Michael Bruemmer is Vice President of the Data Breach Resolution group and Consumer Protection at Experian. Why does he believe security can serve as a calming force during the COVID-19 pandemic?
Security magazine: What does the data breach landscape look like in the next six months?
Bruemmer: First, COVID-19 scams are not going away anytime soon, so there will always be personal and business threats related to the pandemic. Small businesses are very vulnerable as they don’t have the resources to put behind security. In Verizon’s Business 2020 Data Breach Investigations Report, it’s reported that small businesses have made up 28 percent of the breaches so far this year.
Second, with the continued expanded footprint of employees working from home and not necessarily behind a more secure firewall, the risk for data breaches remains high. In a recent report from Bitglass, findings showed 70 percent were "only moderately prepared to not at all prepared" for securing systems with employees working from home. Phishing and malware attacks should be a top concern, and employee training is the best way to address this issue.
Last, we are seeing more data breaches related to government PPP plans, unemployment compensation and firms accepting employment applications, to no surprise.
Security magazine: What are some things that security can do to keep their cybersecurity shored up right now in light of other big priorities?
Bruemmer: With the current climate, hackers are even more aggressive right now. They are unleashing email or texting phishing campaigns, preying on consumers’ distractions and stress. Phishing scams are a favorite of cybercriminals because they are easy to execute and have a great return. If they unleash thousands of texts and/or emails they only have to be successful one time to reap benefits. Hackers can purchase databases easily on the dark web for low cost, so there is no lack of possible targets for their attacks.
We also see that a trend with hackers is they are being more patient than ever and infiltrating systems but just remaining "hidden." They are taking time to do this across all industries that are getting affected by the pandemic. As soon as we get the "back to normal" order, businesses are going to focus on everything else to get back on track, but cybersecurity may not be a top priority, and then the hackers will spur into action.
So it is important that organizations not only focus on their external defenses, but also the internal ones. Often, organizations get too focused on the external portion of a security defense program. However, once a cybercriminal gets inside the system the rest of the fences are too soft, so it is easy for the thieves to wreak havoc from that point. Thus, there are two recommendations we have for organizations:
1. Have a strong monitoring capability on the inside that provides alerts to intrusion. If a cybercriminal got past the perimeter defenses, there are still more hurdles for them to overcome to actually steal the data or cause disruptions.
2. Develop a strong security training program for employees. They continue to be the weakest link in a company’s security posture. They should be trained on topics such as phishing scams.
In addition, a relatively new approach but very beneficial is to set up “deception grids,” which are tools that set up fake systems. If a criminal got past the perimeter defenses and is inside, he/she has multiple systems to navigate without knowing which are real or fake. If a company is alerted to intrusion in the fake system, they can gain a better handle on how to manage the incident and are safeguarded from real data being exposed or stolen.
Last, a few cornerstone approaches every organization – no matter how large or small – can deploy are to segregate their data, have monitoring tools in place, and encrypt the data at the server, database and application levels. The key is a true layered defense strategy.
Security magazine: How can security serve as a calming force during the pandemic?
Bruemmer: When security is shored up, business can focus on other priorities, which right now, are many. Security should always be consistently tended to no matter the circumstances. This enables organizations to maintain business continuity, customer and client service levels and employee well-being intact in times of crisis. Cybercriminals will always be there attacking systems, so it’s just a matter of being vigilant and trying to stay one step ahead.
Security magazine: What are some of the tangential data risks that organizations face as a result of remote workforces?
Bruemmer: The vulnerabilities come with setting up systems for remote workers, ensuring all of the fences are set up and working appropriately. These include measures such as antivirus, endpoint and remote support solutions, and usage of VPN vs. employees’ home networks, which may not be as secure as the company’s network.
There is also the increased usage of virtual meeting providers so third-party risk is there. Many companies already have a provider they have vetted but many are deploying a platform for the first time. They should work with a credible company that can provide their security protocols and practices for virtual connections. Employees should avoid downloading any software that is not authorized by their company on their work computers, especially for those services that are free.
Security magazine: What other opportunistic attacks — such as phishing scams — have you seen around COVID-19 so far?
Bruemmer: There is no doubt this has been “prime” time for cybercriminals. In fact, it was reported by security firm Barracuda Networks that there was a steady increase in the number of coronavirus-related email attacks from January to February of 667 percent. We saw reported in April from Google that there were more than 18 million daily malware and phishing emails related to COVID-19 scams in one week. That was on top of the more than 240 million daily spam messages it sees related to the novel coronavirus.
Typical scams are preying on consumers’ desire for protective gear such as masks, or a fake charity asking for donations. I personally have received many phishing texts since the beginning of February, including from entities I do business with such as Marriott Bonvoy. It is similar to any type of time period where there is something large-scale on the national radar such as a presidential election, the Super Bowl or a pandemic – criminals use the lure of the event to trick consumers.
Security magazine: What should security professionals be documenting during the current pandemic response for better after-action assessments or revising procedures after the outbreak?
Bruemmer: As with any time period, organizations should be vigilant and make sure they are paying attention to their security. They should be prepared, however, for a data breach to occur. The key steps are to have a data breach response plan in place with a dedicated response team identified and external partners secured, such as legal counsel and resolution providers that can offer call center, breach notification and identity theft protection services. It is better to have everything in place before a breach happens.
Overall, security must be a priority for the company at the highest levels, not just for the IT department.
Only 72 percent of respondents in our annual corporate data breach preparedness study say they have an employee security training program, which is down from 73 percent the year prior. This number should be increasing. When asked how often the training is conducted, 49 percent do it as part of their onboarding of new employees, only two percent do it every six months and 24 percent conduct it annually while 25 percent conduct it sporadically. Also, only 50 percent train employees on phishing scams, while 69 percent of respondents had experienced phishing attacks in the prior 12 months.
Companies recognize this is a problem, though. A majority of respondents (87 percent) say employee negligence has a significant/very significant influence on their security posture.
With the current situation, this weakness will really come to light and hurt companies. It’s an easy area to address and improve, however, and I recommend that training be conducted at least annually.
Right now, the best organizations can do is send out email reminders to employees and make sure to cover security protocols for all mobile devices, personal computers and accessing the internet, since many employees are working remotely.
Security magazine: Please share your story about growing the Experian office in Austin, Texas. How has it become the center of some of the company’s identity protection and dark web capabilities?
Bruemmer: Our Austin office grew from a handful of employees to more than 200 today. This was through organic growth and an acquisition. I’ve been with Experian eight years and initially, our data breach business was responding to live incidents. However, I spearheaded the growth of our Rapid Response program, which works with companies on data breach preparedness and long-term partnerships that guarantee our services and response times if an incident should occur. Companies that secure partners ahead of time are much better positioned to prevent and respond to data breaches.
Our dark web capabilities are one of the latest innovations we developed, which is offered to clients and directly to consumers in our products. In Austin, our team handles engineering, client service, sales, marketing and product. We also have an office in San Diego and analysts in many countries with different language proficiencies to penetrate dark web forums abroad.
Security magazine: What do you like to do in your free time?
Bruemmer: In my free time, I road bike just about every day and plan to ride in MS 150 charity events to raise money for the treatment of multiple sclerosis.