In just about 3 weeks, the 1st Quarter of 2019 will be over. So far, the financial markets seem to have regained most of their losses from late last year, and the controversies surrounding the Trump Administration never seem to stop, so nothing new there.
But on other fronts, especially that of Cybersecurity, there isn’t too much changing either. To be honest, as much as I read the headlines, I have not seen too many about data breaches, which might be good news. Or, it could be the calm before the storm.
But either way, Corporate America is still not equipped to handle a large-scale Cyberattack on its IT Infrastructure. This is at least according to a recent study conducted by Experian, called “Is Your Company Ready for a Big Data Breach?” More details of the study can be seen at this link:
Overall, it found that only 36% of businesses and corporations are fully equipped to deal with a Cyberattack in case they are ever hit by one. This extremely low level of “optimism” has been brought on by four key attributes, which are as follows:
*The Engagement of the C-Suite:
Ah yes, everybody loves to blame the C-Suite when something goes awry. After all, they are the leaders, and the buck stops with them, right? Well, according to the study, 49% of the respondents feel that their CIO/CISO has no clue as to what is going on, and 81% believe that if their CIO/CISO were actually engaged, all of the response plans that have been created (such as the Incident Response, Disaster Recovery, etc.) would be a lot more effective.
*The Existing Security Processes That Are Already in Place:
An alarming 63% of the respondents have no clue as to what access permissions, rights, and privileges their non-IT employees have when it comes to accessing confidential and private information/data.
*A Lack of Employee Training:
This is one area that I have harped upon and written about extensively in my blogs last year. Every organization must train their employees about good “Cyber Hygiene”, how to maintain it, and the penalties for not following the Security Policies that have been set forth. 27% of organizations polled in this survey do not even have a formal Security Training program in place, and because of that, 47% of them do not even know how to handle a Phishing Attack.
*Having effective Response Plans in place:
An alarming 42% of business entities have claimed that they don’t even have an Incident Response (IR) or Disaster Recovery (DR) plan in place, and among those that do have one, 23% have not even updated it in recent years. Even worse, among organizations with offices overseas, only 46% have an IR or DR plan in place, and those plans have never been tested.
Because of all of this, the confidence level remains low in Corporate America when it comes to dealing with a Cyberattack. For example:
*Only 36% feel confident that they can successfully overcome the effects of a Cyberattack;
*35% of organizations in Corporate America have experienced a Security Breach at least three times just in the last two years;
*Only 36% are actually abiding by the provisions that have been set forth by the General Data Protection Regulation (GDPR) Legislation;
*Only 21% of organizations feel that they can contain the damage if their customer databases were ever hacked into;
*53% of business entities in Corporate America have no clue as to what Cyber Insurance is, and how it can be used to financially protect them.
In another independent survey that was conducted by a Cybersecurity firm known as “4iQ” (this was called the “IDENTITIES IN THE WILD: THE LONG TAIL OF SMALL BREACHES”) it was discovered that:
*There was a staggering 400% increase in the number of Security Breaches in 2018 alone, which exposed almost 15 billion PII-based records;
*Although we keep hearing about Security Breaches that have transpired in Corporate America, the Federal Government has also been a huge victim as well, with a 291% increase in Cyberattacks;
*The United States and China together accounted for 47% of the total number of Security Breaches that occurred in 2018;
*The following are the largest Security Breaches that occurred in 2018 alone:
1) Anti-Public Combo Collections – (Hacked) Sanixer Collection #1-6, 1.8 billion unique email addresses;
2) Aadhaar, India – (Open third-party device) 1.1 billion people affected;
3) Marriott Starwood Hotels – (Hacked) 500 million guests’ PII;
4) Exactis – (Open device) 340 million people and businesses;
5) HuaZhu Group – (Accidental Exposure) 240 million records;
6) Apollo – (Open device) 150 million app users;
7) Quora – (Hacked) 100 million users;
8) Google+ – (API Glitch) 52.2 million users;
9) Chegg – (Hacked) 40 million accounts;
10) Cathay Pacific Airways (Targeted attack) 9.4 million passengers.
Details on this report can be seen at the link below:
My take on all of this?
Well, these are certainly not numbers to be laughed at. They still show that, despite all of the headlines that large-scale Cyberattacks have received and all of the damage that they have caused, Corporate America is still far behind the times.
From what my contacts who attended the RSA Conference last week tell me, all of the talk was about how to create newer Security Technologies, especially as they relate to Artificial Intelligence and Machine Learning. My point is: why even bother exploring the use of these new tools if we cannot get the basics right?
Remember, a good, fortified line of defense does not mean that you have to use the latest and greatest tools. Heck, you can even use Firewalls and Routers from three years ago, as long as you have continually kept them patched with the latest software updates.
I find that the first survey puts a lot of blame on the C-Suite. While this is partially true (after all, they are the leaders of their own organizations, and direction comes from the very top of the food chain), it is the mid-level IT Managers that must bear a bigger part of the blame. After all, there is nothing stopping them from creating an employee Security Awareness Training program, or even testing their Response Plans on a regular basis (such as once a quarter).
And, there is no reason whatsoever why these mid-level managers cannot keep track of the permissions that they assign to the non-IT staff for conducting their daily job tasks. I think the fundamental problem here is not the technology itself (after all, in this aspect it’s just garbage in and garbage out) but the psychology of the people themselves.
It all comes down to this one thing: I have never been a victim of a Cyberattack for this long, so why should I care about protecting the IT Assets of the company that I work for? The chances are that it will never happen to my organization.
Aha, BUT WAIT UNTIL YOU ARE HIT WITH A CYBERATTACK!!! THEN YOUR ENTIRE VIEW WILL CHANGE. Unfortunately, at least here in Corporate America, this is what it takes to get people proactive about protecting their IT Assets, Intellectual Property, and Customer-related PII.