Cybersecurity is entering mainstream consciousness more and more. Every attack that passes brings the question a little closer to home - will I be next?
A recent study conducted by Sophos and Vanson Bourne of 3,100 IT managers globally had some surprising results.
68% of organizations surveyed fell victim to a cyberattack in the last year. That means these organizations were unable to prevent attackers from entering their network and/or endpoints. Additionally, those organizations that fell victim to at least one cyberattack suffered an average of two attacks within the one-year period.
The organizations reported that threats were in their systems for an average of 13 hours before being detected. The report is quick to point out that the 13-hour figure represents the minimum amount of time a threat was within the organizations' systems.
Additionally, the 2018 Verizon Data Breach Investigations Report states that (coincidentally) 68% of cyberattacks take "months or longer" to discover. The disparity between the two statistics is probably accounted for by the difference in capabilities - companies that are breached are not in the business of cybersecurity. Their teams do the best they can with the tools they have, but they are underequipped and unable to analyze and respond to the threat landscape with the precision of cybersecurity providers.
These reports highlight the need to have a strong cybersecurity plan in place, not only technical measures but operational ones too.
Over a quarter of attacks come from insider threats, with about 17% of all breaches resulting from employee error and 4% coming from clicks on phishing campaigns.
Insider threats can be partly addressed through technical measures, but they also require clear policies regarding data operations, regular auditing of compliance measures, and consistent employee training.
A well-equipped, well-prepared team can mean the difference between prevention, neutralization, and recovery on the one hand, and a staggering blow to productivity and consumer trust on the other.
Alphabet-owned company Chronicle just announced a new product offering - Backstory.
The small Google affiliate promises affordable pricing based on the number of employees that a company has rather than the amount of data used. Depending on what those figures end up being - it could have a big impact on the state of cybersecurity regulation.
The FTC is the de facto enforcer of cybersecurity standards among businesses, and they have moving goalposts regarding the adequacy of a company's cybersecurity practices:
"From the outset, the FTC has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses. For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors. Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data."
Taken with the possibility of affordable cybersecurity solutions based on company size, smaller ventures no longer have the reasonableness standard to hide behind when they engage in poor cybersecurity hygiene. Even though the standard remains the same, this means "more" regulation.
Even if the potentially lower costs still mean adding an extra expense, it's really a big win for consumers and businesses alike. Consumers can feel more confident sharing their data with businesses (which is often part of a company's business model), and companies can rest easier knowing that they no longer have to be the ones who let customer data leak for lack of trying.