A new year means new opportunities – but also new updates to compliance requirements and potential security threats. Here are the top 5 security industry trends for the accounts receivables space in 2016:
1) 2015 State Data Breach Notification Requirements Will Continue to Expand
As of late 2015, approximately 32 states have considered security breach notification bills or resolutions. As of October 22, 2015, 70 state bills aimed at creating new or amending existing data breach notification laws have been drafted. The numbers so far: 21 failed, 29 are pending, and 20 bills or resolutions were passed.
Most of the legislation aims to amend existing security breach laws to:
- Require entities to report breaches to the appropriate attorney general or another central state agency
- Expand the definition of “personal information” (to include medical, insurance, or biometric data) in cases of a security breach
- Require businesses or government entities to implement security plans or various security measures
- Require educational institutions to notify parents or government entities if a breach occurs
Only three states – Alabama, New Mexico, and South Dakota – do not currently have a law requiring consumer notification of security breaches involving personal information.
Here is a current list of all data breach notification laws.
2) Targeted Social Engineering Attacks Will Increasingly Plague Business
Cybercriminals living in countries with lax enforcement of data security and hacking laws have become more targeted in their attacks on small- and medium-sized businesses. Because of the resounding successes they had in 2014 and 2015, this trend will grow in 2016. For example, a pair of Nigerian hackers used a keylogging tool called HawkEye to gain illicit access to satellite offices, slowly and silently gather information, and spread their malware to the main offices. Doing so enabled them to re-route legitimate payments for services to their own bank accounts. This type of attack has the potential to affect all businesses, regardless of size or vertical.
By using the social engineering skills gained from years of previous scams, hackers have been able to apply the relatively unsophisticated HawkEye (which costs less than $50 to buy on the dark net) to steal from unsuspecting businesses around the world – not just from Africa, Europe, and Asia, but also from U.S.-based businesses. Organized crime out of countries such as Russia and Ukraine has far more sophisticated, custom-developed tools with more features than HawkEye to target businesses, and the ability to stay hidden in your network for longer.
3) Ransomware Attacks Will Continue to Evolve
CryptoLocker blasted into cyberspace and onto personal and business computers everywhere in 2013, but this type of malware has been around since 1989 (when viruses were most often spread by the “sneakernet” via floppy disks). Ransomware has played a visible role in the ever-escalating arms race between malware authors and anti-virus firms. In August 2014, security firms FireEye and Fox IT somehow obtained the decryption keys from the cybercriminals and launched decryptcryptolocker.com, which was used by thousands of victims to decrypt their ransomed files. Eventually, the ransomware evolved and the hackers switched to sneakier methods of covering their tracks, so FireEye and Fox IT discontinued their now-useless web site.
At TECH LOCK we have seen several ransomware infections in the past year and they all seem to take advantage of two facts at small- and medium-sized businesses:
- A typical employee has access to far more files and file shares than they actually need to perform their daily job duties.
- Data backups are rarely (if ever) tested, and often are not backing up all the files that employees use on a day-to-day basis.
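The second point is the one a defender can check mechanically. The following is an added Python example (not TECH LOCK's tooling and not part of the original article) that verifies a backup copy against the live file share by hashing every file: it reports files the backup job never captured and copies that are stale relative to what employees are actually using. The directory layout and file contents are constructed sample data; in practice you would point `verify_backup` at a mounted share and a restored backup set.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large share files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source_root: Path, backup_root: Path) -> dict:
    """Compare every regular file under source_root with its counterpart under backup_root.

    Returns a dict with three lists of share-relative POSIX paths:
      missing    - present on the live share, absent from the backup
      mismatched - present in both, but the content differs (stale or corrupt copy)
      verified   - present in both with identical SHA-256
    """
    report = {"missing": [], "mismatched": [], "verified": []}
    for src in sorted(p for p in source_root.rglob("*") if p.is_file()):
        rel = src.relative_to(source_root)
        dst = backup_root / rel
        if not dst.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256_of(src) != sha256_of(dst):
            report["mismatched"].append(rel.as_posix())
        else:
            report["verified"].append(rel.as_posix())
    return report


def build_demo_tree(base: Path) -> tuple:
    """Constructed sample data: a 'live' share and a backup that silently
    skipped one folder and holds an out-of-date copy of one workbook."""
    live = base / "share"
    backup = base / "backup"
    live_files = {
        "finance/ar_aging.xlsx": b"AR aging workbook, version 3",
        "finance/invoices/inv-1001.pdf": b"invoice 1001",
        "hr/handbook.docx": b"employee handbook 2015",
    }
    for rel, data in live_files.items():
        target = live / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    # The backup job ran before the latest edit of ar_aging.xlsx and was never
    # configured to include the hr/ folder at all.
    (backup / "finance" / "invoices").mkdir(parents=True)
    (backup / "finance" / "ar_aging.xlsx").write_bytes(b"AR aging workbook, version 2")
    (backup / "finance" / "invoices" / "inv-1001.pdf").write_bytes(b"invoice 1001")
    return live, backup


def run_demo() -> dict:
    """Build the sample trees in a scratch directory and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = build_demo_tree(Path(tmp))
        return verify_backup(live, backup)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Anything listed under `missing` or `mismatched` is a file an employee would lose in a ransomware restore; an empty `missing` list only means the backup covers today's file set, so the check belongs in a scheduled job rather than a one-off audit.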
In August of 2015, Symantec released a report called The Evolution of Ransomware, which does a great job describing the history and trends of ransomware. The Symantec report shows the dramatic increase of CryptoLocker-type malware over the past few years.
4) Service Provider Due Diligence Will Become Much More Stringent
B2B companies (service providers) already experience Security Questionnaire fatigue – those extremely long Word documents or Excel spreadsheets with a hundred or more yes/no questions asking if a firewall is in place, if there is a security policy in effect, and so on. Years of checking yes to all the boxes has done nothing for the state of data security in the industry, and larger companies (banks, credit unions, creditors, and more) have been required by their regulators to put increased scrutiny on their vendors and service providers. At TECH LOCK, our clients have universally seen a marked increase in the level of scrutiny these companies impose on their service providers in 2014 and 2015.
2016 will see more onsite audits and independent, third-party data security assessments required of B2B vendors and service providers than ever before, especially those that deal with consumer data. Unfortunately, this will probably be in addition to those long, drawn-out security questionnaires rather than in place of them. We have seen less reliance on generic or subjective audits such as SSAE 16, SOC, and ISO 27000-series audits, and a greater reliance on objective audits with specific, prescribed testing procedures such as PCI DSS and HITRUST. Although these standards deal with specific data elements (credit card data for PCI DSS and healthcare data for HITRUST), larger companies have taken these and incorporated them into their security requirements. Experian’s EI3PA program, for example, takes all the security requirements for credit card data in PCI DSS and instead applies them to Experian-provided data.
5) Savvy Businesses Will Incorporate Data Security More Tightly Into Their Daily Operations
Are there dedicated Information Security staff at your company, or does IT bear the competing burdens of protecting your digital assets while keeping the servers running? Is your data security posture measured continuously throughout the year, or only for the few weeks prior to, during, and after an annual audit? Have you formally assigned responsibility for data security and compliance to a member of senior management who is knowledgeable about information security, or have you saddled your overloaded IT Director or IT Manager with this job? Does Operations work closely with IT and Information Security, or are IT and Information Security seen as the 21st Century equivalent of plumbers and janitors (only called when something needs fixing or cleaning)?
Businesses that have not appropriately aligned and implemented a metrics-based, independent-from-IT, properly managed information security program will fall further behind those businesses that have done so. According to the Verizon 2015 Data Breach Investigations Report, it only took minutes for attackers to break into a company in 60% of data breach investigation cases, and it took days or weeks for those companies to detect the breach. Worse, the trend from 2004 to 2014 (and beyond) seems to be skewing in favor of the attackers – successful breaches are happening faster, and companies are taking longer to detect them.
Since many of these breaches are taking advantage of the end user via e-mail phishing, social media, and more, the companies without a dedicated, independent and vigilant Information Security group will fare far worse in 2016 than those who do, and they will pay the price for it.
By Todd Langusch