As 2013 draws to a close, it has become clear that every major industry maintains sensitive data, and has been targeted by hackers. This year ushered in a new batch of highly publicized data breaches that affected millions of consumers, many of whom became the victim of identity fraud. From an enterprise standpoint, these breaches not only eroded consumer trust, but they also open businesses to fines, penalties, and class-action lawsuits for not properly securing private data. Based on the increasing volume of data businesses now manage, and the growing capabilities of cyber criminals, I expect the following scenarios to become more commonplace in 2014:
ID thefts to target Affordable Care Act
Medical identity fraud is a lucrative source of income for perpetrators who bill for fraudulent medical services or obtain insurance, government benefits or prescription drugs. Medical fraud endangers patients' health and costs consumers millions of dollars each year. While hospitals and providers will remain targets of criminal rings seeking personal health information, newly created health insurance exchanges under the Affordable Care Act create new security risks for millions of Americans.
By their nature, "exchanges" are designed to swap vast amounts of health information among insurance providers and other entities. Health insurance exchanges are new and untested. While funding for these exchanges varies by state, many are underfunded and understaffed. Perhaps most alarmingly, these exchanges are not required to comply with HIPAA security and privacy regulations.
All of this adds up to a situation ripe for a slow-leak attack. In this scenario, an attacker would pose as a small insurer, siphoning an inconspicuous but steady stream of personal health information. Undetected for a long period of time, an attacker could steal millions of identities, with devastating consequences to the financial and physical health of millions of Americans.
More focus on data classification
As businesses collect more data, data classification will become an essential strategy for managing the entire sensitive data lifecycle. Even medium-sized enterprises now have big data. Corporate systems are full of sensitive information including employee records, customer files, health data, credit card data, billing information and intellectual property. But as the proverbial haystack of big data grows, finding and protecting the needles of sensitive data is becoming more necessary by the day. Discovering and classifying information is essential to minimize breaches. That's why sensitive data discovery and classification is the starting point for many regulations including HIPAA and PCI-DSS 3.0.
Better accounting for costs of data inventory
Transparency, data classification and awareness will become increasingly essential to manage organization risk associated with lost sensitive data. By most estimates, more than two-thirds of all breaches occur when data is at-rest, usually due to accidental leaks of old, forgotten copies of sensitive data. Smart American businesses will begin to account for the liabilities associated with sensitive data, much like they account for carrying costs of inventory. Enterprises that underestimate the carrying costs of sensitive data will be more prone to data breaches and losses in 2014. The costs and liabilities of maintaining a large data inventory go far beyond server and cloud storage costs. Whether corporate data inventory is stored on hosted servers or the cloud, some companies only calculate storage or warehousing costs when calculating the total carrying cost of data inventories. But data carrying costs include shrinkage, inventory control and other costs.
These costs include risks of loss or theft, which are readily apparent as employees expose their employers to larger and more frequent data breaches as they use bring-your-own-device (BYOD) tablets, smartphones and syncing services like Dropbox to work outside their office more conveniently. The lines separating the office, home and the home office are quickly fading, meaning that sensitive data more freely flows among secure and insecure devices.
American businesses already pay for ignoring their bloated and unprotected sensitive data inventories, and will pay even more in the coming year unless they begin to account for all data inventory costs. Enterprise ledgers should now include line items for the risks and costs of sensitive data inventories.
