The past decade has seen an exponential rise in the number of cyber-attacks affecting the IT and connected cyber systems of businesses across industries and geographical boundaries. No one is immune to the threat, and whilst the cost to economies is significant, the cost to individual businesses can be disruptive.

Often, the best antidote to technology-induced stress is better awareness and appropriate investment. The threat to personal and business data from hackers and dark actors is one such example. Over the last decade, there has been an exponential rise in the number of cyber-attacks. A staggering four billion records were breached in 2019 compared to (what, in retrospect, now seems) a tiny 220 million records in 2009. The average cost of a data breach in 2019 was estimated to be $3.9 million, a figure that was 1.5% up from 2018 and represents a 12% increase over the last five years.

Scary as the trend is, the response to it from customers and business users is amazing: customers say they lose trust in a corporation that experiences cyber threats but are unwilling to sever ties with the corporation. Instead, they would rather change the passwords to their accounts and, at most, become more selective about who they share their financial information with.
To put this behavior in perspective, it is safe to assume that most users have accepted the fact that they live with cybersecurity threats and this “abnormality is the new normal”.
The normalizing of the cyber threat vector to data must end. We must use this as an opportunity to enhance our knowledge and processes, build right-sized technology platforms, and use newly emerging ML/AI tools and techniques to combat cybersecurity threats.
With this proactive approach, we could have prevented or minimized the damage caused by some of the headline-making cyber-attacks in 2019: A team using the notorious “Sodinokibi” ransomware got its hands on 5GB of personal data (dates of birth, social security numbers, card information) from Travelex on December 31. In December last year, Wawa, a convenience store chain on the east coast of the US, discovered that it had suffered a massive data breach involving payment information starting in March 2019. In one of the biggest cyber-attacks ever, a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications earlier this year. These are some examples of publicly known cyber-attacks, and we do not know the extent of undetected or unreported breaches!
So, where is the problem? If the cyber threat is so widely understood and experienced, then why are the incidents not reducing?
The answer lies in the fact that business leaders still treat cybersecurity strategy as another risk management exercise. They do not understand that the need is to thoroughly assess the security of their IT estate, get their basic threat detection and response right, and continually improve their defenses by deploying predictive, automated, intelligent, self-learning, and real-time threat prevention technologies. One survey in 2018 found that only 63% of CEOs were concerned about cyber threats that have adversely affected their organizations' growth predictions. That’s a shocking statistic on cybersecurity strategy and should explain how deep the problem is.
Of course, most organizations are helpless because of a scarcity of skills. The good news is that despite the low skill level, cybersecurity spending is forecast to grow dramatically. Gartner forecasts that the global information security market will grow at a five-year CAGR of 8.5% to reach $170.4 billion in 2022. The challenge is to ensure that the spending is directed toward the future of cybersecurity. Many organizations won’t (blame it on a dearth of knowledge), and several others will continue using yesterday’s cybersecurity solutions to fight tomorrow’s cyber wars. The bad guys know this. It’s only a matter of time before their exploits make the headlines.
Organizations could turn the tide by becoming sufficiently informed and proactive, and by creating a culture of securing the organization's crown jewels. The responsibility for cybersecurity cannot be placed only in the hands of the IT organization. Individuals should also shoulder the responsibility. Major changes in online behavior and the processing/management of personal data are necessary, along with an understanding of the limits of current cybersecurity solutions. Users must know when and how to change privacy settings and read the terms and conditions used by organizations in the management of personal data before accepting them. In general, the culture of data security must be strengthened.
The average knowledge about cyber-attack prevention is deficient. Yes, cybercriminals are getting better all the time. But if we become proactive in our approach instead of reactive, they can be pushed back continually and hopefully kept mostly at the drawing board!
Wishing all readers a happy and secure decade ahead!