Escalating cyber-attacks on corporations, infrastructure, and organizations have created an environment of uncertainty and, in some cases, panic over the implications of data breaches. Despite the trends of greater frequency, sophistication, efficacy and liabilities associated with incursions, the industry has been mostly unprepared and slow to act.
Tools for hackers have become more readily available, and cyber-criminal gangs are becoming more pervasive and skillful. At the same time, nation-state actors and terrorists are also becoming a more powerful part of the cyber-threat landscape. The bottom line is that in the wake of these developments, the mindset behind corporate cybersecurity needs to change from passivity to preparedness.
A 2015 survey from the Ponemon Institute and Fidelis Cybersecurity highlights troubling data about the state of cybersecurity among corporate C-Suite leadership. In their governance survey, they found that 76 percent of respondents indicated that their boards review or approve security strategies and incident response plans. However, only 41 percent of board members claim to have expertise in cybersecurity, while another 26 percent reported that they have minimal or no knowledge of cybersecurity.
The most recent large-scale cyber-attacks may serve as a wake-up call that makes boards rethink the need for security expertise. On October 21, hackers attacked Domain Name Service (DNS) provider Dyn, causing disruption to major components of the internet’s infrastructure and temporarily bringing down hundreds of websites, including Twitter, Reddit, PayPal, and Amazon Web Services. The outage was the result of a Distributed Denial of Service (DDoS) attack. A typical DDoS attack sends millions of bytes of traffic to a single server to cause the system to shut down. The Dyn DDoS reached upwards of 1.2 terabytes (1,099,511,627,776 bytes) of data every second, introducing an entirely new scale of attack. Perhaps the most interesting (and frightening) aspect of the Dyn attack was that it leveraged Internet of Things devices. Dyn determined that at least some of the attacks were launched by common devices like digital routers, webcams and video recorders infected with malware.
In our evolving digital world, anything and everything is likely to be connected. The rapid proliferation of Internet of Things (IoT) devices (Cisco predicts 50 billion devices by 2020) implies that future DDoS attacks will likely become much more prevalent and disruptive. A report from application delivery firm Incapsula found that an unmitigated distributed denial of service attack costs a company an average of $40,000 an hour. But it is not just DDoS threats that are cause for concern – malware, phishing, ransomware, and malicious actions from insider threats have run rampant, and companies are often easy targets, offering low-hanging fruit for hackers.
Currently, ransomware, which is spread mostly via phishing activities, is the top threat to companies in both the public and private sectors. Ransomware allows hackers to hold computers and even entire networks hostage until electronic cash payments are received. Ransomware is not a new threat (it has been around for at least 15 years) but it has become a trending one. Last year, the FBI reported more than 2,500 incidents of ransomware cyber-attacks.
Indeed, breaches in all industries are on the rise from a variety of types of digital incursions. This is evidenced by the spate of high-profile breaches over the past few years – Target, Home Depot, Anthem, the OPM and many others. In fact, it is estimated that more than 40% of all corporations suffered a breach during the past year. According to the latest data breach count from the Identity Theft Resource Center (ITRC), there have been 809 data breaches recorded this year through October 25, 2016, and nearly 30 million records have been exposed since the beginning of the year. ITRC analysis also includes more alarming numbers that make corporate boards’ lack of cybersecurity expertise a concern:
- The medical/health care sector leads all sectors in the number of records compromised to date in 2016. The sector has posted 36.2% (293) of all data breaches this year. The number of records exposed in these breaches exceeds 14 million, or about 48.4% of the total so far.
- The government/military sector has suffered 56 data breaches this year, representing about 41.3% of the total number of records exposed and 6.9% of the incidents. More than 12 million records have been compromised in the government/military sector to date.
- The business sector accounts for more than 2.5 million exposed records in 354 incidents. That represents 43.8% of the incidents and 8.5% of the exposed records.
- The number of banking/credit/financial breaches totals 34 for the year to date and involves more than 26,000 records, some 4.2% of the total number of breaches and about 0.1% of the records exposed.
- The educational sector has seen 72 data breaches in 2016. The sector accounts for 8.9% of all breaches.
A new 2016 Bankrate report found that 41 million adults in the United States have had their identities compromised, and Security Scorecard’s 2016 Healthcare Industry Cybersecurity Report states that over 75% of the health care industry has been infected with malware over the last year. It should be noted that these compiled statistics are based on reported breaches. Many companies, especially those whose stock price may be affected, are often reluctant to disclose information about breaches publicly.
A succinct summation that explains the reasons for internet vulnerability and the cybersecurity challenges was provided by Joel Brenner, the former counsel to the National Security Agency: “The Internet was not built for security, yet we have made it the backbone of virtually all private-sector and government operations, as well as communications. Pervasive connectivity has brought dramatic gains in productivity and pleasure but has created equally dramatic vulnerabilities. Huge heists of personal information are common, and cyber-theft of intellectual property and infrastructure penetrations continue at a frightening pace.”
There are significant financial consequences to heists of personal data and to heists of industry intellectual property. Cybersecurity breaches can disrupt a company’s operations, reduce shareholder value, and diminish brand reputation. In the past, companies found it difficult to quantify the return on investment for cybersecurity spending, but more and more financial data is being made available, and it is also building a framework and business case for cybersecurity insurance. The lack of board room understanding of cybersecurity is concerning.
Security breaches can and will happen, but there are guiding pathways for cybersecurity, and a company’s vulnerabilities can be lessened and mitigated. This can be done via gap analysis and comprehensive planning to better understand the how, why and where of cyber vulnerabilities.
Plans that are most successful often involve the leadership at the top of companies and organizations, commonly referred to as the C-Suite. To carry out plans that address cybersecurity weaknesses before they turn into damage, it is paramount that the C-Suite bring cybersecurity expertise to their boards of directors and advisory boards.
A successful C-Suite cyber threat strategy must incorporate activities to assess situational awareness, future risk, information sharing, and especially resilience planning. It is imperative for companies to create contingency plans for business continuity, disaster recovery, and incident response. It is also important that they create cultures of employee and stakeholder awareness so there is a basic understanding of cyber hygiene and the myriad digital threats.
However, without C-Suite subject matter expertise on security policies, best practices, regulations, liability, technologies, and the many other issues associated with cybersecurity, companies will remain largely unprepared. In view of the recent trends of cyber-attacks, the imperative of bringing the best and brightest cybersecurity expertise to board-level roles needs to become a higher priority.