Cyber Security News / Security Talk Column

Updating Cyber Threats on the Radar for 2014

Small business doesn’t necessarily mean small data.

Security Talk
Michael Bruemmer

 

Small business doesn’t necessarily mean small data. In fact, according to Michael Bruemmer, vice president at Experian Data Breach Resolution, thieves prefer to target small- to medium­–sized businesses (SMBs) because many lack the resources or expertise to manage cybersecurity. Retailers are especially easy targets for cybercriminals who look to hijack credit card data, but customers aren’t the only victims. Among SMBs that suffer a breach, 60 percent go out of business after six months, he says.

“An organization categorized as a ‘small business,’ may still manage a large amount of confidential data, including customer and employee records,” he says. “It’s critical for these businesses that they take steps to prevent a breach and prepare for the chance that a breach might occur.”

Recognizing that SMBs are often challenged by limited resources, Bruemmer suggests some low-investment approaches to preventing and managing a data breach, including conducting risk assessments; considering cyber insurance, as SMBs generally don’t have a risk manager or IT department dedicated to data security; and engaging experts in legal counsel and resolution consulting to prepare to respond quickly and effectively after a breach, which may mitigate regulatory fines, lawsuits and reputational damage.

Whether your enterprise is small, medium or larger, Bruemmer suggests that international response plans, cyber insurance and “data breach fatigue” will be key factors this year  in the cyber world. Here, he explains.  

 

Why will International response plans be essential as more data moves to the cloud?

As data moves to the cloud, significant quantities of sensitive information will travel across national borders in the blink of an eye. Yet, while these data flows are global, the data breach laws and cultural norms for responding to an incident are local. Actions are enforced based on where a customer lives rather than where the data is stored. What this means is that companies may need to be prepared to send out notification letters across countries, set up local in-language call centers and determine if identity protection and credit monitoring services for affected parties are appropriate to offer.
 

You predict that healthcare breaches will increase this year. Is there one particular reason?

The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. While there may be increased awareness in protecting data in this sector, the sheer size of the industry makes it vulnerable to continued breaches. Closing out the year, Americans will spend more than $9,210 per capita on healthcare in 2013. Add to that the Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches.

 

You also predict that a rise in consumer fraud will occur as consumers suffer “data breach fatigue,” and show less interest in protecting themselves against fraud and identity theft.  How can enterprise security executives and CISOs overcome that “data breach fatigue” with customers?

As the number of reported breaches in the media increases and the frequency of notifications that consumers receive grow, it is possible consumers will get tired of hearing about breaches, leading to “data breach fatigue.” This complacency could lead to significantly more harm by causing fewer consumers to recognize the importance of following the instructions in notification letters. We always encourage CSOs to put themselves in the position of a customer affected by a breach. It is important to keep notification letters simple, and answer three basic questions: what happened, why it happened and what steps are needed for the customer to protect themselves following an incident.

 

How exactly does cyber insurance work? And how can it help to protect a brand once a breach has taken place?

Cyber insurance is part of an overall risk mitigation strategy. According to the Ponemon Institute, a breach in the United States will cost a company anywhere between $5 million and $6 million annually, including the financial toll of reputational damage. The value of brand and reputation could decline as much as 17 to 31 percent. In most cases, a good cyber insurance policy will cover against this loss of revenue, including access to external legal, notification and technical experts needed to help manage an incident. Furthermore, we’re likely to see a growing variety of coverage options for companies in 2014 as more corporate insurance providers enter the market. This will likely include policies geared at different market segments. In particular, the small- and medium-size business (SMB) segment is likely to see new specific policies and outpace the adoption when compared to other sectors. In part, this adoption will be driven from the need for SMBs to manage breaches while not having the in-house expertise or resources to manage the aftermath. Overall, cyber insurance will start to become a must-have for companies.    

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

August 2014

2014 August

In the August issue of Security Magazine, read about the public-private partnerships and the future of DHS with Frank Taylor, sneak a peek at the ASIS 2014 security products, and read a special report on cyber risk and security. Also in this issue find out why America is in desperate need of a CSO and the most common mistakes in Cyber incident response. The security game has dramatically changed since September 11th, read about what enterprises are doing to keep Americans safe and sound.

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+