The Ugly Aftermath of a Breach- Rivaling Many Natural Disasters

Coauthored by: Carolyn Crandall and Mackenzie Blaisdell Mother Nature can make quite a mess with her natural disasters. They are often harsh, difficult to clean up, and force a community to rethink their defenses. Just like the countless natural disasters the world has witnessed over the past few years, organizations have witnessed massive breaches wreak havoc on their business and their customers, leaving them all too often with an ugly mess to clean up. The perils of natural and cyber disasters share many of the same perils

Much like with a natural disaster, repairing the damage done during a data breach is not an overnight fix and can extend into multi-year endeavors that include painful public relations headlines, costly insurance claims, lengthy ongoing investigations, and the loss of customers from a tarnished brand image. While organizations are attacked on an ongoing basis, many have not yet experienced the impact of a material breach. This blog will outline what an organization can expect to deal with after a data breach and why implementing early threat detection technology into an organization’s security infrastructure is critical for breach prevention.

It is noteworthy to point out that every company that was breached in 2017 had a firewall and deployed anti-virus, some with very robust prevention security controls. The weak link and root cause of the breach… lack of visibility to in-network threats until it was simply too late. On average it takes organizations 99 days from compromise to delivery to detect a threat, which affords attackers ample time to complete their mission.

To change this, it will require a mentality shift
– The goal of your cybersecurity program should focus on eliminating the consequences of a cybersecurity breach – not only on preventing them.
– Operate a compromise-ready organization and be prepared to respond.
– Think about security from the perspective of an attacker and understand that when you close one door, they will enter through the next.
– Understand your risk profiles and build an active defense.

For organizations that don’t shift to a defense built for prevention, detection, and actionable response, the consequences can be dire.

Here are some unfortunate consequences that a breached organization will be forced to address:

Financial Consequences
From impact to company valuation, to loss of sales, and fines, a breach can impact your bottom line. According to research conducted by the Ponemon Institute, there is a 5% drop in average stock price the day that a data breach is announced and an average of $2 to $4 million in revenue losses. The lack of customer trust that inevitably follows a breach also has a major impact on the financial state of a company. Research shows that 31% or more of consumers discontinue a relationship with a corporation after a breach has been announced. Fines can also be staggering as seen by Anthem Inc, providers of Anthem Blue Cross and Blue Shield health insurance, who agreed to settle a class action lawsuit at the tune of $115 million dollars over their 2015 data breach cyber attack. 21st Century Oncology, Inc. (21CO), a provider of cancer care services and radiation oncology, agreed to pay a $2.3 million fine to the HHS after compromising the PHI of over 2 million patients. For large corporations, paying a $2.3 million fine may be feasible, but for a small business, a $2.3 million fine could very well put them out of business.

Legal Repercussions
We are all familiar with the infamous Yahoo data breach of 2014 affecting 500 million users. Unsurprisingly, this breach resulted in the biggest class action lawsuit in history. Only a week after the breach was announced, attorneys filed a negligence lawsuit against the mega tech organization for failing to protect customers’ personal information.

In the weeks and months following a data breach, expect litigation notifications to flood in, initiating a costly process that can take years to close out. In the United States alone, over the past two years, upwards of $370 million was paid in data breach settlements.

Some of the legal ramifications that can result from a data breach include claims such as negligence, breach of contract, fraud, violations of various state consumer protection statutes, and, for financial institutions, a possible violation of the Fair Credit Reporting Act.

Additionally, if it is discovered that an employee of an organization with knowledge of a data breach sells shares prior to disclosure, outside of their predetermined trading plan, they could potentially be faced with an insider trading lawsuit and a law enforcement investigation.

New laws on data breach disclosure are also upping the ante. The Data Security and Breach Notification Act, which was introduced in December 2017, would require companies to report data breaches within 30 days. If an individual knowingly conceals a data breach, they could face up to five years in prison. For context, in the Equifax (EFX) hack, which exposed names, social security numbers, and other private data on more than 145 million people, it took the credit reporting company 41 days to notify the public of the breach.

GDPR regulation states: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55.” “A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The penalty for noncompliance isn’t jail time but hefty fines. GDPR fines (administrative fines) can go up to 20 million Euros or 4 percent of annual global (note global!) turnover, whichever of both is highest.

Investor Backlash
It is becoming increasingly commonplace for investors and shareholders to hold a company’s executives responsible when it comes to cybersecurity matters, particularly data breaches, citing violations of fiduciary duty, waste of corporate assets, and gross mismanagement.

Following the Target breach, shareholders filed a suit against 13 directors and executives, claiming a waste of corporate assets and a breach of fiduciary duty. The lawsuits and merciless complaints taken up by shareholders throw executives into a danger zone, putting their reputation and careers at significant risk.

While the Target suit was dismissed, it was not without hefty legal costs. Attorneys will not likely cease to aggressively pursue legal action to exploit breached organizations. Public frustration from being impacted by breaches will also fuel public contempt and an increased level of aggressiveness as they seek to make these organizations pay a staggering price for “weak” security controls.

Troubles with Law Enforcement
Depending on the severity and nature of the data breach, the information stolen, and the remediation actions taken by the organization, both state and federal law enforcement authorities may look to crack down on negligent organizations.

The Federal Trade Commission will seek to sue if an organization neglects to live up to their stated security standards or just generally fails to provide adequate security. Time and again, we have seen the FTC and the FCC act against a company who fails to protect customer data. In an unprecedented data security enforcement action, in 2014 the Federal Communications Commission (FCC) joined the ranks of federal and state regulators imposing fines for data security breaches, levying a $10 million fine against two telecommunications carriers for storing personally identifiable customer data online without adequate security safeguards. This has set the foundation for additional fines for companies seen as negligent in their data security efforts.

These crackdowns can take many forms and may involve differing government organizations based on the breached organization’s sector. For example, if a company is found to have violated the Health Insurance Portability and Accountability Act, the Department of Health and Human Services will get involved. 2017 started the year with a bang. The first HIPAA Enforcement Fine for lack of timely HIPAA Breach Notification cost Presence Health $475,000. The second 2017 HIPAA Enforcement Fine was for failure to Conduct a HIPAA risk analysis and implement safeguards. This cost MAPFRE Life Insurance Company of Puerto Rico $2,200,000. In the largest HIPAA enforcement settlement to date, federal regulators gave Chicago-based Advocate Health Care a $5.55 million fine after investigating three 2013 breaches.

Have You Been Through a Breach?
The answer to this question tends to have an impact on one’s outlook and approach to security. All too often, those that experienced a breach found that they had become overly reliant on prevention infrastructure, which led to gaps and the ability for an attacker to remain undetected once they had bypassed these controls. In some cases, detection mechanisms were in place, but they were not designed to catch an in-network threat throughout an attack life-cycle or they were so noisy that the alerts went untended to. Analysis of post-breach incidents point repeatedly to the lack of visibility as attackers move laterally, harvest credentials, and deploy shell code that may sit dormant until needed.

It is essential that the cybersecurity infrastructure of organizations continues to evolve, mature, and respond to the increasingly sophisticated tactics and capabilities of cyber-criminals today. Organizations that seek to effectively detect and respond to these modern attackers must have cybersecurity strategies that provide a balance of offensive and defensive security measures. This is only achieved through a shift from prevention-based security controls to more comprehensive and adaptive defense approach that includes early detection and response capabilities.

Whether your organization has been victim to a data breach or you are challenged to answer the question of how well you know what threats are lurking in your network, deception opens the door to a new approach and high-fidelity answer to threat detection. Deception works accurately and efficiently for early detection of in-network threats, regardless of the attack vector. The key here is early detection. Deception does not need time to “get good”, meaning it adds value immediately by providing visibility when other security controls have failed. The Attivo ThreatDefend platform also goes one step further by only alerting upon engagement and by providing the substantiated alert required for actionable incident response and remediation.

Regardless of whether or not you believe your community has the most sophisticated stack of defences to protect against a natural disaster or even a data breach, everyone needs to know quickly and accurately what’s lurking in their environment. Deception is well worth a look for derailing attacks and for providing the counter-intelligence to keep them from successfully coming back again.