Last year, Forrester Research predicted that 2017 would likely bring the major failure of a Fortune 1000 company in responding to a data breach. While 2017 saw notable breaches at Equifax, Verizon and Kmart, among many others, this trend does not appear likely to slow down any time soon, due in large part to a perfect storm: the seemingly limitless potential for ill-gotten gains by cyber criminals, the human error element of cybersecurity, and increasingly rigorous regulatory obligations for organizations that suffer a cyber-attack.
And while, according to the Ponemon Institute, the average cost of a data breach is down 10 percent over previous years to $3.62 million, the average size of a data breach increased nearly two percent, so many organizations still have much work to do to inform their preparedness and response strategies.
Here’s what we can expect in 2018:
Large-scale ransomware attacks, including WannaCry and NotPetya, impacted businesses in various industries across the globe on an unprecedented level in 2017. According to security experts, cybercriminals specializing in ransomware acquired about $1 billion last year, based on money coming into ransomware-related Bitcoin wallets. The WannaCry attack in particular highlighted the vulnerability of healthcare organizations, as many U.K. and U.S. hospitals were forced to shut down due to the incident.
As the number of Internet-of-Things devices continues to grow, they will be a prime target for cybercriminals looking to gain access to the devices, the systems that connect them and the data transmitted between both. For healthcare companies, an IoT hack could risk the exposure of patients’ personal health information (PHI), or, more alarmingly, allow for unauthorized access to medical devices.
The EU General Data Protection Regulation (GDPR) becomes enforceable by law in May 2018, which will require multi-national organizations to adhere to new requirements regarding how data is processed and protected, and how incidents are reported. For example, organizations will have less than 72 hours (!) to notify and the financial cost is significant: fines of up to 20 million euros or 4 percent of the total worldwide annual turnover of the preceding financial year. On a parallel path, in the U.S., the SEC has also indicated that it will likely soon update data security incident reporting guidelines for companies.
Incidents like the Equifax (impacting 143 million people) and Yahoo! (impacting 3 billion users) breaches that have exposed large amounts of data have made it easier for cybercriminals to subsequently create mass spear-phishing campaigns that are highly effective and detailed. In the aftermath of significant breaches, expect sophisticated hacking groups to use multi-vector social engineering techniques that combine traditional phishing emails with smishing (texting) and vishing (phone calls).
As tensions between liberal democracies like the U.S. and autocratic states continue to rise, so too will sophisticated cyberattacks orchestrated by foreign governments and hacking groups like Russia’s Fancy Bear. Many of these attacks are political in nature – they target businesses in order to gain access to large swaths of their consumers’ PHI or personally identifiable information (PII), and this data is ultimately used to understand or influence events such as elections. Other attacks are financially motivated, as criminal hacking groups like North Korea’s “Dark Overlord” hold company-held data for ransom and contact the media directly in order to pressure their victims into paying the requested amount.
Significant data breaches, coupled with the various cyber tools Russia used to influence the 2016 Presidential election, have put data security firmly on the radar of U.S. Congress. Tense Congressional hearings that forced executives at Equifax, Yahoo!, Facebook, Google and Twitter to answer tough questions about their data security protocols may have signaled a willingness for Congress to take a more active role in addressing how companies protect the data they hold and the systems they maintain. There is also a growing tension between federal and state legislators on how to address cybersecurity incidents; while U.S. Congress has greater power to pass legislation, state attorneys general can move much faster in conducting investigations and filing lawsuits, and many consider data breaches to be under their purview of consumer protection and potential fodder for political posturing.
2018 will likely be the first year in which we see a significant attack on U.S. critical infrastructure. In October, the FBI and Department of Human Services (DHS) warned of advanced persistent threat activity targeting the energy, nuclear, water, aviation, construction and critical manufacturing sectors. Critical infrastructure companies are behind in preparing their operational facilities to confront cyberattacks, and assessing those facilities for security vulnerabilities will be one of the industry’s main concerns in 2018.
But it’s not all bad—here are three immediate steps that an organization can easily take to mitigate these risks:
Andrew Liuzzi is executive vice president, Crisis and Risk, Chicago.
Jamie Singer is vice president, Crisis and Risk, Chicago.