It’s part two of our deep look into cybersecurity and this week, we’re looking at the numbers.
Here are the headline facts to get you started:
- Over $1 trillion will be spent on cybersecurity in the next seven years
- 88% of customers surveyed by Forcepoint are concerned about potential attacks on the critical infrastructure their organisation relies on
- 85% of organisations have not fully deployed automation in their cybersecurity processes, and 87% don’t have the budget to provide the level of cybersecurity they want or need
Why not? Perhaps it’s worth exploring what most companies see as the consequences of a cyberattack:
75% – Business interruption
59% – Damage to the company’s reputation
55% – Data breaches
49% – Data or software damage
41% – Extortion or ransomware
35% – Liability to a third party resulting from a breach
29% – Disruption or interruption of industrial systems or other technology
28% – Loss or theft of intellectual property
Source: Marsh/Microsoft 2018
Cyberattacks – Fact or Fiction?
Before you write in by the thousand, we’re not suggesting for a moment cyberattacks are a figment of a conspiracy theorist’s imagination. Read on to see what we mean.
The issues around consequences have become even more acute in the post-GDPR world. Companies now have 72 hours to ‘fess up to a cyberattack or they become subject to severe EU fines and as the countdown clock starts, the pressures on businesses to come clean are extreme and all-encompassing.
Because consumers now know the value of their personal data, businesses that do come under attack need to be transparent and offer an immediate and proactive response otherwise the fallout can be – and often is – catastrophic.
Richard Horne, cybersecurity partner at PwC, puts it quite beautifully: ‘there’s a saying that a lie can travel halfway around the world before the truth has had time to put its shoes on’, and this is especially true when it comes to social media.
The misrepresentation of a fact can become a ‘fact’ very quickly and is often picked up by traditional news sources as such. Talking of facts, there is an additional layer of complication in that in the direct aftermath of a data breach, the affected company often has very few of them to work with. The real truth may not come out for weeks or even months and maintaining investor and consumer confidence in that critical period can be a tough ask.
And yet there’s more. Nick Easen, writing in the Sunday Times, says: ‘at the same time, we live in an era when there’s a toxic cocktail of high breach fatigue among consumers and low public trust in companies that hold our precious data.’
Professor Bill Buchanan, a cybersecurity expert at Edinburgh Napier University, talks about the poor handling of attacks, especially from a PR standpoint, that has contributed to this culture of fear:
‘The reporting of incidents has generally been poor and often doesn’t highlight the real scope of a data breach, with incident reports littered with non-definite words such as “could have”, “might be” and so on.’ You can see why PR teams try to soften the blow of a data breach, but this doesn’t help the media or the general public understand the scope of an attack, nor does it give them confidence that it won’t happen to the business again.
In a survey conducted by the Ponemon Institute and IBM of 477 companies that experienced a data breach in 2018, the data on the average number of days to identify (ID) and then contain (CO) it is at best mildly concerning…
Malicious or Criminal Attack – 221 days (ID), 81 days (CO)
System Glitch – 177 days (ID), 60 days (CO)
Human Error – 174 days (ID), 57 days (CO)
We’re all at the mercy of technology and while a glitch in the matrix is never a good thing, it happens from time to time. It’s the top one that is of most concern. If your data is breached by a malicious or criminal attack on New Year’s Eve, you wouldn’t know about it until the second week of July and you wouldn’t be able to contain it until around the start of September. Let that sink in for a moment.
Talking about criminal or malicious attacks…
Who’s Knocking At The Door?
Everyone who has any level of access to company data – employees, contractors, third-party businesses etc. – should be considered a threat where enterprise security is concerned, but it’s the malicious insiders, like disgruntled workers hell-bent on taking the company down from the inside, who can do the most damage. And quickly…
From Cybersecurity Insider 2018, the percentage of cybersecurity experts who say the following present a security risk:
Regular employees – 56%
Privileged IT users, system admins – 55%
Contractors/service providers, temps – 42%
Privileged business users/C-Suite execs – 29%
Customers/clients – 22%
And if they are getting in, what do they want?
Again, from Cybersecurity Insider 2018 they’re looking for:
Confidential business info – 57%
Privileged account info – 52%
Sensitive personal info – 49%
Intellectual property – 32%
Employee data – 31%
Ops or infrastructure data – 27%
And if they are getting in and taking what they came for, how much, on average, is it going to cost you in time and money to contain an insider incident? The figures below are taken from a Ponemon Institute survey of 3,269 separate incidents at large organisations in 2018 (Time is the share of incidents in each bracket, Cost the average cost to contain them):
Less than 30 days: Time 16%, Cost $4.6m
30 – 60 days: Time 23%, Cost $5.6m
61 – 90 days: Time 30%, Cost $9.1m
More than 90 days: Time 31%, Cost $12.1m
What Does This Tell Us?
It’s hardly rocket science. If you hold personal data (and you do), it needs to be safeguarded so it doesn’t fall into the wrong hands.
That’s it. Nothing more.
To talk to us about adopting a robust and scalable yet cost-effective cybersecurity solution so you don’t end up as a statistic in a blog like this next year, email us today on firstname.lastname@example.org or call 020 7078 0789.