Cyber Security News / Security Talk Column

Updating Cyber Threats on the Radar for 2014

Small business doesn’t necessarily mean small data.

Security Talk
Michael Bruemmer


Small business doesn’t necessarily mean small data. In fact, according to Michael Bruemmer, vice president at Experian Data Breach Resolution, thieves prefer to target small- to medium­–sized businesses (SMBs) because many lack the resources or expertise to manage cybersecurity. Retailers are especially easy targets for cybercriminals who look to hijack credit card data, but customers aren’t the only victims. Among SMBs that suffer a breach, 60 percent go out of business after six months, he says.

“An organization categorized as a ‘small business,’ may still manage a large amount of confidential data, including customer and employee records,” he says. “It’s critical for these businesses that they take steps to prevent a breach and prepare for the chance that a breach might occur.”

Recognizing that SMBs are often challenged by limited resources, Bruemmer suggests some low-investment approaches to preventing and managing a data breach, including conducting risk assessments; considering cyber insurance, as SMBs generally don’t have a risk manager or IT department dedicated to data security; and engaging experts in legal counsel and resolution consulting to prepare to respond quickly and effectively after a breach, which may mitigate regulatory fines, lawsuits and reputational damage.

Whether your enterprise is small, medium or larger, Bruemmer suggests that international response plans, cyber insurance and “data breach fatigue” will be key factors this year  in the cyber world. Here, he explains.  


Why will International response plans be essential as more data moves to the cloud?

As data moves to the cloud, significant quantities of sensitive information will travel across national borders in the blink of an eye. Yet, while these data flows are global, the data breach laws and cultural norms for responding to an incident are local. Actions are enforced based on where a customer lives rather than where the data is stored. What this means is that companies may need to be prepared to send out notification letters across countries, set up local in-language call centers and determine if identity protection and credit monitoring services for affected parties are appropriate to offer.

You predict that healthcare breaches will increase this year. Is there one particular reason?

The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. While there may be increased awareness in protecting data in this sector, the sheer size of the industry makes it vulnerable to continued breaches. Closing out the year, Americans will spend more than $9,210 per capita on healthcare in 2013. Add to that the Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches.


You also predict that a rise in consumer fraud will occur as consumers suffer “data breach fatigue,” and show less interest in protecting themselves against fraud and identity theft.  How can enterprise security executives and CISOs overcome that “data breach fatigue” with customers?

As the number of reported breaches in the media increases and the frequency of notifications that consumers receive grow, it is possible consumers will get tired of hearing about breaches, leading to “data breach fatigue.” This complacency could lead to significantly more harm by causing fewer consumers to recognize the importance of following the instructions in notification letters. We always encourage CSOs to put themselves in the position of a customer affected by a breach. It is important to keep notification letters simple, and answer three basic questions: what happened, why it happened and what steps are needed for the customer to protect themselves following an incident.


How exactly does cyber insurance work? And how can it help to protect a brand once a breach has taken place?

Cyber insurance is part of an overall risk mitigation strategy. According to the Ponemon Institute, a breach in the United States will cost a company anywhere between $5 million and $6 million annually, including the financial toll of reputational damage. The value of brand and reputation could decline as much as 17 to 31 percent. In most cases, a good cyber insurance policy will cover against this loss of revenue, including access to external legal, notification and technical experts needed to help manage an incident. Furthermore, we’re likely to see a growing variety of coverage options for companies in 2014 as more corporate insurance providers enter the market. This will likely include policies geared at different market segments. In particular, the small- and medium-size business (SMB) segment is likely to see new specific policies and outpace the adoption when compared to other sectors. In part, this adoption will be driven from the need for SMBs to manage breaches while not having the in-house expertise or resources to manage the aftermath. Overall, cyber insurance will start to become a must-have for companies.    

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

April 2015 security magazine cover

2015 April

In this April 2015 issue of Security, find out how to keep your enterprise resilient after a disaster in 2015. Also discover how to strike a balance between design basis threats and active shooter threats and see what's in store for the 2015 RSA Conference.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.