Managing the Cyber Domino Effect
Experian's Bruemmer on the Growing Toll of Multiple Breaches
The 'Cybersecurity Domino Effect' is a new term to describe the cumulative impact of multiple data breaches. How should organizations and individuals respond? Michael Bruemmer of Experian offers guidance.
The term was popularized in a recent Forbes magazine piece, and industry experts have subsequently adopted it. But Bruemmer foresaw this domino effect last fall, when he made his 2015 breach predictions.
"The idea is that the Internet of things and their interconnectedness would impact organizations once a breach occurred, or a number of breaches in succession," says Bruemmer, VP of Consumer Protection at Experian Consumer Services. "In my opinion, it simply means it's the wave of cybersecurity events and data breaches that would come and create a cumulative privacy and cybersecurity issue for organizations and individuals alike."
The direct impact on individuals? The risk of identity compromise from a succession of incidents that may not be directly related.
"PII that is compromised by one event can be combined with [that affected by] another event to cause additional harm," Bruemmer says. "And we're seeing that more often from our Fraud Resolution team as they try to help people."
And the impact on organizations only swells from there, he explains.
In an interview about the cybersecurity domino effect, Bruemmer discusses:
- The cumulative impact of breaches on individuals and organizations;
- The criticality of identity theft protection immediately following a breach;
- How to prepare to mitigate the impacts of this domino effect.
Bruemmer is VP, Consumer Protection at Experian Consumer Services, formerly Experian Data Breach Resolution. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.
Defining the Domino Effect
TOM FIELD: We recently have heard a lot of discussions about the so-called 'Cybersecurity Domino Effect'. Please put the term in context for us.
MICHAEL BRUEMMER: Well, recently Roy Rothrock, who is a Forbes writer, talked about it, and this refrain about the cascading impact across the enterprise of different things has been repeated by other industry experts. The idea actually picks up on something that I talked about in some of my 2015 predictions that I made last December about the data breach industry and cybersecurity, on the fact that the Internet of Things and their interconnectedness would impact organizations once a breach occurred, or a number of breaches in succession. So, in my opinion, it simply means it's the wave of cybersecurity events and data breaches that would come and create a cumulative privacy and security issue for organizations and individuals alike, especially with PII or PHI that's at risk.
Impact on Individuals, Organizations
FIELD: Mike, what do you see as the cumulative impact of the cyber security domino effect on an individual, as well as on an organization?
BRUEMMER: The cumulative impact for an individual is that their identity is put at risk or even compromised by the succession of incidents that may or may not be connected. So PII that is compromised from one event can be combined from another event to cause additional harm. And we're seeing that more often from our fraud resolution team as they try to help people.
For an organization, it is slightly different. With so many subcontractors, vendors, partners, clients and business associates, any event in the interconnected supply or delivery chain can have far-reaching issues on a company's ability to defend itself and to respond to a data breach. This puts added pressure on consumers, patients and subcontractors alike.
FIELD: So, as we sit here and talk right now, it's likely that someplace, somewhere a data breach is happening, which indicates that the domino effect is only going to increase. So what does this mean for individuals in terms of, one - how should they respond to a breach notice from an organization?
BRUEMMER: Well, it sounds very simple, Tom, but the first thing is read it. Second, the most important action is to follow the instructions on how to protect yourself. Many times simple preventive measures like shredding documents or improving password length and complexity are [helpful]. Companies understand that breach response is much more than a compliance exercise, and they want to regain the trust of the affected parties. So the simple advice they give is the first thing that you should take note of.
Value of ID Protection
FIELD: Well, Mike, one of the first things that always comes up is identity protection. So what should individuals do when they are offered identity protection in the wake of a breach?
BRUEMMER: First, Tom, recent surveys from Ponemon tell us that 63 percent of consumers want identity theft protection offered as part of a breach response. And almost that same percentage expects the company to provide expert call center resources to answer questions related to the incident. Simply put, if identity theft protection is offered, you should always take action and sign up. Taking no action or waiting until bad things have happened only to call a toll-free number provided is actually the worst thing an affected party can do. Signing up for a product like Experian's Protect My ID takes three easy steps, and then you've got access to things like a credit report, ongoing fraud surveillance, dark web surveillance, some identity theft protection insurance and then your best fraud resolution to be able to solve any issues that may come up because of the event or even events that have occurred before the announcement was made.
FIELD: Well then, Mike, we both know identity theft protection isn't enough. What do individuals need to do to be vigilant beyond that level of protection?
BRUEMMER: Consumers are in the best position to review any alerts for fraud from the services an identity theft protection product would provide. Still there are additional steps consumers can take to prevent fraud, and some examples include paying attention to the basics, like if your mail was stopped or redirected, new credit card offers or delinquency notices from accounts you didn't recognize. You should check your account transactions or sign up for things like the free bill guard app that has Protect My ID membership embedded in it. And finally, never reuse any passwords and make them longer; up to 15 alphanumeric characters is what is recommended by most professionals.
FIELD: So to this point we've talked mainly about individuals. How about organizations, what should they do to respond in terms of how they prepare themselves, their employees, their customers, from the impacts of multiple incidents, as you said a domino effect?
BRUEMMER: We have a data breach response guide that we update annually, and we've seen top organizations take the advice and already have a practice response plan in place prior to a breach. The easiest and most cost-effective investment from a planning perspective is job-specific employee privacy training about cyber security and the fact that nearly 80 percent of the breaches that we service -- and we serviced about 3400 last year -- actually address this training issue because those breaches were due to employee negligence. It's not a point-in-time exercise, but it's an ongoing regular exercise. As we've seen in recent weeks, many organizations have had multiple cybersecurity events that happened in succession, so that employee and privacy training is done either semi-annually or quarterly, is very important.
How to Do the Right Thing
FIELD: So, Mike, if you were to sum up, what steps do you recommend for individuals and organizations alike that want to stand up and do the right thing to minimize the impact from the Cyber Security Domino Effect?
BRUEMMER: My top three personal recommendations are, number one, take an inventory of where all your PII or PHI might be and how it is protected currently. This is just like you would do for your valuables in your house or your possessions in a safety deposit box in a bank. Second, don't give any sensitive information to other people if you do not have to. And third, never click on a link or download any files unless you've just communicated with the person who advised you, and you know them, and you've just received that from them. Keep in mind that three out of four of the largest breaches we have serviced in the past year started from a simple spear-phishing attack where someone clicked on the wrong link.