[BreachExchange] The Next Cyber Breach Could Be Closer Than You Think

Destry Winant destry at riskbasedsecurity.com
Wed Apr 15 10:18:15 EDT 2020


Complacency remains one of the greatest threats to cybersecurity. And
while new regulations like GDPR or those from the New York Department
of Financial Services (NYDFS) serve as occasional wake-up calls,
organizations and business owners appear to keep hitting snooze. This
complacency flies in the face of increasing cybersecurity incidents
and vulnerabilities, as well as increasing costs and fines associated
with those incidents. According to a Hiscox cyber readiness report
(download required) published in 2019, 61% of firms surveyed reported
an attack in the last year, a significant increase from the 45%
reported in the previous year. Meanwhile, IBM and the Ponemon
Institute (via CSO) found that the average cost of a data breach is
nearly $4 million.

What will it take to wake organizations up? As the CEO of a company
that provides third-party cyber risk management solutions, I've
learned that complacency is often the result of confidence or boredom
— call it "it won't happen to me" syndrome. Well, in all likelihood,
it will happen to you. Here are just a few reasons that the next cyber
breach could be a lot closer to you than you think and what to do
about it.

Cybercrime Remains Prevalent

Not only is the overall number of cyber incidents increasing, but so
is how often individual organizations are hit. A Risk Based Security report (via TechRepublic) found that
there was a 50% or greater increase in data breaches between 2015 and
2019, with 27% of organizations Hiscox surveyed experiencing four or
more attacks in the year prior. And no industry is spared. From
financial services to health care agencies to government
organizations, hackers and cybercriminals do not discriminate. It also
doesn't matter what size your organization is; all businesses are at
risk. In fact, 2019 Accenture research (via CNBC) found that 43% of
all attacks targeted small businesses. And while research like NTT
Security's suggests that many traditional attack methods like
ransomware, phishing and insider threats remain strong, new trends
like supply chain attacks are emerging and creating a very lucrative
business for criminals. Information Age reported on a 2018 Bromium
study showing that cybercrime generated $1.5 trillion in profits —
roughly equal to the GDP of Russia. Staying on top of cybercrime
trends and attack methods is crucial to your organization's
cybersecurity because with that earning potential, it's hard to
imagine opportunistic hackers and cybercriminals will let up anytime
soon. Working closely with your chief information security officer
(CISO), reading industry publications and following cybersecurity news
sources can help you ensure you remain aware of those trends. And
knowing your own vulnerabilities can help you ensure those trends
don't put your organization in the spotlight.

Third-Party Relationships Can Create Vulnerabilities

In addition to the increase in the frequency of attacks, our growing
reliance on third parties and partners can bring outside breaches a
lot closer to home. Many organizations rely on a variety of third
parties and partners to conduct business. From payroll providers to
law firms and IT suppliers, third parties conduct and support critical
business functions that often require access to your organization's
data and networks. And the minute they have that access, their
security vulnerabilities can become yours. This expands your attack
surface from your own perimeter to the perimeter of your third
parties. Yet while cybersecurity is a given and growing priority at
most organizations today, third-party cybersecurity remains a second
priority for some. A 2019 study by the Ponemon Institute that my
company sponsored, "The Cost of Third-Party Cybersecurity Risk
Management," found that 53% of organizations surveyed experienced a
third-party breach in just the last two years, and the breaches cost
an average of $7.5 million. If you want to avoid the costly impact of
a third-party breach like the ones reported over those two years, it's time to
take a good look at your third-party cyber risk management program. A
good way to determine whether your third-party risk management program
is working is by asking whether it has led you to reconsider or even
end a relationship with a vendor. Ultimately, your program should help
you make confident decisions about which vendors you should continue
working with and which ones you should part ways with.

Digital Transformation Introduces New Risks

Finally, as our businesses continue to evolve and adapt to ongoing
digital trends, the opportunities for cybersecurity incidents only
increase. For instance, digital transformation accelerated our
adoption of third-party solutions like SaaS and cloud providers, as
well as IoT devices. I covered the risks third parties can create in a
previous article, but IoT devices can also open up several new attack
avenues to your employees and your organization. In fact, one F-Secure
report (via Forbes) claimed that cyberattacks on IoT devices increased
by 300% in 2019 alone. These attacks are likely the result of both
rapid production and adoption of digital solutions and projects to
overcome obstacles and increase speed to market. As businesses jump on
this trend, they often put CISOs and security teams in the crosshairs
as they weigh business benefits over security risks. Involve security
teams in the selection and adoption of new technologies and vendors:
This is a great way to reduce the risk these technologies and vendors
can create and protect your business.

It's easy to think "that won't happen to me," or worse, that breaches
are an inevitable cost of doing business these days. But in most
cases, they can be avoided, or at the very least be mitigated, if they
do occur. It simply requires waking up from complacency and paying
more attention to your evolving surroundings.
