Four data breach predictions for the upcoming year
The threat of data breaches isn't going away, and the threat landscape is constantly evolving, influenced by social, political and industry-specific factors.
2015 had several significant data breaches, both within healthcare and in other industries. The cyberattack on Indianapolis-based Anthem, reported in February, is the biggest healthcare data breach to date, affecting 78.8 million individuals. Additionally, the Office of Personnel Management reported a cyberattack which compromised the data of nearly 4 million government workers.
More data breaches — healthcare and otherwise — are to be expected next year and in years to come. While they're not preventable, evidence-based predictions may help organizations prepare.
Information services group Experian recently released its third annual Data Breach Industry Forecast whitepaper, offering predictions of the future threat landscape. Michael Bruemmer, vice president of Experian Data Breach Resolution, says the number of data breaches Experian has serviced has increased between 15 and 18 percent each year over the last three years. What's more, 46 percent of incidences Experian has serviced are in the healthcare industry.
Prediction 1: Healthcare continues to be targeted
That high percentage is unlikely to change, according to one of Experian's predictions for 2016. "Healthcare is going to still be a prime target for fraudsters," Mr. Bruemmer says.
As the value of a health record rises (a Reuters report found medical information is 10 times more valuable than a credit card number), the market for stolen records also grows.
Mr. Bruemmer says sophisticated attackers will likely continue to focus on insurers and large hospital networks where there is the largest payoff possible, but breaches of smaller organizations will cause the most damage as they have the most to lose. While big players and expansive health systems are often targeted because they store so much data and one hacking scheme can provide hackers millions of data points, smaller organizations may be easier to infiltrate due to less preparation and investment in cyberdefense practices.
"It's easier for hackers to go after places where there's a large compilation or concentration of data, like the big healthcare providers. But at the same time, [hackers] are looking for the easiest way in," Mr. Bruemmer says. "The small guys are still at risk, and they have the most to lose because they're not as prepared."
Prediction 2: State-sponsored attacks will increase
Unsurprisingly, healthcare breaches are expected to continue, but the source behind the attacks isn't likely to change. Mr. Bruemmer says tensions between countries may give rise to nation-state cyberattacks. "The cyber conflict that is brewing, particularly between countries like China, Russia and the U.S., is going to leave consumers and businesses as collateral damage," he says.
He points to the OPM attack and the Sony attack from November 2014, both of which are believed to be perpetrated by foreign governments: Investigators believe the OPM attack was orchestrated by the Chinese government, and the U.S. government has alleged North Korea was behind the Sony attack, though skeptics of that accusation remain.
"As nation-sates continue to move their conflicts and espionage efforts to the digital world, we may see more cyberattacks that aim to steal corporate and government secrets or disrupt military operations," Mr. Bruemmer says. "While perpetrators are initially targeting a specific set of data or credentials, they expose personal information from citizens in the process that could be sold on the black market and used for fraudulent activity."
Prediction 3: The presidential campaign will invite cyberattacks
In 2008, the personal email address of former vice presidential candidate and Alaska governor Sarah Palin was hacked. A student allegedly broke into Gov. Palin's email address by answering security questions such as her birthdate and where she met her spouse, and was able to change the password.
"That was just a tip of the iceberg compared to what I think is going to happen in 2016," Mr. Bruemmer says.
This election season's presidential candidates, their campaigns and/or major donor bases will be prime targets for hackers, especially given the rather "outspoken nature" of some of the individuals running, according to Mr. Bruemmer, who says the divisiveness of comments and fractured debates may cause individuals to resort to extremes to minimize the potential of other candidates. He isn't suggesting the campaigns are necessarily going to perpetrate attacks against one another, but perhaps disgruntled citizens or even other nations could play a part in this.
Prediction 4: Hacktivism makes a comeback
Not every data breach is about the money or gathering information for the purposes of committing fraud. Sometimes individuals or hacking groups commit a cyberattack on another person or organization for political and social reasons, or to inflict reputational damage.
For example, the data breach that exposed users of Ashley Madison, a website for individuals seeking extramarital relations, was less about accessing valuable information and more about exposing those who were using the website.
Additionally, a recent ProPublica report found the number and occurrence of small-scale data breaches — those affecting just a handful of individuals — are on the rise. Such breaches could include an individual learning the health status of just one other person and sharing it with others, largely for personal vindication. It is these breaches, the article argues, that cause the most harm; even more so than massive breaches because personally directed attacks can have long-lasting psychological effects on the victim.
What's more, some see hacktivists as being even more dangerous for those trying to defend against breaches.
"Hacktivists are the Russian Roulette," Patrick Peterson, CEO of cybersecurity firm Agari, said in a report by The Hill. "They're the most terrifying for corporations and governments because you can't actually plot who they are or their motivations. One day they try to shame a bank, the next day they try to blackmail Ashley Madison and the next day, they're taking the hoods off the Ku Klux Klan."
So, are we prepared?
No organization is immune to a data breach, but companies can take necessary steps to defend themselves as well as possible. And organizations are doing so with more frequency: In 2014, 73 percent of organizations surveyed by Experian said they had a breach response plan in place, and that increased to 81 percent in 2015.
"That's an improvement, but it still means 19 percent of the organizations in the survey don't have a response plan," he says.
If the above predictions hold true, every company owes it to themselves and their customers to be as adequately prepared as possible.
More articles on data breaches:
Belgrade Regional Health Center notifies patients of mailing error, data breach
How Bank of America is prepping for a data breach
UW Medicine reaches $750,000 HIPAA settlement for 2013 breach