Formulating an Effective Data Breach Strategy and Plan of Action

Even in the aftermath of the high-profile data breaches at Target, Neiman Marcus, and Michaels earlier this year, many businesses are not yet responding to the wakeup call that these massive breaches have sounded. Data breaches are unexpected, unplanned, and often occur too quickly for a company to prevent, but an effective strategy and a formal data breach plan will prepare a company for the day when such a breach may very well threaten the organization’s ability to survive the experience. Being overconfident that such an incident isn’t going to happen is simply foolish.

“There are more organizations this year with pre-breach response plans in place,” says Michael Bruemmer, vice president of Experian Data Breach Resolution. “But at the same time, there are many retailers, manufacturers and small businesses that are lagging behind.” Among the reasons why some organizations don’t have even the basics of a plan in place, Bruemmer says, is because they lack the resources or aren’t aware of regulatory requirements for risk assessments and breach notification.

Throughout the world, companies are finding that data breaches have become very common and far more expensive to survive than expected. With the exception of Germany, companies are spending more on investigation, notification and response when their sensitive and confidential information is lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars. The research also reveals that damage to reputation and the loss of customer loyalty do the most harm to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. The report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience high customer turnover in the aftermath of a data breach.

Security experts say the basic components of an effective breach response strategy include:

  • Creating a competent response team.
  • Devising a well-documented strategy that covers discovery, forensics, response, and notification and reporting.
  • Implementing effective training, and testing and auditing the plan to continuously improve it.

The plan must also be updated regularly as the business continues to grow in size and complexity. Factors such as new business partners, data sources, technologies and additional business units can complicate the data infrastructure, adding new requirements to an effective incident response plan.

Another essential component of a better breach response strategy is involving senior management and the board of directors. After all, mishandling a breach can affect a company’s financial viability. The need for C-level involvement was evident following the Target breach, when the company’s public messaging showed that its top management was slow to recognize which messages and media outlets must be used to communicate successfully in the wake of an event. While Target eventually used social media and improved its talking points, the delay in getting to that point signaled a lack of preparedness among the company’s top leadership.

Every business should plan for the unexpected, including a data breach that can hurt the brand, customer confidence, reputation and, ultimately, the business. It is important to develop an incident response plan to help detect an attack before it happens and to have procedures in place to minimize or contain the damage. Learning from the experience of others who have made the headlines in the past is far more desirable than becoming the next headline.

Avoid Becoming Cybercrime’s Next “Target”

Cybercrime is on the rise: large-scale fraud attacks, consumer data breaches and politically motivated Distributed Denial of Service (DDoS) attacks on financial institutions and others are costing businesses billions of dollars every year. Much of this growth stems from the maturation of the criminal digital underground and its “industrial” approach to cybercrime. The industrialization of fraud has led to both an increase in large-scale data breaches and an increase in the number and size of high-volume fraud attacks.

The recent rash of attacks against Target and other top retailers is likely the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say. Target has announced that CEO Gregg Steinhafel, who is also president and chairman of the board, will step down immediately, in large part due to the costly cyber-attack. That makes Steinhafel the highest-profile corporate casualty in a world where data breaches can affect millions of consumers and cost a company billions in sales and years of customer loyalty. This action clearly moves the responsibility for protecting a company’s data systems up the chain of command.

In the past, banks, retailers and policymakers have been slow to address the growing sophistication of cybercriminals. Only 11 percent of businesses have adopted industry-standard security measures, said a recent report by Verizon Enterprise Solutions, and outside experts say even these “best practices” fall short of what’s needed to defeat aggressive hackers lured by the prospect of a multimillion-dollar heist. Experts say that reversing the rise in major data breaches would require expensive upgrades, including the adoption of end-to-end encryption, the walling-off of the most sensitive data on separate networks, and the adoption of newer credit card technology that holds customer information on an embedded chip rather than the familiar black magnetic stripe now on most American cards. Credit card chips can communicate with banks in a way that better protects a user’s private information, often requiring a personal identification number to verify a purchase. Such systems are widespread in most of the developed world but are appearing in the United States only gradually.

In response to its costly experience, Target will switch its branded credit and debit cards from Visa to MasterCard early next year. The new cards will use more secure chip-and-PIN technology instead of relying on the current magnetic stripe system. Earlier this year, Target said it was speeding up a $100-million initiative to make its stores compatible with the upgraded cards.

But while most of the media attention for failures to secure a company’s data systems tends to be reserved for mega companies, mid-sized and small businesses are likely to become cybercriminals’ next favorite target as the larger firms beef up their security, making it more difficult for hackers to intrude. Developing an effective, dynamic cyber-security strategy is critical for more modest businesses to survive in the digital business environment. Businesses must take some immediate steps to improve their security systems to adjust to an ever-evolving threat landscape:

  • Understand that in the digital world, being able to recognize devices and the relationships between the device and the user, irrespective of the identity they claim to represent, is a key competency.
  • Recognize that in an age of industrialized fraud, evaluating whether the person submitting a request is risky is as important as determining whether the request is typical for the customer. To combat this threat, banks should implement capabilities that include a risk component when evaluating transactions.
  • Implement measures that search for signs of repeated account surveillance or manipulation activities. All forms of mass production introduce repetitive methods and patterns. These patterns offer opportunities to detect the fraud. Instead of looking at transactions in isolation, banks should look for the signs of an automated process.
  • Plan for dealing with spikes in fraud alerts. Automated processes allow an attacker to ramp up their volumes exponentially. Those responsible for fraud detection need to consider how their manual processes would fare against an attack that involves tens of thousands of events within a few hours.
  • Improve situational awareness to correlate events across lines of business and channels to detect offending devices.
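The repetition-and-spike detection described in the bullets above, as an added Python example that is not part of the original article; the log format, device identifiers and thresholds are constructed assumptions. Instead of judging each transaction alone, it groups events by device and flags the signs of an automated process: one device reaching many accounts across channels, and bursts of events inside a short window.

```python
"""Added example (not from the article): flag signs of an industrialized,
automated fraud process in a transaction log instead of scoring each event alone."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp device_id account channel amount
SAMPLE_LOG = """\
2014-05-01T10:00:00 dev-A acct-1001 web 45.00
2014-05-01T10:00:02 dev-A acct-1002 web 45.00
2014-05-01T10:00:04 dev-A acct-1003 mobile 45.00
2014-05-01T10:00:06 dev-A acct-1004 web 45.00
2014-05-01T10:00:08 dev-A acct-1005 web 45.00
2014-05-01T10:15:00 dev-B acct-2001 web 120.50
"""

def parse_log(text):
    """Parse the space-separated lines above into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, dev, acct, chan, amt = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "device": dev,
                       "account": acct, "channel": chan, "amount": float(amt)})
    return events

def flag_automation(events, max_accounts=3, window=timedelta(seconds=60), burst=4):
    """Return {device_id: [reasons]} for devices that behave like a script:
    one device reaching many accounts (across channels), or a burst of events
    inside a short window. Thresholds are assumed; tune them to real volumes."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    flagged = {}
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        accounts = {e["account"] for e in evs}
        channels = {e["channel"] for e in evs}
        if len(accounts) > max_accounts:
            reasons.append(f"{len(accounts)} accounts via {len(channels)} channel(s)")
        start = 0  # sliding window over the time-sorted events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= burst:
                reasons.append(f"{end - start + 1} events within {window.seconds}s")
                break
        if reasons:
            flagged[dev] = reasons
    return flagged

if __name__ == "__main__":
    for dev, why in flag_automation(parse_log(SAMPLE_LOG)).items():
        print(dev, "->", "; ".join(why))
```

Counting flagged devices per hour over a real feed is the quickest way to see whether a manual review queue could absorb a burst of tens of thousands of alerts.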

Cybercrime cost U.S. companies an average of $11.5 million in 2012, according to a study by the Ponemon Institute, up 26 percent compared with the previous year. The effect on victim businesses and consumers alike can last for years as companies struggle to recover from breaches of proprietary data and increasing numbers of consumers are left vulnerable to bogus charges and potential identity theft. A proactive cyber-security strategy is imperative for businesses to avoid becoming cybercriminals’ next “Target”.

Preparing for the Changed World of Employment

The recent headline figures from the Bureau of Labor Statistics’ monthly jobs report are surprisingly optimistic, with the agency reporting that nonfarm payroll employment rose by 288,000, beating expectations of 210,000 to 220,000 new jobs and pushing the unemployment rate down 0.4% to a five-and-a-half-year low of 6.3%. But beneath those shiny surface numbers, there’s an ugly trend afoot: fewer Americans are hunting for jobs. There was hope that by now Americans who had previously been discouraged by poor job prospects would find renewed optimism. That hope has been dashed by recent jobs reports, which revealed that the labor force declined by 806,000 people, or 0.4%. The labor force participation rate was 62.8% last month, matching a three-decade low.

The statistics clearly indicate that more unemployed Americans are pessimistic about their job prospects and are questioning why it is taking so long to experience a meaningful job market recovery. The problem is affecting high school and college graduates looking for their first full-time job or career opportunity, as well as downsized veteran employees. Some of the reasons for the lack of opportunity may rest with the fact that many of those who were victims of the economic slowdown and the advancing technological evolution, as well as many of the younger workers just entering the job market, are not equipped with the specific job skills and experience to qualify for many of the new job openings. Some industries are failing to meet their employment needs by large margins even while many qualified jobless are sitting on the sidelines. Connecting the jobless with employment opportunities is becoming a two-way street. Companies need to help prospective employees understand how their skills and experience can fit into the respective industries. It’s up to employers to get the word out about what they need and convey that talent and a good work ethic need not come with specific industry experience.

But some of the fault for such large numbers of bench sitters lies with the job seekers themselves. In the past, economic downturns were much shallower and recoveries much more intense. Finding a new job after losing one was easier, with the jobless successfully rehired before the first term of unemployment benefits ran out; not so this time around. Here are a few job searching techniques that are indicative of the new job market reality for new graduates or veterans.

  • Develop a long-term mentality. Job seekers aren’t mentally prepared for the long-haul journey that is a job search in today’s market. Establish realistic expectations about how long a job search can last; the average is 22 weeks, so if the job isn’t captured by the end of the first week or month, don’t panic.
  • To be successful, candidates need to construct a detailed, multi-faceted project plan that will take them from where they are to where they want to be in the new world of employment. The process is not transactional; it’s a marketing process.
  • In this highly competitive employment market the job search is all about marketing. It begins with understanding the “product”: what the prospect has to offer, who will want it, how to add value, and then presenting it effectively to someone who has a need that the product will fill.
  • One of the biggest misconceptions the jobless have about the job search is that it’s about finding work they want and love to do. But job seekers need to understand what it’s like to be an employer, and what that employer is looking for in an employee. Central to the entire job search strategy is for job seekers to present themselves as someone who is capable of helping an employer solve his or her business problems.

Most importantly, don’t be fooled into believing that the economy and a robust job market are just around the corner. Kicking back and waiting for the next job to land on your jobless doorstep will bring about some serious disappointment. Many, if not most, of yesterday’s lost jobs and careers are likely gone forever, altered by a new world economy and rapidly advancing technology. Preparing for and adapting to the new employment reality is vital to getting off the sidelines and back into the game.

Cyber Attacks Threaten All Types and Sizes of Organizations

The just-released Verizon 2014 Data Breach Investigations Report (DBIR), compiling data from 50 different global contributors, found that 92 percent of the 100,000 security incidents analyzed over the past ten years can be traced to nine basic attack patterns that vary from industry to industry. While the cybersecurity threat landscape is complex, organizations of all types can apply advanced security analytics to mitigate and manage the potential impacts of cyber threats. The DBIR indicates a drastic change in the types of attacks that threaten an organization’s intellectual property, financial information and customer data, and it provides specific steps an organization can take to combat the threats that are unique to its industry and its organization, whether in financial services, the public sector, manufacturing, retail or any other industry.

This year’s report has added a critical new tactic for addressing how this advanced threat landscape affects an organization: examining incident patterns. As attackers shift their strategies, the cyber defense industry is shifting too, moving away from a model built around identifying and remediating single attacks toward one in which threat actors and their behaviors are identified and blocked globally. As the world becomes more digitized, the opportunity for cyber-attacks is increasing and many of these attacks are becoming more sophisticated. The ability to defend against cyber-threats is now top of mind for most organizations and has them rethinking their traditional approaches to cybersecurity management.

According to Eddie Schwartz, vice president of global cybersecurity and consulting solutions at Verizon Enterprise Solutions, “With it, comes the need for more sophisticated cybersecurity programs that quite frankly are exceeding both the availability of human capital around the world and the capability of any one enterprise to execute alone.” To fill this gap, enterprises are looking to develop and execute hybrid cybersecurity-management models that combine an agile staff of in-house security-minded business experts with trusted managed security services across a broad range of capabilities such as identity management, security analytics and cyber intelligence, governance, risk and compliance. “Finding a trusted provider is critically important,” says Schwartz. Keeping up with the latest in cyber intelligence can be challenging for even the most seasoned professional.

Cyber-attacks on large corporations or governmental agencies may grab the big headlines, but in recent years cyber criminals have shifted their focus toward small and mid-sized businesses. Statistics reported in the Symantec Internet Security Threat Report 2013 revealed that companies with fewer than 250 employees were the focus of 31% of all cyber-attacks. Smaller businesses are often easy targets for cyber thieves because of weak or perhaps even nonexistent security measures. These types of businesses typically don’t have a dedicated risk management professional, much less a risk management team.

It’s important to protect against hackers and intruders at four primary levels: the system level, the network perimeter, the cloud interface and mobile devices. At the system level, encryption and human interface devices (HIDs) can be used to provide fundamental security. For the network perimeter, businesses should consider using firewalls, malware filters, data leak prevention and spam filters. For the cloud and mobile levels, also consider firewalls and malware filters, and include DDoS mitigation and anti-spyware technologies.

It is important to act before a breach occurs. Cyber-crime has cost small businesses more than $22 billion so far in 2014.