Unfortunately, a data security incident is no longer an eyesore or ear-sore. The number of attacks are increasing and scaling to higher points of sophistication. “It’s a 24-7 onslaught. It’s a barrage of attacks and attempts to penetrate the defenses,” as was stated by Websense director of security research, Jeff Debrosse. The onslaught indeed continues. But sadly, businesses are caught under-prepared or defenseless; but are settling with credit card issuers by paying millions of dollars. While the growing sophistication is a moving menace, companies are also found devoid of understanding of their own vulnerabilities and what to do about them.
In the Verizon 2015 Data Breach Investigations Report, the firm’s enterprise solutions global security vice president Mike Denning highlights about spotting “sizable gaps in how organizations defend themselves.” The report showcases “the real importance of managing data breach risks,” and finds that, contrary to popular belief of organizations always falling prey to high tech malware, intruders continue to rely on traditional techniques.
The report, developed in collaboration with 70 organizations from around the world, covers 79,790 risk events and more than 2000 confirmed incidents. Researchers elaborate on “detection deficit” – terms coined to define the time lapse between a breach discovery and the actual time of its occurrence. Menacingly, defenders could detect only 35% during the same time as attackers take to compromise systems while hackers executed their plans within minutes in 60% percent of breaches.
While malicious software and rogue cloud services continue to impede growth by obstructing business as usual, enterprises continue to overlook insider threat at their own peril. Unscrupulous current or former employees gaining access to critical business information could cripple business continuity. The 2014 Global Economic Crime Survey conducted by PricewaterhouseCoopers reveals that current employees contribute to more than 50% of large scale economic crimes which include cybercrime. On the other hand, cyber threats including lack of data security keeps 49% of the global CEOs concerned.
CEOs keeping concerned, however, have hardly changed the threat landscape as worries have seldom translated to effective actions. Time is now ripe for the C-Suite to get truly active as growing awareness and easy information could lead to disastrous reputational loss. Sympathy for boardroom members and errant companies is becoming increasingly scarce as documented by Websense in its international survey of 102 security executives from 15 countries following the 2015 e-Crime Congress.
A massive majority, 98% to be precise, favored strict legal intervention in consumer data loss cases. Jail term and arrest of CEOs or board members were advocated by 16% of the respondents while fines and compensation for affected consumers were advocated by 65% and 55%, respectively. Seventy percent hold CEOs responsible for data breach while 13% attribute it to CSO – astonishing statistics for the heads of organizations.
An organizations’ vulnerability will increase with the growth of the ‘Internet of Things’ believe a staggering 93%, while companies don’t view data theft as a “high enough priority” believe 45%. More than one third – 35% – of the respondents think institutions view themselves as protected, but the technology in use is not evolved enough to prevent data theft.
Websense information security & strategy officer Neil Thacker rightly points out that information security skills shortage coupled with data explosion could pose serious challenge for many companies. “Implementing a data theft prevention control that provides a data-centric approach to security, alongside building a culture of security accountability across the business through collaboration, is essential to keep data protected.” This sounds like the perfect mission statement for a cybersecurity arm of an organization, but is this a realistic view by the organization as a whole?
On the other hand, Mike Denning of Verizon states, “While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases.”
While the virtues of a mature IT risk management to drive business performance can never be emphasized more, covering the bases include shared responsibility backed by unforced accountability supported by collaboration of a technology partner. Overcoming information security challenges will immensely contribute to sustaining business performance in the volatile economic landscape and integrating technology risk management into business planning will help in putting risk management into practice. Further, an evolved toolkit takes care of streamlining the overall risk management process, goes a long way in earning compliance and allows you time to look after other important facets of your business.