Last year, Forrester Research stated that 2017 would likely bring the major failure of a Fortune 1000 company in responding to a data breach. While 2017 saw notable breaches at Equifax, Verizon and Kmart, among many others, it does not appear that this trend will slow down any time soon, due in large part to the perfect storm of seemingly limitless potential for ill-gotten gains by cyber criminals, the human-error element of cybersecurity and increasingly rigorous regulatory obligations for organizations suffering a cyber-attack.
And while, according to the Ponemon Institute, the average cost of a data breach is down 10 percent from previous years to $3.62 million, the average size of a data breach increased nearly two percent, and some organizations still have much work to do to inform their preparedness and response strategies.
Here’s what we can expect in 2018:
- Ransomware Attacks Continue to Pose Serious Threat
Large-scale ransomware attacks, including WannaCry and NotPetya, impacted businesses in various industries across the globe on an unprecedented level in 2017. According to security experts, cybercriminals specializing in ransomware acquired about $1 billion last year, based on money coming into ransomware-related Bitcoin wallets. The WannaCry attack in particular highlighted the vulnerability of healthcare organizations, as many U.K. and U.S. hospitals were forced to shut down due to the incident.
- Increased Risk to IoT Devices & Systems
As the number of Internet-of-Things devices continues to grow, they will be a prime target for cybercriminals looking to gain access to the devices, the systems that connect them and the data transmitted between both. For healthcare companies, an IoT hack could risk the exposure of patients’ personal health information (PHI), or, more alarmingly, allow for unauthorized access to medical devices.
- Shift in the Regulatory Landscape
The EU General Data Protection Regulation (GDPR) becomes enforceable by law in May 2018, which will require multi-national organizations to adhere to new requirements regarding how data is processed and protected and how incidents are reported. For example, organizations will have less than 72 hours (!) to report a breach, and the financial cost is significant: fines of up to 20 million euros or 4 percent of total worldwide annual turnover for the preceding financial year. On a parallel path, in the U.S., the SEC has also indicated that it will likely soon update data security incident reporting guidelines for companies.
- Large Scale Breaches Unfold in Two Waves
Incidents like the Equifax (impacting 143 million people) and Yahoo! (impacting 3 billion users) breaches that have exposed large amounts of data have made it easier for cybercriminals to subsequently create mass spear-phishing campaigns that are highly effective and detailed. In the aftermath of significant breaches, expect sophisticated hacking groups to use multi-vector social engineering techniques that combine traditional phishing emails with smishing (texting) and vishing (phone calls).
- Rise in Nation-State Attacks
As tensions between liberal democracies like the U.S. and autocratic states continue to rise, so too will sophisticated cyberattacks orchestrated by foreign governments and hacking groups like Russia’s Fancy Bear. Many of these attacks are political in nature – they target businesses in order to gain access to large swaths of their consumers’ PHI or personally identifiable information (PII), and this data is ultimately used to understand or influence events such as elections. Other attacks are financially motivated, as criminal hacking groups like North Korea’s “Dark Overlord” hold company-held data for ransom and contact media directly in order to pressure their victims to pay the requested monetary amount.
- U.S. Congress Involvement
Significant data breaches, coupled with the various cyber tools Russia used to influence the 2016 Presidential election, have put data security firmly on the radar of U.S. Congress. Tense Congressional hearings that forced executives at Equifax, Yahoo!, Facebook, Google and Twitter to answer tough questions about their data security protocols may have signaled a willingness for Congress to take a more active role in addressing how companies protect the data they hold and the systems they maintain. There is also a growing tension between federal and state legislators on how to address cybersecurity incidents; while U.S. Congress has greater power to pass legislation, state attorneys general can move much faster in conducting investigations and filing lawsuits, and many consider data breaches to be under their purview of consumer protection and potential fodder for political posturing.
- Critical Infrastructure as a Growing Target
2018 will likely be the first year when we will see a significant attack on U.S. critical infrastructure. In October, the FBI and Department of Human Services (DHS) warned of advanced persistent threat activity targeting energy, nuclear, water, aviation, construction and critical manufacturing sectors. Critical infrastructure companies are behind in preparing their operational facilities to confront cyberattacks, but it will be one of the main security vulnerability assessment concerns of 2018 for the industry.
But it’s not all bad—here are three immediate steps that an organization can easily take to mitigate these risks:
- Do Your Homework: Recognize that, now more than ever, communications (and, in kind, brand reputation) is at the center of a cyber response strategy, so take the time now, while the water is calm, to get smart on the role and expectations of communications if you were facing a live event. For example:
  - What would you do if Brian Krebs called with knowledge from a source that your company has suffered a breach?
  - Do you know if you have cyber insurance coverage that would include communications support?
  - Do you know your organization’s new reporting obligations under GDPR, or have the team in place if you’re potentially facing 1 million consumers contacting your call center?
- Don’t Get Complacent: Using the above as a guidepost, organizations need to continually review and enhance their incident response plans to address not only the “more common” cyber issues but also to take a hard look at challenging topics like ransomware or third-party breaches.
- Build Your Muscle Memory: As George Santayana famously said, “Those who do not remember their past are condemned to repeat their mistakes.” Organizations that do not stress their response strategies until facing a live fire drill will simply not be as prepared as they could be. It’s important that an organization pressure test even the best-laid incident response plans through tabletop exercises and crisis simulations that look at managing a number of varying risks (reputation, legal, IT) through an escalating scenario.
Andrew Liuzzi is executive vice president, Crisis and Risk, Chicago.
Jamie Singer is vice president, Crisis and Risk, Chicago.