The Changing Risk Climate: Why Size Doesn’t Matter
Even a decade ago, no one would have predicted the magnitude of data breaches that has become commonplace today. In 2008, the Heartland Payment Systems breach exposed information from 130 million credit card holders; in 2011, personal information from 78 million Sony PlayStation users was breached[1]; last year’s Target breach affected as many as 110 million customers; February 2015’s Anthem Healthcare breach may have affected up to 80 million customers; and the list goes on. The causes of big breaches are numerous: big data and information integration provide a larger attack surface, and criminals are becoming more adept at acquiring and exploiting personal information. But mind-boggling as the numbers are, security professionals, from CISOs and breach response managers to cyber-insurance carriers, need to keep in mind that size is not the only factor that determines the potential impact and cost of a data breach. New threat actors and new agendas are changing the risk climate and complicating the tasks of breach prevention and response.
The New Cyber-criminals
A decade ago, data breaches rarely made national headlines, and the most common causes tended to be a lost laptop, insider theft, or small-time criminals stealing records with the intent to commit financial fraud. Now breaches make headlines almost weekly, and the stories show a whole new cast of threat actors turning to cyber-attacks to achieve more complex ends.
The most recent Sony breach is still believed by many to have been a result of a government-sponsored cyber-attack by North Korea to stop the release of the film “The Interview,” but the damage went far beyond hurting sales from a single film. The hackers released multiple films to file-sharing sites, impacting revenues from planned 2015 releases. Salaries and damaging emails of top executives, employees’ personal information, and the company’s security certificates, passwords, and other credentials were released on text-sharing sites. The stolen credentials were used to introduce malware and mount DoS attacks that brought down systems and reportedly stopped film shoots because the studio couldn’t process payments. Marketing and other business strategies were posted online, as was personal information from celebrities who worked with the studio. And the news on all of this gave credence to threats of terrorism against theaters planning to release the film.
The Sony breach is a model of many of the new risks surrounding data breach: disruption of business operations; intellectual property theft; public embarrassment; damaged relationships with business partners, clients, and employees. But other breaches in the news reveal additional threats. With the recent Anthem breach, there was speculation that organized cyber-criminals may hold medical records for ransom, demanding payment for not releasing the information online or to other criminal groups. And in healthcare breaches, where lives can literally be at stake, no provider can afford to ignore a threat of compromise to patient medical records.
Sizing Up the Risks
As the risks from data breaches have evolved, responses need to evolve as well. For years, the wisdom has been that the biggest breach risks are identity theft from compromised personal information, lost business due to customer defection, and possible regulatory fines if the organization is found to be out of compliance. If the breach was large enough to meet regulatory requirements, the proper response was to report it, provide credit monitoring for the affected customers, and mount a good PR effort.
Today’s breaches present more complex risks. For example, no longer content with credit monitoring, breach victims are now bringing lawsuits and winning. Target just agreed to a $10 million settlement to consumers in a class-action suit resulting from last year’s point-of-sale breach. A group of Sony ex-employees has brought seven federal class action lawsuits and two state court claims blaming the breach of their personal information on negligence. Last year, the West Virginia Supreme Court ruled that health care breach victims have the standing to sue, and the first class-action suit related to the Anthem breach began preparations within hours after the breach was announced, quickly followed by several more. Settlements in even individual medical identity theft cases could run to millions of dollars, enough to put a mid-size provider out of business.
Damage to business relationships is also not a function of breach or company size. The most recent Sony breach has not set records for the amount of personal information that was compromised, but if leaked phone numbers or terrorist threats weaken relationships with the celebrities and theaters that Sony depends on, the financial damage could rival the biggest breaches of all time. And Brad Pitt (whose phone number is reported to have been breached) would probably not be impressed with an offer of commodity credit monitoring.
Middle-market organizations can have data breach risk exposure that is just as high as that of Fortune 500 companies when it comes to the value of their data assets and their potential for becoming targets of cyber-criminals. Regional insurer Premera Blue Cross is facing five class-action suits over a May 2014 breach resulting from a cyber-attack. An 18-bed county hospital in Illinois made news in December when hackers threatened to make 12,000-plus patient records public unless the hospital paid a ransom. And in October 2012, the Russian firm Kaspersky discovered that a cyber-attack called “Red October” had been exploiting Microsoft Word and Excel vulnerabilities to steal data from research firms, energy companies, and other infrastructure providers of various sizes since 2007.
Coming Out Fighting
2015 is the beginning of a new era in data breach risk. Corporate employee negligence and for-profit hacking are giving way to offshore organized crime and state-sponsored cyber-terrorism. Cyber-criminals are transitioning from targeting retailers and others where credit and financial information is available to higher-value targets such as healthcare and other industries with vulnerable customers and high-value intellectual property.
Those responsible for privacy and security, from the board and executive level to insurers, need to be better informed and prepared, thinking beyond size to the multi-faceted risks to their organizations, customers, and careers entailed by data breaches.
When risks were primarily a function of breach size, the largest organizations—those holding the most data, and, presumably, those with the biggest response budgets and cyber-insurance policies—tended to be the most likely targets. With new threat actors and agendas, mid-size organizations are becoming targets because of the valuable information they hold. And mid-sized organizations may not have the security resources or insurance coverage of a Target or Sony. Risk assessments and preparation are key to mitigating the impact of future breaches, both for the businesses themselves and for their cyber-insurance providers. As Mark Twain said, “It’s not the size of the dog in the fight, it’s the size of the fight in the dog.” In the new breach landscape, every information stakeholder must be ready to come out fighting.
[1] Palermo, Elizabeth. “10 Worst Data Breaches of All Time.” February 6, 2015. http://www.tomsguide.com/us/biggest-data-breaches,news-19083.html
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.