global fraud

In a true sign of the times, companies participating in this year’s Global Fraud Survey reported that information theft is now the most common form of fraud. With 27% of companies reporting incidents within the past year, the theft of information surpassed the theft of physical property for the first time in the four-year history of the Survey. Some industry sectors were particularly hard hit, foremost among them financial services (42%, up from 23% the previous year), professional services (40%, up from 23%), and Technology, Media and Telecoms (37%, up from 15%). And while companies clearly recognize the increasing severity of the problem, to some extent they feel unprepared to deal with it: 77% of respondents believe that their companies are vulnerable to information theft.

Given the financial, legal, and reputational risks that go hand-in-hand with a data breach, failing to prepare for one is to court disaster. When an incident occurs, there is no time to learn on the fly, so having a response plan already in place is critical. While there is no such thing as a one-size-fits-all response plan, the best plans tend to share common elements. In particular, they are designed to accomplish five key goals:

1. Provide the proper resources for early detection

Too often, the first indication that an incident has occurred is a call from a victim complaining that an account has been looted or, worse yet, a reporter writing a story on a breach. A solid plan should contain a strategy for detecting potential problems at the earliest possible stage by integrating technology (e.g. intrusion detection and prevention systems, log analysis, anomaly analysis) with a robust training regime to ensure that key personnel understand what to look for and what to do when they suspect that something is wrong.

2. Determine if the breach event is still happening and then “stop the bleeding”

Too many companies concentrate immediately on the process of notifying victims before they know all the facts. A good response plan should include a clear process for determining – with forensic accuracy – what did and did not happen and whether any of it is still occurring. Many malicious software attacks have, as part of their structure, elements designed to keep the malware in place long after the initial intrusion. This can lead to automated re-infections weeks or even months after a system is thought to be cleansed and the subsequent compromise of additional data. Absent the certainty that sensitive information is no longer being compromised, it is impossible to mount an effective response.

3. Determine the scope of the breach

In the event of a breach, the extent to which data has been compromised is not always readily apparent. In some instances, the situation is far less serious than suspected. For example, reverse engineering of malicious software can sometimes reveal that the malware did not actually work – i.e., an intrusion without data loss. In other cases, analysis of the criteria by which a malicious software program selects records to target can show that, since fewer records meet those criteria, the loss was much smaller than originally feared. On the other hand, sometimes the loss is more extensive than initial appearances might suggest. Either way, it is vital for companies to discern the universe of compromised information with enough accuracy – and evidence – to justify their subsequent course of action.

4. Determine who is responsible for the breach and attempt to recover lost data

The loss of information sometimes stems from the loss or theft of a physical object – e.g., a laptop computer, USB drive, or disc – often due to the carelessness or misconduct of an employee. In circumstances like this, a good response plan will provide a process and the resources to conduct a solid fact-finding investigation into the circumstances of the loss. A prompt and robust investigation can often lead to the identification of the person or persons responsible for the loss, which can, in turn, result in a more detailed understanding of the extent to which the data has been disseminated. In some instances, the lost information can even be recovered, reducing or eliminating the need for notification.

5. Determine and comply with legal obligations

In the United States, the regulatory regime for data breach is extremely confusing, with different requirements for different industries and different states. With the exception of the Health Information Technology for Economic and Clinical Health Act (HITECH), which contains breach notification mandates for entities covered under the Health Insurance Portability and Accountability Act (HIPAA), there is no overarching federal law governing breach notification. Instead, there is a patchwork of laws from 46 states and two territories. These laws present varying and sometimes contradictory requirements regarding the entities to be notified and the information that can and cannot be included in the notification letters. A good plan will provide the professional resources necessary to clearly determine the nature and extent of the company’s legal obligations and develop a viable strategy for complying with them.

Without question, a well-crafted response plan can go a long way toward mitigating the damage that flows from a data breach. Better yet is to take proactive steps to prevent incidents from occurring in the first place. Some recommended steps are described below:

  • Data Mapping – It is critical for companies to understand where and in what form their sensitive data is stored. An awareness of where that data resides and how it is transferred both internally and externally can serve as the foundation for sound policies and procedures that significantly mitigate the risk of breach.
  • Vulnerability Testing – Regular testing to identify vulnerabilities that a hacker or dishonest insider might exploit is also vital. There are excellent tools to do this, although many organizations elect to engage specialists who have a depth of experience in responding to incidents and extensive knowledge of the latest threats.
  • Use Encryption – Many of the statutes relating to data breach provide for exceptions when the data in question was encrypted. Because of this, the use of encryption, particularly for data in a form frequently associated with data loss incidents – e.g., data stored on portable devices and back-up or archival data stored on tapes – should be considered a best practice. Many application programs also permit data to be encrypted while residing in a database, another practice that provides protection with little added risk.
  • Policy Review – In a world of rapidly evolving threats, changing legal requirements, and new outsourcing technologies like cloud computing, it is imperative to review policies at least annually.

Given the current trends, there is every reason to expect next year’s survey to show an even higher prevalence of information theft. With some smart advance planning, there is every hope that companies will be better prepared.
