By ID Assist
As businesses continue to welcome digital transformation with open arms, the challenges they face are increasing. Electronic data is widely used for daily operations. Small-scale organizations are using Big Data to analyze customer trends and maximize profits. In this era where data is costlier than oil, growing pools of personal and financial information are being shared and stored online. These growing volumes have also drawn the attention of cybercriminals to financial institutions and individuals, with the intent of committing data breaches and identity theft.
Data Breach and Identity Theft Overview in Numbers
Data breaches and identity theft are the major contributors to cybercriminals’ growing pockets. Cybercriminals have continued to evolve and develop new mechanisms to commit financial fraud. A Data Breach Report from Risk Based Security and an Identity Fraud Study from Javelin Strategy & Research for 2019 show a few interesting figures:
- There were 5,183 breaches reported in the first nine months of 2019 exposing 7.9 billion records.
- Compared to Q3 2018, the total number of breaches was up 33.3% and the total number of records exposed more than doubled, up 112%.
- 70 percent of data breaches happen against companies with fewer than 100 employees.
- The cost of a data breach has risen 12% over the past 5 years to US$3.92 million per incident on average.
- The healthcare sector was the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging US$6.45 million.
- In Q3 alone, six breaches exposed 100 million or more records, accounting for 3.1 billion records exposed between July 1 and September 30, 2019.
- Identity theft numbers have fallen from 16.7 million in 2017 to 14.4 million in 2018.
- However, the same study revealed that identity fraud costs for the victims have nearly doubled to US$1.7 billion in 2018 as compared to 2016.
- Mobile phone account takeovers are major contributors to the rising identity theft numbers. The reason: these takeovers have nearly doubled to 680,000 victims in 2018, compared to 380,000 in 2017. A hostile mobile phone account takeover lets attackers bypass two-factor (2FA) and multi-factor (MFA) authentication techniques.
- Good news: the study shows that using embedded chip cards is helping to keep attackers at bay for card fraud. Card fraud has shown the steepest decline as compared to other fraud types in 2018, with losses recorded at US$14.7 billion in 2018, down from US$16.8 billion in 2017.
Personal information is valuable to hackers not just because they gain access to an individual’s financials through identity theft, but also because every record holds a price tag on the dark web. These records sell for anywhere from a few dollars for credit card details to a few thousand dollars for medical records. Due to the kind of money involved and the personal privacy at stake, nations around the globe are now taking data breaches rather seriously, and Canada is not far behind.
The Personal Information Protection and Electronic Documents Act (PIPEDA) underwent changes that took effect on November 1, 2018, significantly affecting the compliance requirements and data breach reporting of Canadian businesses. Since the implementation of the improved PIPEDA version, the Office of the Privacy Commissioner of Canada (OPC) has received reports of 446 data breaches between November 2018 and June 2019, which have affected around 19 million Canadians. This is a drastic rise of nearly six times in the number of reports received compared with the same period between November 2017 and June 2018.
Of the 446 breaches reported to the OPC:
- 59 percent reported the reason as hacking mainly due to “internal bad actors”.
- 22 percent were from accidental disclosures, such as information being sent to the wrong person or being left behind.
- 13 percent of reports accounted for the physical loss of data. This includes, but is not limited to, USB drives, corrupt hard drives and even paper files.
- 6 percent of the breaches were due to physical theft of things like computers, drives or paper files.
There are a number of steps that an organization can take to mitigate and manage data breaches.
Best practices to mitigate data breach risks
- Training & awareness: The most important and often overlooked entity is employee training. As the above data suggests, most breaches occur due to internal bad actors. Thus, spreading awareness across various levels of the organization is of utmost importance.
- Vulnerability assessment: Find loopholes and secure IT infrastructure/architecture. Regular IT audits, vulnerability assessment of entire system architecture and patching the identified threats should be carried out thoroughly and regularly.
- Budget allocation: Include cybersecurity in your company’s annual budget for allocating and hiring the necessary resources.
- Outsource cybersecurity: Outsourcing ensures that unforeseen security risks are mitigated and that data breach response is handled by the respective domain experts. This reduces the risk of future attacks as well.
Managing a Data Breach
We can take adequate measures and follow best practices; however, being 100 percent secure is a myth. Even heavyweight corporations such as Capital One, Marriott, and Desjardins (we will elaborate more on the Desjardins data breach later) have not been spared from data breaches and identity theft scares after pouring millions into cybersecurity. What businesses today need to have ready is a solid plan of action for when data breach security and prevention measures have failed.
So how do we manage a data breach and minimize the damages? We can divide it into 7 steps:
- Don’t panic: Pressing the panic button often leads to chaos. Instead, sit back and assess the damages. Be sincere, admit your company’s mistakes and shoulder responsibility.
- Communicate: Inform both your internal stakeholders (employees, managers, PR team, etc.) and external stakeholders (clients, end-users, press and media).
- Provide details: After conducting cyber forensics, provide accurate data breach details to all stakeholders. Explain what went wrong.
- Provide solutions: Designate a team to provide solutions for affected users. Guide them through the process and provide them with a solution to the ongoing problem.
- Provide monitoring services: Your customers are already troubled and tense, but a helping hand in times of crisis helps regain their trust in your company. As a value-add and confidence-building measure, give them an offer that they can’t resist. Along with 24/7 assistance, provide users with secure solutions such as identity protection and credit monitoring for free.
- Train and educate: The biggest mistake that companies often make is neglecting the fact that this can happen again. Train your employees and explain how to prevent similar issues in the future.
- Discuss: Involve everyone, your C-suite, clients, experts, analysts, media and general public. You never know who might just end up giving you a million-dollar solution.
As mentioned earlier, let’s consider the Desjardins data breach and its incident response. It is one of the prime examples of how an incident response can be handled efficiently. Desjardins ticked off almost all the boxes of data breach management. Have a look:
- Maintained transparency (with internal and external stakeholders)
- Went public (Reported it to the OPC and gave a press release)
- Provided unconditional support to government authorities and its customers
- Found the root cause of data breach (breach took place due to an internal employee)
- Got it fixed (Fired the employee and notified OPC about it)
- With new findings, Desjardins updated the data breach records number and kept OPC and press in the loop (number of records stolen went from 2.9 million to 4.2 million)
- Provided credit monitoring to all members who do banking with Desjardins, current and past — an estimated 8 million people across Canada.
Executing such a systematic incident response plan not only shows transparency of processes to your clients but also reinstates their trust in your company, which is the basis of PIPEDA. As we have already seen, the question isn’t if your data will be compromised. The question is when. So, what should you look for in a solution?
A solution like ID Assist has all the features to protect your company from identity theft and data breaches.
What is ID Assist?
ID Assist is the 911 for data breaches. It’s a turnkey solution that can be deployed immediately to limit the damage for your customers, and your brand, in the event of a crisis. Canada has two primary credit reporting agencies, Equifax® and TransUnion®, which record information received from creditors. A single lender may use one or both credit reporting bureaus to check your customers’ creditworthiness. Thus, ID Assist holds the upper hand here, as it provides dual-bureau credit monitoring to its customers. It also acts as an early warning system that alerts customers and helps limit the damages caused by identity theft and financial fraud.
At times, monitoring alone is not enough, and if your identity has already been stolen, ID Assist will still be there for you. How? It provides full expert restoration assistance to all its customers, along with a certain degree of legal assistance through a limited power of attorney. This means all your bases are covered and you may now heave a sigh of relief!
From the above narrative, we can conclude that data breaches and identity theft can affect all types of businesses and individuals whose data is shared or stored online. It means that having a data breach prevention plan for defense and an incident response plan as an offense to such attacks is no longer an option; it’s a must-have, and unique service providers such as ID Assist perfectly fit the bill for being an integral part of this plan. Frequent security assessments, IT audits, patch fixes and a set of fixed guidelines in the form of an incident response plan help in minimizing the loss of data and, more importantly, your clients’ trust.
Start your breach readiness plan today – make sure your organization is ready with ID Assist.