Tom Heintjes: Hello, and welcome back to another episode of the Economy Matters podcast. I'm Tom Heintjes, managing editor of the Atlanta Fed's Economy Matters magazine, and today we're talking about data breach prevention with Nancy Donahue, a manager in the Atlanta Fed's Retail Payments Risk Forum, or RPRF. Nancy also contributes to Take On Payments, the blog from the Retail Payments Risk Forum. Nancy, thanks a lot for taking the time to talk with me today.
Nancy Donahue: It's my pleasure. Thank you for having me back on the podcast again.
Photo by David Fine
Heintjes: The pleasure's all mine. Nancy, I was reading the RPRF's Take On Payments blog recently—as I always do, I have to admit—and I saw your post about data breaches, and it asked if we should just throw in the towel on preventing them. It's not like you or your colleagues to sound so defeatist about it.
Donahue: Not defeatist, more like realistic. You can't fix a problem without first acknowledging that you have one, and cybersecurity experts have to get things right 100 percent of the time—whereas bad actors only have to be right once. Those aren't very favorable odds. And threats can come in many forms, as we know, from insider risk to external actors—or even company partners or vendors—so it's important to look inward just as it is outward.
Heintjes: So, about that blog post title thing...
Donahue: It was a little bit of hyperbole, for sure. But the real point was: don't think that it won't happen to you. I think about the Scout's motto, "Be Prepared'—which means "be ready, willing, and able to do what's necessary in any situation that comes your way.'
Heintjes: Is it my imagination, or does it seem like the pace of data breaches is increasing? I mean, I'm used to hearing about them, and of course reading about them, but it seems like there's a new headline all the time now.
Donahue: It is not your imagination, Tom. Every day it seems there's a headline about another event, and it's broadly reported that we are on pace for another "worst year ever' when it comes to data breaches. As fast as computer engineers and information security experts can develop new methods to protect our networks and our data, criminals find a way to penetrate it or circumvent them just as quickly.
Heintjes: One of your colleagues recently wrote about that very thing, didn't he?
Donahue: He did. In September, my colleague Doug King blogged that ransomware attacks had increased 105 percent in the first quarter of 2019 compared to the same period in 2018, according to research performed by the insurance firm Beazley.
Heintjes: I remember that post, and we'll link to it on the website with this podcast. Let me ask you about data breaches...do I dare ask about data breaches?
Donahue: Well, as I said, "on pace for worst year ever,' right? According to Risk Based Security's data breach report, just in the first nine months of 2019, there have been almost 5,200 breaches worldwide, with over 8 billion records compromised. The report goes on to state that breaches are up by a third compared to the third quarter of 2018, and the number of records exposed up 112 percent.
Heintjes: Wow. I guess it's a variation on the saying that there are two types of companies: those who have experienced a data breach, and those who will.
Donahue: That's exactly right. That's a good way of putting it: no one is immune. According to Verizon's 2019 Data Breach Investigations Report, which looks at incidents occurring from November 2017 to October 2018: of the nearly 42,000 security incidents that they analyzed, just over 2,000 were confirmed data breaches.
Heintjes: Can you describe those for me?
Donahue: So of those breaches, 16 percent were public sector entities, 15 percent were healthcare organizations, and 10 percent were in the financial industry.
Heintjes: Wow, okay. Well, those were the targeted organizations. Are there data on the actual perpetrators behind them?
Donahue: Sure, absolutely. In terms of who is perpetrating the data breaches, the report further noted that 69 percent were the result of outsiders, 34 percent involved insiders, and then 2 percent involved company partners.
Heintjes: In your post that we've been talking about, you write about being "left of boom' and "right of boom'—which, I confess, are terms I'd never heard of before. Can you describe what you mean by being left or right of boom?
Donahue: Sure. The "boom' is a crisis event—so in the context of our discussion today, a cybersecurity incident or a breach. So "left of boom' is the threat prevention—in other words, what an organization does to prevent a crisis from occurring—and then the "right of boom' is the space that's occupied by the crisis response: what actions does an organization or a business take in response to a cyber event? It's every bit as important to have a well-defined, practiced crisis response plan in place before you need it, just as it is prevention efforts against a cyber event.
Heintjes: Nancy, could you briefly lay out what this sort of plan might look like?
Donahue: Sure. There's a military concept called "commander's intent' that has application here. The commander's intent reflects the priorities of the organization in the event of an incident and is intended to empower employees to exercise what they refer to as "disciplined initiative' and to "accept prudent risk' in order to return to the primary business of the firm as quickly as possible, and in the absence of leadership. Because remember—often when a cyber event occurs, communications are shut down in the organization. So it's about empowering employees, having them know exactly what they need to do, and for them to be able to act. So those principles are two of the six components of the Mission Command philosophy, which has been widely adopted by the private and public sectors as a basis for crisis management planning and response.
Heintjes: So what are some of the components of that?
Donahue: The six components are build cohesive teams through mutual trust; create shared understanding; provide clear commander's intent; exercise disciplined initiative; use mission orders; and accept prudent risk. The commander's intent forms the basis of an organization's comprehensive incident response plan by identifying what those key things are that your organization must execute in order to maintain operations. Using a bank as an example, they might have a commander's intent statement such as, "Process all deposits and electronic transactions in order to ensure funds availability for all customers within established regulatory timeframes.' There are three phases to the commander's intent, and assessment—or testing, if you will—occurs at each phase in order to commit the plan to organizational muscle memory and make it rote.
Heintjes: And those phases can be defined as what?
Donahue: Plan, prepare, and execute.
Heintjes: That makes sense. So what I'm inferring here is that it seems like it's obviously best to try to stay left of boom. That's my takeaway.
Donahue: That would be the ideal, most definitely have a plan and practice the plan. One of the things our listeners may also be interested to know is that the Federal Reserve System's Business Continuity Resource Center
—which is located on frbservices.org—recently posted 10 best practices for businesses to help prevent and respond to emergencies or disruptions. So there's a lot of good information available on that site.
Heintjes: Yes, and we'll have a link to that site with the podcast episode as well. So Nancy, changing tack a little bit here: in terms of data breaches, are there "most common' types? Are there common denominators, or types of breaches that occur most often?
Donahue: Sure. Somewhat obviously, the majority of breaches are financially motivated in some way. In terms of tactics used, Verizon reported that 52 percent of breaches involved hacking; 33 percent included social attacks, which includes phishing; and 28 percent involved malware, which includes ransomware. And then organized crime was behind 39 percent of breaches, and nation-state or state-affiliated actors were associated with 23 percent.
Heintjes: Wow, that's remarkable. What are some other common types?
Donahue: Phishing, which we've probably all heard of, was an element in 32 percent of breaches, and then stolen credentials factored into 29 percent of breaches. So it only takes one erroneous click on a phishing link to open the door, so to speak.
Heintjes: Right. From talking to your colleagues in the Retail Payments Risk Forum, I know there's a lag between a breach occurring and actually discovering the breach, which is obviously problematic. What is the typical time it takes to discover a data breach?
Donahue: The majority of breaches take months, and sometimes years, to discover. According to IBM Security's 2019 Cost of a Data Breach report, the global average time to identify and contain a breach was 279 days, and recovery can also take months if not years. IBM's findings also stated that the breach life cycle, which is the time between when the data breach occurs and when it's fully contained, increased almost 5 percent between their 2018 and 2019 studies.
Heintjes: That's remarkable. Nancy, why does it take so long to notice? Are the perpetrators just really careful not to leave fingerprints? Are they that good?
Donahue: Each breach, and each organization that's affected by one, is unique. There are innumerable reasons why they go undetected for long periods of time. Much of it depends on the type of attack and the methods that were employed. For example, consumers might alert a business when questionable or unfamiliar charges appear on their bank statement or on their credit card statement, and the business's investigation into those charges then uncovers the data breach.
Heintjes: Are there types of businesses that get hit with data breaches more often than others—in other words: large versus small, or anything like that?
Donahue: Any computer that's connected to the internet is a potential target. And as we know from the news, victim demographics are wide and varied—from retail to hospitality, schools and universities, healthcare, financial services, manufacturing, and government. Small businesses have fewer computers, so fewer possible points of entry. But nevertheless, Verizon's report found that 43 percent of breaches involved small businesses, but that was a decrease from 58 percent in 2018.
Heintjes: That's a good decrease.
Donahue: Yes. But it's also worth noting that small businesses may not have the dedicated IT or information security staff, and/or processes—which, again, underscores the need to seek out resources and develop a plan as part of your "left of boom.'
Heintjes: That's a good point. Nancy, I know we can't totally prevent data breaches, or obviously everyone would. But what steps do you recommend businesses take to reduce the exposure to a data breach?
Donahue: One of my other Risk Forum colleagues, Dave Lott, penned a blog in July called "Ransomware Attacks Continue,' and in it he offered several best practices to avoid a data breach. So perhaps we could link to his blog as well.
Heintjes: Sure. Dave's been on the podcast in the past.
Donahue: Yes. But just to summarize some of the recommended practices that he mentioned in his blog: backing up your data daily, and keeping a copy offsite. Avoid using sunsetted operating systems and software. Keep your security patches and software updates current. Train and test employees on information security guidelines. Use strong passwords and change them regularly. And use comprehensive access controls to your network.
Heintjes: You mentioned "employee training and empowerment' earlier. Can you talk about that a bit?
Donahue: Sure. In terms of employee training and empowerment, as part of their annual National Cybersecurity Awareness Month, the Department of Homeland Security offers a toolkit 
for businesses to use to promote cybersecurity awareness and best practices within their organization. That can be found at www.dhs.gov.
Heintjes: I imagine that's a popular product these days. What sort of preventive steps are companies taking that you maybe weren't hearing about, say, five years ago?
Donahue: So it's maybe not a preventative step exactly, but for me I would say cybersecurity insurance. IBM's 2019 Cost of a Data Breach report estimates that the global average cost of a data breach is almost $4 million. Cybersecurity insurance may cover costs incurred as a result of a data breach, such as legal fees and expenses, customer notification costs, customer credit monitoring costs, data and network recovery and repair, and possibly ransom payments.
Heintjes: We've talked a lot today about data breaches as they apply to businesses, but do these concepts also apply to individuals? Are we able to apply things we're talking about now to our own individual data security?
Donahue: I think so, Tom. There are certainly commonalities between businesses and consumers, and certainly small businesses and consumers. The Department of Homeland Security reports that one in three homes with computers are infected with malicious software, so our personal computers are just as vulnerable to malware as our work computers. The principles of cybersecurity apply to our personal lives, just as they do our professional ones.
Heintjes: Right. In terms of preventing a data breach—or I should say, minimizing the risk of one—are the steps people can take different from the steps a business entity might take?
Donahue: Recommended actions and behaviors for consumers to protect our families and personal data online are not all that different from best practices that businesses employ. The Department of Homeland Security has a program called "Be Cyber Smart,' which is designed to help consumers protect their personal information and educate themselves on online safety. It covers a broad range of topics such as multifactor authentication, wifi safety, app security, password protocols, and virus protection. It also touches on how to protect yourself from some common cyber scams, such as phishing, imposters, lotteries. and identity theft.
Heintjes: So to bring this conversation full circle, what I'm taking away is, we should not throw in the towel on trying to prevent data breaches.
Donahue: Absolutely not. That would be defeatist, as we said. I think it's about finding a balance between prevention and breach response. It really is hand in glove. The two must go together if organizations are to be truly prepared and able to quickly recover in order to return to normal business operations. Do all that you can to prevent a breach, and then at all levels of the organization, commit to muscle memory the "right of boom' plan before the boom occurs. And as I said earlier: have a plan, and practice the plan.
Heintjes: Well, Nancy, I guess we can be sure that this problem is not going away, so I hope you'll be back on the podcast to talk about this topic further in the future as things evolve and preventive techniques change.
Donahue: Thank you, Tom. It's been great chatting with you today. And if I could, I'd like to mention the recent release of the results from the Federal Reserve's 2019 triennial payments study. Since 2001, the Atlanta Fed and the Board of Governors have conducted the payments study to understand trends in the payments system, providing national estimates—both for number and value—for check, ACH payments, credit, debit, prepaid cards, cash withdrawals, and new and emerging payment methods such as mobile and person-to-person.
Heintjes: Yes, the payments study is always really fascinating. What are the Risk Forum's plans with the information it includes?
Donahue: Upcoming installments of our weekly Take On Payments blog—
Heintjes: Which we've been discussing.
Donahue: Yes—will highlight some of the key findings from this research, but listeners can view the report in full on the Board of Governor's website at www.federalreserve.gov. We will also have a link to the report on the Risk Forum page on the Atlanta Fed's website at frbatlanta.org/rprf. And on behalf of the Federal Reserve System, I'd like to say "thank you' to the institutions and organizations that participate in the payments study. We recognize participation requires a good deal of commitment to collect, validate and submit accurate data, and your support of the study is greatly appreciated.
Heintjes: Yes, it would be tough, if not impossible, to do it without them. Nancy, thank you so much for being on today. This has been a really fascinating conversation, and I think you gave people a lot to think about—and act upon—today.
Donahue: Thank you again. Happy new year, everyone.
Heintjes: And that brings us to the end of another episode of the Economy Matters podcast. Again, I'm Tom Heintjes, managing editor of the Atlanta Fed's Economy Matters magazine. I want to note that on our website, frbatlanta.org, we'll have a link to Nancy's Retail Payments Risk Forum blog, as well as her blog post that we've been discussing throughout this conversation today. And thanks again for listening—we at the Atlanta Fed wish you a happy new year, and I hope you'll join us next month for a new episode.