, to help businesses understand how data and technology are needed to strengthen fraud risk strategies through comprehensive customer intelligence. At its core, reliable customer intelligence is based on high-quality contextual identity and device attributes and other authentication performance data. Customer intelligence provides a holistic, bound-together view of devices and identities that equips companies and agencies with the tools to balance cost and risk without increasing transactional friction and affecting the customer experience. In the age of mass data compromise, however, obtaining dependable information continues to challenge many companies, usually because consumer-provided identities aren’t always unique enough to produce fully confident decisioning. For more information, and to get a better sense of what steps you need to take now, download the full white paper.

Published: December 16, 2015 by Traci Krepper

Imagine the following scenario: an attacker acquires consumers’ login credentials through a data breach. They use these credentials to test account access and observe account activity to understand the ebbs and flows of normal cash movement – peering into private financial records – verifying the optimal time to strike for the most financial gain. Surveillance and fraud staging are the seemingly benign and often-transparent account activities that fraudsters undertake after an account has been compromised but before that compromise has been detected or money is moved. Activities include viewing balances, changing settings to more effectively cover tracks, and setting up account linkages to stage eventual fraudulent transfers. The unfortunate thing is that the actual theft is often the final event in a series of several fraudulent surveillance and staging activities that were not detected in time. It is the activity that occurs before theft that can severely undermine consumer trust and can devastate a brand’s reputation. Read more about surveillance, staging and the fraud lifecycle in this complimentary whitepaper.

Published: August 1, 2015 by Guest Contributor

The experience of being a victim of data breaches has created a shift in consumer behavior and attitude over the past year. A recent Ponemon Institute study found that more than one-third of consumers ignored data breach notification letters, taking no action to protect themselves against fraud. To combat data breach fatigue, companies should communicate with customers sincerely and avoid treating the notification process as a compliance issue. Notification letters should include an apology, a clear explanation of what happened and why, and steps consumers can take to protect themselves from fraud.

2015 Data Breach Industry Forecast

Published: February 19, 2015 by Guest Contributor

The news of the latest breach last week reported that tens of millions of customer and employee records were stolen by a sophisticated hacker incursion. The data lost is reported to include names, birth dates, Social Security numbers, and addresses. The nature of the stolen data has the potential to create long-term headaches for the organization and tens of millions of individuals. Unlike a retailer or financial breach, where stolen payment cards can be deactivated and new ones issued, the theft of permanent identity information is, well, not easily corrected. You can’t simply reissue Social Security numbers, birth dates, names and addresses. What’s more, the data likely includes identity data on millions of dependent minors, who are prime targets for identity thieves and whose credit goes frequently unmonitored. According to the Identity Theft Resource Center’s 2014 Data Breach Report, a record 783 breaches, representing 85 million records, occurred from January through September 2014 alone. The breaches have ranged across virtually every industry segment and data type.

So where does all this breached data go? It goes into the massive, global underground marketplace for stolen data, where it’s bought and sold, and then used by cybercriminals and fraudsters to defraud organizations and individuals. Like any market, supply and demand determines price, and the massive quantity of recent breaches has made stolen identities more affordable to more fraudsters, exacerbating the overall problem. In fact, stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company.

The big question: So what now? The answer: Assume that all data has been breached, and act accordingly. Such a statement sounds a bit trivial, but it’s a significant paradigm shift.
It’s a clear-headed recognition of the implications of the ongoing, escalating covert war between cybercriminals and fraudsters, on one side, and organizations and consumers on the other.

For individuals, we need to internalize this fact: our data has likely been breached, and we need to become vigilant and defend ourselves. Sign up for a credit monitoring service that covers all three credit bureaus to be alerted if your data or ID is being used in ways that indicate fraud. Include your children, as well. A child’s identity is far more valuable to a fraudster as they know it can be several years before their stolen identity is detected. Many parents do not check their child’s credit regularly, if at all.

For organizations, it’s a war on two fronts: data protection and fraud prevention. And the stakes are huge, bigger than many of us recognize. We’re not just fighting to prevent financial theft, we’re fighting to preserve trust – trust between organizations and consumers, at the first level, and ultimately widespread consumer trust in the institutions of finance, commerce, and government. We must collectively strive to win the war on data protection, no doubt, and prevent future data breaches. But what breaches illustrate is that, when fundamental identity data is breached, a terrible burden is placed on the second line of defense – fraud prevention. Simply put, organizations must continually evolve their fraud prevention control and skills, and minimize the damage caused by stolen identity data. And we must do it in ways that reinforce the trust between consumers and organizations, enhance the customer experience, and frustrate the criminals.

At 41st Parameter, we are at the front lines of fraud prevention every day, and what we see are risks throughout the ecosystem. Account opening is a particular vulnerability, as consumer identity data obtained in the underground will undoubtedly be used to open lines of credit, submit fraudulent tax returns, etc. unbeknownst to the consumer. Since so much data has been breached, many of these new accounts will look “clean,” presenting a major challenge for traditional identity-based fraud and compliance solutions. But it’s more than new accounts – account takeover, transactions, loyalty, every stage is in jeopardy now that so much identity data is on the loose. Even the call center is vulnerable, as the very basis for caller authentication often relies on components of identity.

At 41st Parameter and Experian Fraud & Identity solutions, we advocate a comprehensive layered approach that leverages multiple solutions such as FraudNet, Precise ID, KIQ, and credit data to protect all aspects of the customer journey while ensuring a seamless, positive user experience across channels and lines of business. Read our fraud perspective paper to learn more. Now is the time to take action.

http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

Published: February 11, 2015 by Guest Contributor

Our second annual data breach preparedness study, Is Your Company Ready for a Big Breach?, conducted by the Ponemon Institute, reveals good news and bad news for businesses concerned with data security – and that should be all businesses. First, the good news: more companies are acting to address data breach risks. The majority (73%) of organizations now have a data breach response plan in place – 12 percent more than in 2012. And nearly half (48%) have boosted investment in security technologies in the past 12 months, aiming to better detect and respond to a data breach.

Now, for the not-so-good news: they’re not doing enough, and don’t have confidence in the effectiveness of their current measures. Survey results illustrate that not everyone is taking all the necessary steps to prepare for a data breach:

- A majority of 78 percent don’t regularly update their data breach response plans to address evolving threats.
- About two-thirds don’t have trained customer service staff who can respond to customer questions, concerns or complaints if a breach occurs.
- Only 29 percent of companies involve the CEO in dealing with security risks.
- Nearly three-quarters don’t have cyber insurance policies.
- Just 44 percent conducted a technical impact assessment to understand potential fallout from an incident.
- Less than a third had SIEM systems to facilitate early detection of an incident.
- 66 percent lack Mobile Device Management (MDM) to protect sensitive information from being pushed to mobile devices.

Those who have made provisions don’t necessarily feel more secure because of them:

- 62 percent don’t feel their organizations are prepared to respond to a data breach.
- 49 percent didn’t feel they were prepared to respond to the theft of information that would require notification to victims and regulators.
- Just a quarter were confident they could communicate about a breach and manage customer needs.
- 40 percent worry about the potential for a third party losing their data.
- Insider threats concern 56 percent, with 43 percent citing BYOD and cloud services as their top two internal threat concerns.

As to post-breach response, we are pleased to see, however, that companies are well aware of the importance of providing customers involved in a breach with identity theft protection products and access to a call center; in fact, they cited those two as the most important services companies could provide post-breach.

Many of the concerns companies expressed over data breach preparedness and response – and in particular, worries over customer communication and regulatory compliance – can be addressed by preparing a response plan and practicing the plan on an ongoing basis. It’s also important to secure external partners such as legal counsel and a public relations firm, and to select a quality identity protection product to offer affected customers ahead of time. When a breach occurs, the complete response team and moving parts are then ready to allow for a quick and smooth response.

Learn more about our Data Breach solutions

Published: September 30, 2014 by Michael Bruemmer

As data breaches continue to attract publicity, consumers are expecting more from impacted organizations.

Published: August 22, 2014 by Guest Contributor

A recent study conducted by the Ponemon Institute found that a data breach is among the top three occurrences that affect brand reputation, along with poor customer service and an environmental incident.

Published: July 10, 2014 by Guest Contributor

Data breach notification letters serve multiple purposes. They ensure a breached company is compliant with data breach notification laws, they alert consumers to the breach and their involvement in it, and they can warn customers of potential identity theft risks and educate them on how to cope with those risks. The one thing no company wants its notification letter to do, however, is make the recipients any more upset than they already are. Yet that’s the reaction many consumers reported upon having received data breach notification letters, according to the study “The Aftermath of a Mega Data Breach: Consumer Sentiment.” Conducted by the Ponemon Institute on behalf of Experian Data Breach Resolution, the study provides some eye-opening insights into how consumers feel and what they do after receiving a breach notification letter. To put consumer sentiment in perspective, consider these revelations from the study:

- Among those polled, 63% said they felt the breached company should offer consumers identity theft protection by way of compensation, yet just 25% of people who had received a notification letter said they were offered identity theft protection in that letter.
- The financial impact of the data breach was less significant for consumers than the emotional aspects. 81% of data breach victims said they had no out-of-pocket costs because of the breach. Conversely, 76% said they experienced stress as a result of the breach.
- Consumers ranked a data breach as the third-most damaging event for a company’s reputation. Only poor customer service and an environmental incident (e.g. an oil spill or pollution) were seen as more damaging.

Other than getting stressed, what, then, do consumers do after they’ve received a data breach notification letter? Most do little or nothing at all, which should be just as concerning to companies as the customers who end their business relationship with a company in the wake of a data breach. More than half (55%) said they did nothing to protect their identities after receiving a notification letter, and 32% ignored the notifications and did nothing at all. This may seem counter-intuitive considering that the majority (77%) were at least somewhat to very concerned about becoming an identity theft victim because of the breach. Perhaps if these customers had been offered free identity theft protection in the notification letter, they would have accepted the offer. These survey results underscore the need for companies to send strong, informative and compassionate data breach notification letters – and to offer consumers identity theft protection as part of the company’s data breach response.

Learn more about our Data Breach solutions

Published: June 26, 2014 by Guest Contributor

When a data breach occurs, laws and industry regulations dictate when and if you need to notify consumers whose data might have been compromised. However, many consumers would also probably argue that you’re morally obligated to notify them of data loss; they want you to tell them of the breach and to do so in a courteous, straightforward manner. Because of this, a breach notification letter is an integral piece of a firm’s breach response, as these often are the first inkling consumers have that their information may have been compromised and their identities might be at risk. It’s imperative those letters be efficient, effective – and perhaps most importantly – humane. A 2014 study by the Ponemon Institute and Experian Data Breach Resolution indicates consumers feel there’s room for improvement in data breach notification letters. The survey polled people who had received a data breach notification letter. Sixty-seven percent of those surveyed said they want letters to better explain the risks and potential harms they may face as a result of the breach, 56 percent want the letter to disclose all the facts, and a third didn’t want the letter to “sugar-coat” the situation. A quarter wanted the letters to be more personal. The Experian Data Breach Resolution team has vast experience with breach notification letters and data breach notification regulations. In our experience, here are the five most common and egregious errors to avoid when sending a data breach notification letter:

1. Keeping the consumer in the dark about the details. Customers will want to know what information was compromised in the breach. Was it their Social Security number? A credit card number? Their home address? Consumers can’t protect themselves from further harm if they don’t know exactly what’s at risk. Don’t leave them guessing. Tell consumers exactly what information was compromised in the breach.

2. Speaking “legalese.” Reverting to legalese – highly complex verbiage largely understandable only to lawyers – is a defense mechanism for companies, and it doesn’t really help the consumer. Twenty-three percent of those polled by Ponemon said the letter they received would have been better if it had less legal or technical language. Keep letters short, factual and simply worded so that the average Joe or Jane can understand them.

3. Leaving out the ramifications and risks. It’s not enough to simply tell consumers they’ve been involved in a breach. It’s not even enough to tell them what information has been compromised. To truly empower them to protect themselves from further harm, you need to alert consumers to what those risks may be. Consider the type of data that was lost, then explain the risks that can be associated with that type of data loss.

4. Failing to offer an olive branch. Whether the breach was your fault or not, consumers will hold you responsible, and they will feel they should get some kind of compensation for all the grief the breach will cause them. Providing breached customers with an identity protection product not only helps protect them, but it shields your company’s reputation, too. In the Ponemon study, 67 percent of consumers said they felt companies should offer some form of compensation – whether cash, product or service – to consumers caught in a data breach. Sixty-three percent said the company should offer them free identity theft protection and 58 percent wanted free credit monitoring. Interestingly, 43 percent also said a sincere and personal apology might help convince them to keep their business with the breached organization.

5. Failing to seize the chance to rebuild trust. There’s no question that a data breach undermines customer trust. Some customers will leave a breached company. Among polled customers who remained with the breached company, inertia seemed a major factor in their decision not to go elsewhere; 67 percent said they stayed simply because it was too difficult to find someone else to offer the same products or services. Less than half (45 percent) said they stayed because they were happy with how the company handled the data breach. Breach letters are actually an opportunity to begin rebuilding trust. Explain to consumers what you’re doing to reduce the risk of future breaches, and how you’re taking steps to help protect them from further harm.

Despite your best efforts, a data breach can occur. When it does, the data breach notification letter is your all-important point of first contact with affected consumers. Craft it well and the letter can be a valuable tool for mitigating reputation damage and rebuilding trust.

Learn more from our Knowledge Center

Published: May 6, 2014 by Michael Bruemmer

By: Maria Moynihan

In less than a year, my information has been compromised twice by a data breach. The companies involved varied significantly by way of size and type, yet both reacted expeditiously to inform me of the incident. As much as I appreciated the quick response and notification, I couldn’t help but wonder how well prepared we all are to handle these types of incidents within our own organizations. I recently read somewhere that data breaches are to be expected – like death and taxes. Can this be true? A recent Ponemon Institute Study, 2013 Cost of a Data Breach, highlighted alarming statistics around the typical impact a breach has on an organization. With costs amounting to approximately $5.4M and impact to brands ranging anywhere from $184M to $330M in losses, organizations cannot afford to pass breaches off as inevitable. Organizations must tighten their security standards, understand the evolving data breach environment and ensure their response plans are continuously enhanced to address emerging issues. To better understand what may lie ahead, Experian has developed six key predictions for how concerns about data breaches will evolve:

1. Data breach cost will be down – but still impactful
The cost per record of a data breach will continue to decline; however, security incidents and other breaches may still cause significant business disruption if not properly managed.

2. Will the Cloud and Big Data = Big International Breaches?
With the rise of the cloud, data is now moving seamlessly across borders, making the potential for complex, international breaches more possible.

3. Healthcare Breaches: Opening the Floodgates
With the addition of the Healthcare Insurance Exchanges, millions of individuals will be introduced into the healthcare system and, as a result, will increase the vulnerability of the already susceptible healthcare industry.

4. A Surge in Adoption of Cyber Insurance
Many companies will look beyond investing in technology to protect against attacks and towards the insurance market to manage financial ramifications of breaches.

5. Breach Fatigue – Rise in Consumer Fraud?
As the number of reported breaches in the media increases and the frequency of notifications that consumers receive grows, they may become apathetic towards the subject, thereby exposing themselves to greater risk.

6. Beyond the Regulatory Check Box
State regulators and law enforcement will turn a new leaf this year, devoting significant attention to helping organizations better manage breaches.

What is your organization doing to improve its data breach preparedness plan? Check out our 2014 Data Breach Industry Forecast and guide to handling data breach response. Check out other related content on data breach resolution.

Published: April 30, 2014 by Guest Contributor

The growing cost and number of data breaches has spurred more interest in cyber insurance. While companies often increase investments in technology and training programs to reduce the likelihood of a breach, a recent Ponemon Institute survey of risk-management professionals found that 31 percent of companies surveyed have cyber insurance and 39 percent plan to purchase cyber insurance in the future. Learn how to outline your response plan with our data breach response guide. Source: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

Published: October 26, 2013 by admin
