Learning from 2018 cybersecurity incidents: Perform due diligence
Cybersecurity incidents continued to plague companies in 2018. Experts weigh in on the lessons learned and consumer responses to the largest information security breaches of the year.
With data breaches becoming a daily reality, it's nearly impossible to know which breaches will remain influential or impactful throughout the course of a year. For this cybersecurity roundup, we chose to focus on analyzing Under Armour, Cambridge Analytica-Facebook, Uber and Marriott Hotels as the most powerful 2018 cybersecurity incidents.
Not all information security risks are data breaches, but all data breaches are a security risk. Consumer data breaches can reveal personal information, payment methods or security information about a company, its employees or its users. While breaches can be in security -- such as malware or mainframe hacks -- or the acquisition of data, the cost and impact of a breach continues to skyrocket.
Ponemon Institute's 2018 Cost of a Data Breach study found that the average total cost of data breaches has skyrocketed 6.4% to $3.86 million. Data breaches impact a company's bottom line by affecting consumer trust, but recent breaches have begun to factor in the cost of time between breach and disclosure -- their due diligence and breach response plan.
Due diligence and disclosure
What are concrete ways that companies should ensure data security and reduce breach risk in 2019? Experts recommend due diligence, internal audits and a disclosure procedure, especially as laws like the California Consumer Privacy Act and GDPR begin to go into effect in 2019 and 2020.
One of the massive 2018 cybersecurity incidents was when Marriott/Starwood hotels suffered a massive breach of customer information -- over 327 million records containing addresses, phone numbers, email addresses, arrival and departure information -- early this year and waited nearly two months to disclose. Upon disclosure, Marriott revealed that the breach had impacted users as early as 2014. Though disclosure was performed, Marriott's monitoring process failed to use due diligence to constantly monitor the security framework.
Uber's breach began in 2016, and disclosure, notification and security due diligence didn't begin until 2018. Their previous breach called for an independent privacy officer, but their legal department tracked down hackers and paid them to deny a breach had occurred.
"It was less the breach and more the cover-up that angered everybody. The takeaway from that is that you have to be transparent with your customers if there is a breach," said Paige Boshell, managing member at Privacy Counsel LLC.
Cybersecurity changes so rapidly that you really need to be working with somebody who's got aggregate data on all the other threats across other companies.
Marty PuranikCEO, Atlantic.Net
But what happens when the company acquires another company and inherits a legacy system or outsources? In the event of a breach, who is responsible?
Pinning blame requires digging deep and assigning a cascading level of responsibility, said Vijay Pullur, ThumbSignIn CEO.
"It's really difficult when there are really complex systems in operation. You can only pinpoint the final point where the loss occurred; for example, you can find the place of the information loss. But if you go back and dig deeper, many times it is not even something even in [a company, such as Marriott's control], but rather a networked company," Pullur said.
Security as sales
The Ponemon study also noted that a significant part of calculating the cost of a data breach is factoring in decreased brand reputation and loss of consumer trust; the impact of the breach extends to the loss of current and future customers.
After their recent breach disclosure, Under Armour stocks fell over 3% as users began to delete apps and shy away from the brand name, despite the fact that breach notice happened in just a few days. Experts say that during 2019 cybersecurity, minimal breaches and adequate data breach response plans will become a business differentiator.
"Customers will be far less tolerant in high-quality brands -- buyers have the expectation that they're going to have better security -- like Apple saying, 'We don't sell your customer data; we have a security chip in our new laptops.' They go out of their way to say we take your privacy very seriously," said Marty Puranik, CEO at Atlantic.Net and cybersecurity expert.
If the previous year of data breaches and consumer reaction to them has taught companies anything, it's that 2019 should be about finding a way to build security as a means of bolstering consumer confidence and brand name.
Looking toward 2019
Companies, conferences and programs dedicated to cybersecurity continued to increase in popularity in response to the many 2018 cybersecurity incidents. Experts encourage companies to continue taking an active role in their data security, especially with compliance regulations coming into effect.
"The idea of being a lone ranger trying to protect against all current threats is going to diminish over time," Puranik said.
"The future is going to be firms of data security that look at threat posture and assessment that companies will be able to hire," he added. "Cybersecurity changes so rapidly that you really need to be working with somebody who's got aggregate data on all the other threats across other companies."
