With recent hacks of organizations ranging from Yahoo! to Wendy’s to the U.S. presidential campaigns, cyber-attacks continue to evolve in their frequency, severity and complexity. While 2016 was marked by several high-profile incidents, 2017 promises to present entirely new challenges that will continue to push organizations to enhance both their front-end preparedness measures and response to live cyber-attacks.
Here are five key trends to monitor:
- Distributed Denial-of-Service (DDoS) attacks are increasing in volume and becoming much more sophisticated with the rise of Internet of Things (IoT) devices.
In October 2016, we saw a prominent attack against an Internet directory service that knocked dozens of popular websites offline. Although DDoS attacks have historically used large networks of compromised computers — called botnets — to send destructively overwhelming traffic to the sites they target, recent examples have expanded in size and scope. Instead of a computer network, threat actors are now manipulating IoT devices to build the damaging botnet. Unfortunately, IoT devices, which include interconnected products like security cameras or cell phones, are cheaply manufactured and notoriously insecure, which makes them susceptible to compromise.
Companies should ensure that their communications plans account for a significant outage and include a plan for communicating with customers if their website is down.
- Reports suggest that ransomware threats to companies and organizations continue to rise, holding data, intellectual property and critical systems hostage.
Beyond the business decision of whether or not to pay the ransom fee (now routinely paid in hard-to-trace bitcoin rather than unmarked bills in a nondescript briefcase), the reputational risks inherent in both possible approaches warrant careful advance consideration. If an organization pays the ransom, it opens itself up to future attacks and escalating ransom demands. If an organization does not pay, however, it risks tarnished stakeholder trust and jeopardized brand equity by failing to protect its business and/or its customers’ information at all costs.
Companies should go through the process of determining under what circumstances they would and would not pay a ransom. Doing this ahead of time will make decision making in the moment much easier.
- The European Union General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive in 2018 and will impose broader breach notification obligations, among other requirements, but industry media coverage suggests that many companies are not prepared.
The General Data Protection Regulation (GDPR) was adopted by the European Parliament in April 2016 and will replace the Data Protection Directive in 2018. Under the GDPR, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” According to IAPP, this broad definition differs from that of most U.S. state data breach laws and, for communications purposes, creates a new requirement to begin notification processes no later than 72 hours after becoming aware of a personal data breach.
Any company that holds data on EU citizens should ensure that it has established teams in-country who can assist in the notification process. Local representation is critical for managing cultural nuances when notifying customers of an incident.
- Cyber security policy: Nation state attacks likely to escalate.
It’s likely that the United States will take a much more aggressive stance toward responding to cyber attacks. As evidenced by previous attacks on Sony Pictures and many critical infrastructure providers over the past few years, it’s possible that businesses will be caught in the middle and become the victims of advanced attacks. Further, there will be a continued debate over civil liberties, as well as conflict between law enforcement and technology companies over the circumstances under which the government can force companies to share information about customers and whether they will be required to “unlock” or otherwise compromise technology.
All companies should ensure they have a documented strategy and messaging that explains under which circumstances they will provide information to the government.
- Media coverage and industry analysis are reporting that corporate spear phishing attacks are increasing, often around tax season, and are getting even more brazen in nature.
In 2016, more than 55 companies announced they had fallen victim to tailored schemes responsible for stealing W-2 tax records of employees. These ploys come in a variety of forms (e.g., email requests that appear to come from employees or elaborate SMS fraud targeting prepaid debit cards, often used by the government to issue tax refunds). However, the newest rounds of spear phishing attacks being reported target entire companies and organizations by exploiting internal emails and communications from managers and executives.
One effective strategy for mitigating this threat is conducting regular phishing exercises with employees so they are more aware of the threat and potential scams.
Andrew Liuzzi, executive vice president, Crisis & Risk Management, Edelman Chicago.