The growing threat of data breaches

Article


Ransomware, breaches and more: evolving cyberthreats in the pandemic era

Cybercriminals are targeting more diverse data sources, to sell and to use for extortion. The first article in our new cybersecurity series, "Ransomware, breaches and more: evolving cyberthreats in the pandemic era", looks at how the pandemic has accelerated both the evolution of cybercrime and the ways organizations need to protect themselves.

While the COVID-19 pandemic may have slowed life down for many people over the past year, for cybercriminals it was mostly business as usual. In 2020, security firm Risk Based Security (RBS) found that while publicly disclosed data breaches did fall by 48%, the volume of records that were compromised jumped by 141%. That represented a total of 37 billion stolen records, up from about 15 billion in 2019, an increase that’s due to the broader scope of data modern criminals are targeting. Measures taken to contain the pandemic have made it easier for attackers to steal information. In particular, the work-from-home mandate of many organizations has opened the door wide for savvy cybercriminals: employees are using their personal computers for company work, they’re connected to poorly secured home networks, and they’re using more internet-connected devices, all of which increases the exposure of work data.

Between 2015 and 2020, the number of stolen records increased by 4,379% according to RBS, and with remote work likely to remain more prevalent after the pandemic ends, the number of stolen records will surely rise. Unfortunately, decentralized systems, such as a workforce operating offsite, make it difficult for organizations to respond quickly to data breaches.

The potential for a data breach is one of three significant emerging threats that companies must carefully consider as they plan their post-pandemic operating environment. The two others, which are covered in the second and third installments of this series, look at how criminals are stealing people’s physical data and at the ever-evolving threat landscape. In general, threat actors are becoming more sophisticated, they’re stealing more information, and the majority of companies have no effective way to protect themselves when a breach occurs.

Stealing from more sources

Historically, attackers have targeted credit card and social insurance numbers, and so companies have over the years developed effective strategies to protect this kind of information. Attackers are therefore getting more creative, which is becoming easier as more devices are designed to be operated over the internet.

Take home thermostats, for example: the data stored in “smart” thermostats can help criminals identify behavioural schedules, such as when occupants are likely to be at home or away, based on the room-temperature setting. The criminals can use that information to plan other kinds of activities.

Furthermore, research has shown that some smart thermostats have vulnerabilities that, once exploited, allow remote attackers to monitor activity across the network the thermostat is connected to and send that information back to themselves. With a plethora of Internet of Things (IoT) devices now installed inside homes and businesses, including data-collecting dryers, information-rich mobile apps, and more, the variety of data a threat actor can access has grown exponentially.

This plethora of internet-connected devices and apps also means that protecting a single entry point isn’t enough. Attackers have become more adept at piecing together bits of information to form a more complete view of someone’s life. They may have GPS information from a cell phone, photos they’ve grabbed from social media, and purchasing information from a credit card. Put all of that together and an ill-intentioned individual can learn a lot about their target’s personality, their family, and how they spend their days—and then use it to exploit their target’s vulnerabilities.

Holding people hostage

Threat actors can use that complete picture to create more personalized scams. That’s why a medical record, which is full of sensitive and specific information about an individual, is now far more valuable to attackers than a credit card number. According to one cybersecurity provider specializing in threat detection and response, a health-care data record could net up to US$250 on the black market while a credit card number may fetch just US$5.40. If a criminal knows that a person has a certain illness, they can create an email to look like it’s coming from the person’s doctor. The target will be far more likely to open something that appears to be from a trusted source than if it was a general phishing email.

This is important because of the way threat actors are now targeting both individuals and companies. Many are using sophisticated campaigns to trick people into putting malware onto their network, which is then used to shut down their systems; the attackers promise to restore those systems in exchange for a ransom. In 2020, Deloitte observed a sharp increase in such ransomware attacks across all industries. The amount of the demands also rose, including some for many millions of dollars.

These attacks can be devastating, as they essentially hold a person or a business hostage until a ransom is paid. If a company doesn’t pay up within a certain time frame, the attackers could start releasing sensitive information or informing its clients, suppliers, and/or others that the business has been compromised. Companies tend to pay these ransoms because it can be even more costly to have a system offline for more than a day.

More protection ahead?

Over the last few years, new laws and regulations about how companies should protect the information in their care have come into effect. These include privacy laws and requirements, which relate to how organizations should safeguard personal information in a breach—such as the European Union’s General Data Protection Regulation (GDPR)—and specific rules for financial companies, such as the ones set out by Canada’s Office of the Superintendent of Financial Institutions (OSFI). Canadian privacy laws are currently being updated to increase the obligations and fines for non-compliant organizations.

Cyberattacks can also have a significant legal impact on a business. In many cases, victims of a data breach will launch a class action lawsuit, accusing the company of not doing all it could to protect their information and of not responding appropriately to the incident. Fines are being introduced in Canada for companies that don’t respect privacy and breach notification obligations. To mitigate their cyber risk, it’s important for organizations to follow not only their legal obligations, but also the leading practices of their industry.

In Canada, work is currently underway to improve the protection of individuals and businesses. In November 2020, the federal government introduced Bill C-11, known as the Digital Charter Implementation Act (DCIA), which could significantly change Canada’s private sector privacy framework. It includes elements from the existing federal privacy law–the Personal Information Protection and Electronic Documents Act (PIPEDA)–and the GDPR in Europe. It also codifies much of the Office of the Privacy Commissioner of Canada’s (OPC) previous regulatory guidance on key privacy issues. The goal is to give individuals more control over their personal information and provide companies more clarity on their data protection-related obligations.

Review data protection practices

There are several things business leaders can do to protect their company, their staff, and their clients. The first is to figure out what kind of information would appeal to threat actors and which sensitive pieces of data, if stolen, could result in reputational, financial, or operational damage for the company’s stakeholders. The next step is to determine what kind of regulatory, legislative, or commercial laws or requirements must be followed in order to protect that information. Then apply good industry practices to cover any nuances that may not be captured in general regulations.

Next, leaders should look at what their organization is currently doing and how that compares to the requirements it must abide by. Most will discover a gap they’ll need to close, which they can do by developing a multi-year road map, complete with milestones to ensure progress is being made, and incorporating any new requirements that may come up over time.

It’s also important to educate employees about the importance of cybersecurity, especially now that many may be working from home, and to ensure they have the appropriate tools they need to do their jobs so that they’re not using personal technology, which may not have the right protections.

Working with a company that can help develop a strong cybersecurity plan as well as respond to breaches is critical, especially with attackers becoming more sophisticated all the time. While protection is steadily improving, the threat of a breach will never go away.

In the next article, "Stealing physical data in a digital world", we explore how work-from-home is increasing the risk of a cybersecurity incident.


Acknowledgments

Adrian Cheek
Manager, Threat Intelligence & Threat Hunting, Deloitte Cyber Intelligence Centre

Hélène Deschamps Marquis
Partner and National Leader, Data Privacy and Cyber Security Law Practice

Beth Dewitt
Partner and National Leader, Data Protection and Privacy and Board Director
