Security Talk
Michael Bruemmer


Small business doesn’t necessarily mean small data. In fact, according to Michael Bruemmer, vice president at Experian Data Breach Resolution, thieves prefer to target small- to medium­–sized businesses (SMBs) because many lack the resources or expertise to manage cybersecurity. Retailers are especially easy targets for cybercriminals who look to hijack credit card data, but customers aren’t the only victims. Among SMBs that suffer a breach, 60 percent go out of business after six months, he says.

“An organization categorized as a ‘small business,’ may still manage a large amount of confidential data, including customer and employee records,” he says. “It’s critical for these businesses that they take steps to prevent a breach and prepare for the chance that a breach might occur.”

Recognizing that SMBs are often challenged by limited resources, Bruemmer suggests some low-investment approaches to preventing and managing a data breach, including conducting risk assessments; considering cyber insurance, as SMBs generally don’t have a risk manager or IT department dedicated to data security; and engaging experts in legal counsel and resolution consulting to prepare to respond quickly and effectively after a breach, which may mitigate regulatory fines, lawsuits and reputational damage.

Whether your enterprise is small, medium or larger, Bruemmer suggests that international response plans, cyber insurance and “data breach fatigue” will be key factors this year  in the cyber world. Here, he explains.  


Why will International response plans be essential as more data moves to the cloud?

As data moves to the cloud, significant quantities of sensitive information will travel across national borders in the blink of an eye. Yet, while these data flows are global, the data breach laws and cultural norms for responding to an incident are local. Actions are enforced based on where a customer lives rather than where the data is stored. What this means is that companies may need to be prepared to send out notification letters across countries, set up local in-language call centers and determine if identity protection and credit monitoring services for affected parties are appropriate to offer.

You predict that healthcare breaches will increase this year. Is there one particular reason?

The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. While there may be increased awareness in protecting data in this sector, the sheer size of the industry makes it vulnerable to continued breaches. Closing out the year, Americans will spend more than $9,210 per capita on healthcare in 2013. Add to that the Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches.


You also predict that a rise in consumer fraud will occur as consumers suffer “data breach fatigue,” and show less interest in protecting themselves against fraud and identity theft.  How can enterprise security executives and CISOs overcome that “data breach fatigue” with customers?

As the number of reported breaches in the media increases and the frequency of notifications that consumers receive grow, it is possible consumers will get tired of hearing about breaches, leading to “data breach fatigue.” This complacency could lead to significantly more harm by causing fewer consumers to recognize the importance of following the instructions in notification letters. We always encourage CSOs to put themselves in the position of a customer affected by a breach. It is important to keep notification letters simple, and answer three basic questions: what happened, why it happened and what steps are needed for the customer to protect themselves following an incident.


How exactly does cyber insurance work? And how can it help to protect a brand once a breach has taken place?

Cyber insurance is part of an overall risk mitigation strategy. According to the Ponemon Institute, a breach in the United States will cost a company anywhere between $5 million and $6 million annually, including the financial toll of reputational damage. The value of brand and reputation could decline as much as 17 to 31 percent. In most cases, a good cyber insurance policy will cover against this loss of revenue, including access to external legal, notification and technical experts needed to help manage an incident. Furthermore, we’re likely to see a growing variety of coverage options for companies in 2014 as more corporate insurance providers enter the market. This will likely include policies geared at different market segments. In particular, the small- and medium-size business (SMB) segment is likely to see new specific policies and outpace the adoption when compared to other sectors. In part, this adoption will be driven from the need for SMBs to manage breaches while not having the in-house expertise or resources to manage the aftermath. Overall, cyber insurance will start to become a must-have for companies.