As I was stuck in rush hour traffic this morning I thought of a joke: "As I was walking along sad and dejected, a voice said 'Cheer up! Things could be worse'. So I cheered up and sure enough things got worse."
If you were dejected by the bad cyber security news last year, cheer up. Things will get worse. (Refer to my previous post "Cyber Attacks: What to Expect in 2020".)
In all seriousness, 2019 was the worst year to date for data security. According to the Ponemon Institute/IBM Cost of a Data Breach Report, the average cost of a data breach increased to almost $4 million. The number of data breaches in the first half of 2019 increased by 54%, with almost 4,000 publicly disclosed breaches. More than 4.1 billion records were exposed. Totals are expected to be higher in 2020.
Two posts on the Cyber Security Intelligence website (https://www.cybersecurityintelligence.com/blog/five-risks-that-will-define-cyber-security-in-2020-4735.html, why-an-effective-security-culture-is-essential-for-your-organization-4746.html) list the top cyber security risks and ways to address them.
- Insider threats: According to Verizon more than a third of all data breaches are caused by insiders. This includes intentional data theft and accidental disclosure. Defenses include employee monitoring and loss prevention software.
- Phishing scams: Hackers are repurposing data from previous breaches to make emails that look authentic and are harder to detect. Personalization and HTTPS encryption will be a normal part of these scams. (Suggestion: treat any email that is unexpected or out of the ordinary as suspicious, especially if it includes a request for a fund transfer or an attachment.)
- Exposed databases: Cloud computing presents increased opportunity for hackers to access large amounts of data (a researcher found 1.2 billion records on a single server). Technological advancement cannot come at the expense of data security. Critical data must be password protected with limited access.
- Security professional burnout: An estimated 65% of cyber security professionals consider quitting their jobs, or leaving the profession altogether. Chief information security officers (CISOs) have an average tenure of 18-24 months. High turnover and unfilled positions create lack of continuity and increased opportunity for hackers. Increased automation can reduce stress levels.
- Misaligned priorities: In an Australian survey only 6% of CEOs knew they had experienced a data breach, compared to 63% of CISOs. 44% of CEOs thought their company could respond rapidly to a data breach, but only 26% of CISOs thought so.
Taken together, these risks show that one of the biggest, if not the biggest, cyber security threats is indifference. Poor security is largely a people problem that cannot be solved by a technological fix. As one of the blog authors put it, "there's no simple patch for human error". An organization must be committed to cyber security and ongoing education, not limited to occasional staff training sessions. Employees must learn the real-world consequences of lapses such as weak passwords (hint: if you memorized your password, it's probably not strong enough) and downloading malware. Developing a culture of cyber security must be ongoing until it becomes second nature for everyone.