The Vice President, Data Breach Resolution of Experian, Michael Bruemmer, explains the ABCs of what a data breach is. This is essential reading about quick breach resolution.
Today, be it ordering food or making payments, we have rapidly moved to the digital haven of technology. The more digitally savvy our world is becoming, the more exposed we are to data threats. In this interview, the Vice President, Data Breach Resolution of Experian, Michael Bruemmer addresses data breach issues and shares insights on what data breach resolution is.
Experian helps individuals and businesses to make smarter decisions and lend finances more responsibly, so organizations can prevent identity fraud and crimeOpens a new window . We discuss how data breaches may lead to identity theft and can be a big threat to small businesses.
Michael talks to Toolbox about how companies can best prepare themselves to respond to data breach issues. He points out key areas of improvement and the costs involved to manage and resolve a data breach. As an expert in the field, Michael answers questions on: How data scientists and tech professionals can deal with data breach? What steps should IT practitioners take to counter security threats? Which major trends to follow in this space that will leave an impact in 2020?
Key takeaways from this interview:
- Stepwise guide to identify security threats for tech professionals
- How to design data breach review programs
- Trends to track that prevent data threats in 2020
Learn how to develop an effective data security plan as Michael shares his trade secrets with Toolbox:
Michael, to set the context, what is data breach resolution?
Data breach resolution is the process that prepares and supports companies that have experienced a data breach. Companies that receive data breach resolution services are assisted throughout the data breach response process to minimize the negative impact to the brand. From notifying the impacted customers and/or businesses, to resolving the issues, data breach resolution guides the company towards an effective response to the impacted parties. Whether it’s a hacking, skimming or phishing occurrence, data breach resolution has evolved to ensure companies are able to navigate their specific data breach case based on the type of incident that occurred.
If an organization faces a data breach, what are the true costs of managing it? What are your recommendations for organizations which are ill-prepared to counter security threatsOpens a new window ?
The Ponemon Institute reported that the average cost of a data breach in 2018 is up to $3.86 million, which is a 6.4 percent increase from 2017. The financial cost to manage a data breach varies based on the type of breach, the extent of the damage caused by the breach and many other variables pertaining to the company and their incident. For those businesses that have already committed the resources to have a data breach plan in place, they will have less of a cost to manage it compared to an organization that wasn’t prepared to handle a breach. Companies that have a data breach plan in place can quickly communicate appropriately to the affected customers and/or partners. By doing so, brands will minimize the damage to their reputation by taking swift action and diminishing the opportunity for a backlash against the company, which will decrease sales. In addition, the thorough communications to customers and partners will enable businesses to take the initial first step of regaining the trust of customers and other organizations.
Also Read: Setting Big Data Standards to Improve Data Collection and UsabilityOpens a new window
There’s a lot of anxiety around data breach issues such as identity theft and internet security. What are your tips for data scientists and tech professionals on how to deal with data breach issues?
Data scientists and technology professionals should stay educated about the emerging cybersecurity solutions and techniques being utilized. By staying abreast of emerging threats, professionals will be better prepared to handle data breach issues. In fact, being knowledgeable of cybersecurity practices should empower individuals to be an ambassador within their company to encourage all employees trained to ensure data breach protocols are being followed and implemented throughout the organization. To limit the anxiety of employees, businesses can work with cybersecurity experts to better educate their staff and develop practice drills for the team to refine their response tactics for a data breach.
For a deeper understanding of data breach and its operations, how does a ‘fraud response cycle’ work?
When putting together a data breach response plan to address fraudulent activity, a business’ data breach response team should identify all top security risks and potential data that could become compromised. A business should create an audit of previous data breaches and threats, incidents that occur in the industry, the business’ current data breach responses practices in place and how the plan might evolve over time. Depending on the sensitivity of data at hand, an organization might want to adjust its communications internally and externally, but when it comes to identifying the top security risks, it’s better to be as specific as possible.
Do you feel early breach detection is critical for cybersecurity professionals? How does it impact data security?
Absolutely, the earlier a cyberattack is identified, the quicker the issue can be addressed and unauthorized access to data stopped. Oftentimes, hackers are permeating systems for long periods of times using the drip method of stealing small pieces of data to test the security before taking the entire data set. Securing the area that was breached by cybercriminals enables the company to reduce any further exposure. In addition, if the breach is spotted quickly, it provides the hackers with less time to cover their path to access the data. The use of real-time monitoring solutions enables employees to receive alerts of a breach to move quickly to resolve the issue.
If a CTO had to implement a data breach review program, what are the typical missteps s/he should avoid?
A misstep that is taken with the implementation of a data breach review program is believing the program is complete. Cybersecurity strategies are constantly evolving, so a company’s program needs to remain up-to-date and adjust the program to address the current cybercriminals strategies. By not updating the program with the latest industry knowledge, an organization is increasing its data breach vulnerability. In addition, not viewing cybersecurity as a priority is a major misstep—a single data breach has the potential to damage the reputation of the company. Brands should wisely allot time for a data breach review program assessment to accurately evaluate the materials and resources, so the proper procedures can be implemented to prevent a future data breach.
Also Read: How to Use Biometrics to Ensure Security: An Interview with Ned Hayes of SureIDOpens a new window
What are the key factors to consider in developing an effective incident response plan and get C-Suite buy-in for data breach prevention?
Generally, senior leadership is in the dark about the specific security threats facing their organizations and their participation in data breach response plans is mostly reactive. However, when senior leaders are more informed, it makes a difference and is a key factor in having the data breach response program be effective. Our recent study, Is Your Company Ready for a Big Data Breach?Opens a new window , revealed that 51 percent of C-suite executives are knowledgeable about the company’s plans to deal with a data breach. C-suite executives and boards of directors who are knowledgeable and actively engaged in incident response plans can reduce the likelihood of a data breach. That sentiment was supported in the findings of the study, which revealed 81 percent of respondents believed increased participation and oversight from senior executives would enable to company’s data breach plan to be more effective.
Organizations that have engaged leadership invest more in IT and employee training, often have a C-suite level executive in place and apply time and resources towards preparedness such as enlisting security partners with pre-breach agreements so they are ready immediately to provide support if a breach occurs. C-suite executives understand the importance of protecting a brand’s reputation, so enlisting security partners with pre-breach agreements so they are ready immediately to provide support if a breach occurs, is a tactic that will enable the company to overcome a breach.
C-suite executives should be on the data breach incident response team, along with senior executives who represent areas such as IT, public relations, human resources, and operations – because these are essential functions when handling the aftermath of a security incident.
How can IT professionals design a data security strategy that can accommodate both changing threats and legal needs?
Data breach prevention and incident response is not only the responsibility of IT or Infosec. It’s a company-wide responsibility. As the threat of data breaches become no longer a matter of “if†but “when,†it’s never been more important for organizations to have a strategy in place to deal with the fallout with collaboration across teams.
Organizations should identify an individual that will lead the data breach planning and remain in communication with additional senior executives to align on plans. Practice is a necessity to perfect the design of the strategy to ensure seamless communication between departments that is then shared with partners and/or customers impacted by the data breach. The IT team will train people in data breach response techniques. In the case of an incident, they will isolate contaminated machines, preserve evidence and work with a forensic firm to identify the compromised data and draw up a report detailing the breach with a plan to prevent future attacks. To become confident in the plan, businesses should dedicate half of a day to conduct a simulation exercise. For an effective drill, businesses should consider engaging an outside partner to facilitate and moderate. It’s also a good idea to include external partners in a drill, such as legal counsel and a data breach resolution provider.
Following a data breach occurrence, a senior executive in the legal department will determine what the team needs to adequately respond to the incident and then coordinate the response, both internally and externally.
Businesses need privacy and compliance experts to help navigate any potential lawsuits and fines that a company may be at risk for after a breach. They will help with how to advise impacted individuals, as well as government agencies, the media and others.
What trends are you tracking in this space for 2020?
Each year we issue an industry predictions forecastOpens a new window so I’m closely watching if some of the predictions came true; we addressed emerging trends such as the vulnerabilities of biometrics and the gaming industry becoming an attractive hack surface. I’m also monitoring areas such as artificial intelligence (AI), machine learning (ML), and crypto mining malware developments. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Crypto mining has also become more popular with the rise of Bitcoin, Ethereum and other cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.
Neha: Thank you, Michael for sharing your insights on data breach resolution and how organizations can prepare themselves. We hope to talk to you again soon.
About Michael BruemmerOpens a new window :
Michael Bruemmer is Vice President of Consumer Protection at Experian, where he helps businesses plan for and mitigate consumer risk after data breach incidents.
About ExperianOpens a new window :
Experian is the world’s leading global information services company. During life’s big moments — from buying a home or a car, to sending a child to college, to growing a business by connecting with new customers — Experian empowers consumers and clients to manage their data with confidence.
Found this interview interesting? Do share your views and opinions on data breach resolution with us on TwitterOpens a new window , FacebookOpens a new window , and LinkedInOpens a new window . We would love to have a great conversation with you!