In April 2018, Verizon released the 11th edition of its Data Breach Investigations Report. As usual, the Verizon DBIR contained interesting data points culled from more than 53,000 incidents and 2,216 confirmed data breaches. It won’t come as a surprise to many to learn that outside agents were responsible for the majority (73%) of cyberattacks in 2017. What may be surprising, though – and is undoubtedly disconcerting – is the assertion that internal actors (i.e., employees and contractors) were behind 28% of data breaches, with financial gain and espionage being key drivers.
More recently, in September 2018, Kaspersky Lab released an unsettling report for company executives already sensibly nervous from the results of the Verizon findings. The report concluded, in part, that “almost one in three (31%) data breaches in the past year have led to people losing their jobs. And, among these, at 29% of [small businesses] and 27% of [large] enterprises, it was senior non-IT employees that were laid off.”
HAVE WE YOUR ATTENTION NOW?
Both the Verizon DBIR and the Kaspersky report deliver a familiar and unflattering litany of how organizations lose data. When cybercriminals attack a system, they can gain access in as little as a few minutes (87%). Companies’ response time – or even recognition of an infiltration – is slow in comparison, with Verizon asserting that 68% of attacks went undetected for months or longer. This passage of time not only gives thieves more opportunities to remove data, but also reflects poorly on executives trying to explain the period from access to discovery.
It appears that many of these attacks are as simple as a phishing email-click by an employee. While people are getting better at recognizing, and not clicking, suspicious messages, Verizon reports that 98% of incidents and 93% of breaches began with phishing or pretexting (which Verizon defines as the creation of a false narrative to obtain information or influence behavior).
The summary from the DBIR – ranging from hacking and malware to gain access, or the 28% of insider roles – is relatively consistent from year to year. After all, would those kind Nigerian princes keep offering us a share of their wealth if we did not continue to help them at least some of the time? Attackers, like most people, choose to use proven methods against relatively under-protected assets. And with a recent report of potentially 50 million Facebook accounts being hacked, the question for some is: What can the small-business (SMB) segment (under 1,000 employees) do against this, given the paucity of resources in comparison with a Facebook or multinational enterprise?
This is where the Verizon and the Kaspersky reports present a grim picture for executives and senior management. It isn’t just the executives and board members of large companies like Target being affected. In North America, Kaspersky reports that 32% of breaches led to a member of the C-suite losing his or her job. And while some would suggest that being the head of IT is a perilous role, nearly 30% of SMBs and 27% of large enterprises fired senior, non-IT personnel. This highlights how protecting data is a team sport that, when done properly, involves a broad range of stakeholders, but if done poorly, will often result in non-IT stakeholders leaving the building.
So what is an executive to do when Kaspersky reports that 42% of businesses had to deal with a data breach last year, and Verizon states that 58% of those fit roughly into the SMB category?
- 72% of organizations consider themselves well or even perfectly equipped for an incident, but this is clearly not the case. Engage external advisors to provide an independent assessment of your readiness.
- Kaspersky reports that 20% of sensitive customer and corporate data resides outside the corporate perimeter. Understand what data you have and where it is, especially as we use mobile devices and cloud services, and rely upon third parties. Test those and ask difficult questions.
- Given the continuing weakness of the human component, emphasize training and ongoing awareness campaigns. How can employee attention to security risk be made more intuitive? Training once a year typically will be ineffective.
- Encrypt if possible. Most state breach-notification laws contain either an exemption for encrypted data or a risk analysis that benefits from securing data at rest and in transit. Further, because of the ease with which user credentials are stolen, seriously consider implementing two-factor authentication as an additional safeguard.