Will ‘The Year of the Hack’ affect consumer and business security practices in 2015?

Months of headline-grabbing data security breaches led many to declare 2014 “The Year of the Hack.”

Although there was a big uptick in security incidents (more than 42.8 million, or a 48 per cent increase over 2013), what really distinguished 2014 were hackers’ unprecedented tactics.

Despite the dire effects of these breaches, many consumers and small- and medium-sized businesses, or SMBs, haven’t changed their online security practices.

The ‘Year of the Hack’ in Review

Two types of hacks dominated in 2014: for-profit and for-harm.

For-profit hacks - such as the Target attack in late 2013 and the breach at The Home Depot months later - stem from hackers looking to steal personal or financial information to sell on the dark web. These attacks are costly for insurance companies, banks, and corporations and usually force a company’s reputation (and stocks) to take a tumble.

The trend that emerged in 2014 was the for-harm attack, carried out by hackers wanting to bring harm, humiliation, or ruin to a person or brand through manipulation, intimidation, or coercion. Iranian hackers dealt a blow to the Las Vegas Sands Corp. for inflammatory comments made by its CEO.

In Sony’s situation, hackers going by the name Guardians of Peace stole more than 100 terabytes of corporate data and leaked confidential information. The group threatened public harm and corporate embarrassment unless the studio halted the release of “The Interview.”

The Sony breach shut down operations for more than a day and damaged reputations and relationships. The hack is projected to cost $200 million in losses. Cyber security firm Mandiant declared the methods “unprecedented”; the FBI released an alert warning businesses of the threat posed by copycat hackers.

SMB and Consumer Reactions to the 2014 Cyberattacks

Unfortunately, these events have had little to no impact on SMBs and consumers. Despite the hacks’ ongoing repercussions, research reveals that IT professionals at SMBs still have nonchalant attitudes regarding breaches.

• Sixty per cent of IT professionals at SMBs say recent breaches haven’t significantly impacted their security policies.

• Sixty-four per cent say that 2014’s hacks won’t influence their 2015 security purchases.

• Seventy-seven per cent of respondents identify their employees - not their security infrastructures - as their biggest vulnerability.

These results indicate that many SMBs don’t believe they’re targets and, therefore, don’t think they need additional security. In reality, hackers don’t discriminate by size. Many target SMBs because they lack the resources to establish robust security measures or because they have connections to other companies.

Meanwhile, consumers are becoming numb to breaches, thanks to more frequent attacks, increased media coverage, and a lack of direct consequences. Although half of consumers have been affected by a breach, 45 per cent say that recent breaches haven’t affected their debit or credit card use.

This nonchalance comes at a cost. Consumers disconnected from security matters are less likely to protect themselves, and they’re ill-equipped to identify threats or recognise cases of identity theft. They’ll share in higher costs as companies offset losses by raising prices.

Looking Forward in 2015

To protect their operations and customers, SMBs must implement 360-degree plans, paying particular attention to:

Policy. IT departments should establish cloud security policies that touch on device management, specifically the prevalence of BYOD. They should establish consequences for failing to adhere to cloud usage rules and ensure employees have tools to securely collaborate at work and on the go.

Information. SMBs need to educate management, employees, and consumers on security misconceptions, the dangers of breach fatigue, and the procedures for reporting a potential threat. HR should educate staff on the impact and cost of a breach, as well as the tactics criminals are using.

Defense. While a large in-house IT organisation may not be possible, data defense and detection shouldn’t be neglected. Managed service providers can help SMBs find affordable all-in-one or subscription-based detection systems to evaluate company security needs and implement and monitor a security infrastructure.

Mitigation. SMBs should create an incident response plan, or IRP, outlining what to do if a breach occurs. This includes classifications of attacks with steps to take, contact information, remediation plans, and crisis communication notes. SMBs should consider cyber security insurance to protect against lawsuits and include the PR department for its expertise in crisis communication.

2014’s hacks proved that SMBs and consumers will be more frequently and directly impacted by breaches. It’s important for SMBs to invest in protection and education before they find themselves making headlines and losing customers because of a breach in 2015.

Tom Smith is the VP of business development and strategy for CloudEntr by Gemalto, where he is helping to define and execute Gemalto’s identity and access initiatives in the cloud.