May 4, 2017
This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal. (CrisisResponsePro subscribers can access the full version by clicking here. ID and password are required.) To take advantage of all of the content, data, and collaborative resources CrisisResponsePro has to offer, contact us at (800) 497-1737, firstname.lastname@example.org, or crisisresponsepro.com/signup.
Verizon has released its annual report on data breaches, and the most interesting section this year is on the different types of intrusions companies face depending on the industry they’re in. This should be of keen interest to crisis communicators because it focuses the mind on what to be prepared for in terms of both prevention and response.
Some types of breaches are more prevalent in certain industries than others. Point-of-sale intrusions are a huge problem in hospitality but obviously not in manufacturing. In fact, hospitality (Verizon calls it “accommodation and food services,” which includes hotels) is the industry with the highest concentration of point-of-sale break-ins.
For example, last year Millennium Hotels & Resorts had a “data-security incident involving food and beverage point-of-sale systems at 14 of its hotels in the United States,” according to a statement at the time.
In manufacturing, the No. 1 pattern is cyber-espionage — people trying to learn trade secrets. More than 91 percent of the stolen data in manufacturing are secrets. “A great way to make something cheaper is to let someone else pay for all of the R&D and then simply steal their intellectual property,” Verizon writes in the report.
It’s important to keep that sensitive information segregated with limited access to it. Another point is that cyber-espionage is often done through so-called phishing emails — messages with a link or attachment that will compromise a computer system. Training employees not to fall prey to that is key. This type of breach would probably entail communicating about a lawsuit against the perpetrators (assuming they’re caught) rather than, say, explaining a payment-card breach that directly affects customers.
‘Denial of Service’
Retail is split between online and bricks-and-mortar sellers. For the e-commerce companies, the biggest headache is a “denial of service” attack, which interrupts access to a computer network, including a website. For physical stores, it’s payment-card skimmers. Similarly, in the finance area, retail banks need to worry about skimmers installed on ATMs, but investment banks don’t.
For educational institutions, the second most common type of incident (after cyber-espionage) is miscellaneous errors. Schools face a particular problem in that students have varying degrees of technical skills. In this area, 30 percent of the “threat actors” were employees, students, and other internal people. “The breaches involving internal actors were mostly attributable to human error — notably misdelivery of sensitive data and publishing errors, as opposed to malicious intent,” Verizon wrote. Obviously students need instruction on how to avoid breach pitfalls.
Privilege misuse (employees wrongly accessing data) is the top pattern in health care — the only industry where insiders pose a bigger threat than outsiders (68 percent vs. 32 percent).
Finally, theft and loss are also big problems in health care. For example, last year the University of Mississippi Medical Center settled with the federal government over a laptop that went missing.
The Verizon report can help companies view data breaches not as some indistinguishable whole but as a threat with many varieties. Crisis teams should focus on some rather than others depending on their industries. In the best scenario, such preparation would ward off a breach. But if one does happen, the planning should help with a smart communications response.
— Thom Weidlich
Photo Credit: George Rudy/Shutterstock
CrisisResponsePro subscribers can take a more in-depth look at this story by clicking here (ID and password required). To become a CrisisResponsePro subscriber, contact us at (800) 497-1737, email@example.com, or https://crisisresponsepro.com/signup/.