2017 brought some of the most damaging cyber-attacks and volume-driven data breaches the world has ever seen. From WannaCry to NotPetya, Equifax to Uber, ransomware, exploitation of software vulnerabilities, and social engineering techniques have reigned supreme for cybersecurity adversaries. Despite the record number of disclosed data breaches and accompanying PII running into the billions, a new study by Tenable finds that organizations and consumers are not taking the basic steps to protect themselves from attacks. In fact, the study revealed that only 12% of Americans believe their PII had been compromised, which is the polar opposite of what the actual data supports. This lack of awareness and overconfidence in security will set the stage for the tsunami of cyber-related crime that will occur in the year to come.
You are on the List
Organizations of all sizes and individuals from all economic backgrounds are at significant risk in 2018, much more so than in any prior year. An unprecedented volume of records and personal information has been exposed and collected on each and every one of us. Every single person who plays the role of consumer, medical patient, income tax filer, or employee is vulnerable. We are prime targets, sitting ducks for those who have amassed an incredible treasure trove of PII and PHI, whenever they are ready and able to get around to us one by one. It is a numbers game, and if you have been unscathed up to this point, consider yourself fortunate. Just understand that you are on a list and someone or something, somewhere, is making its way to you. That something is likely an automated program or AI that can sort through, itemize, and efficiently organize large sets of data into full identity profiles.
Just four of the numerous data breaches disclosed in 2017 alone would provide more than enough information for someone other than you to take out a loan in your name, file a tax return, and phish their way into your employer. Equifax, Deep Root Analytics, Uber, and Alteryx exposed a combined total of more than 500 million data points on individuals in the United States. For perspective, the US has a population of roughly 326 million people. Data including social security numbers, email addresses, names, birth dates, physical addresses, voter registration details, home and auto ownership, family finances, and demographic information have all been exposed. This is all before we get to major data breaches involving payment cards, healthcare information, and our own oversharing on social media platforms. More than 4 billion records were exposed in 2016, with 2017 eclipsing the 7 billion mark. That is nearly one record for every person on earth or close to 2 records for every internet user on the planet.
Anticipate a Wave of Attacks
The year ahead will be filled with a record number of cyber assaults on individuals and organizations alike. A tidal wave of fraudulent tax return attempts, network intrusions across all industry segments including critical infrastructure, payment card fraud, medical identity theft, and falsified loan attempts will be made. Despite what many of the headlines may say, these attempts will not require a zero-day exploit or highly sophisticated attack method. These attempts will be carried out with the comprehensive data sets already accumulated from prior breaches and will use your own information against you. Armed with your name, social security number, email address, and demographic data, an attacker can easily craft a targeted phishing email that lures even the most seasoned security professional. Many small and mid-sized organizations do not believe they will be a cyber-criminal's focus or a nation-state's target. What they often overlook is the employee who has been swept up in countless other breaches and who may introduce ransomware into the corporate network when checking personal email or a social media account on company time, or by falling prey to a phishing attack from one of the 2.5 million emails being sent every second of the day. When it comes to email traffic, some research suggests up to 73% of the volume is spam. The stakes have never been higher for every individual and organization in 2018, but all hope is not lost as long as you approach this threat appropriately.
The Rundown: Organizations
Organizations must employ strong physical, administrative, and technical controls to help prevent, detect, and identify security incidents. This includes regular updates to the software. Create a strong cybersecurity awareness culture through training and education to help employees spot phishing attempts and reduce the risk of unauthorized access. Implement formal procedures for verifying and challenging wire transfers and W-2 requests. Purchase cyber and privacy insurance, as today's innovative companies can bring together both financial risk transfer and cyber security solutions to strengthen any organization's posture. Create an incident response plan as well as an internet usage policy for employees.
The Rundown: Individuals
Assume your information has been compromised, because it has been. Place a security freeze with each of the four credit bureaus (Equifax, TransUnion, Experian, Innovis). Implement two-factor authentication wherever possible. Consider using a separate email address exclusively for banking and financial-related activity. Beware of communication (email, text, calls) that creates a sense of urgency or uses fear tactics. Think twice before clicking on links or opening attachments, especially if you did not initiate the communication. File your tax return as soon as possible to reduce your risk of tax fraud. Monitor bank account and credit card statements regularly. Closely inspect your medical explanation of benefits to ensure the accuracy of services rendered.
About David Derigiotis
David Derigiotis is Corporate Vice President and Professional Liability Practice Leader with an international wholesale insurance broker, Burns & Wilcox. David has consulted to the U.S. Department of the Treasury during a public-private sector cyber panel in Washington D.C. and has participated in research studies conducted by the Organization for Economic Co-operation and Development (OECD) surrounding the cyber insurance marketplace.