12 November 2017

Our global economies, industries, and competitive markets require that we become progressively more interconnected to one another. On both a personal and commercial level, we are creating deep levels of connectivity between multiple communities and devices via laptops, televisions, thermostats, security systems, appliances, mobile and music devices, commercial equipment, building management systems and the list goes on. This myriad of connected devices is known as the Internet of Things (IoT).

The economic and, in many cases, security benefits of being connected to the Internet, and the interconnectivity of systems, customers, employees, trading partners, and equipment, are strong drivers of doing business today and remaining competitive. In the words of John Chambers, former CEO of Cisco, “…picture living in a world where everything is connected, and the possibilities that creates is limitless. The industry is on the precipice of an explosion of IoT-related products and services coming to market.” The advantages of being connected to the Internet also come with risks that must be managed to ensure that the economic and social advantages are not turned into a disadvantage or, potentially, a disaster.

The increasing interconnectivity of personal, infrastructure, and business systems, and a growing and progressively more open market for stolen data are only a few of the reasons that the landscape of cyber risk and the number of companies and individuals that are vulnerable to attack is growing at an exponential pace. Cybersecurity is big business. For example, only a few years ago the concept and perceived risk of a ransom attack was quite rare and remote; however, according to the Cisco 2017 Annual Cybersecurity Report, ransomware is growing at a yearly rate of 350%. Our interconnectedness establishes a sort of cyber supply chain that links our corporate, home, mobile and interconnected devices with the myriad of others to which we are connected. Just consider for a moment how many individual, corporate, social, shopping, and Internet connections you have on your own. Are you connected to your thermostat, lighting system, security system, garage door, refrigerator? Now imagine how many systems are connected in a business, mall, sporting facility or hospital.

Evidence shows us that organisations such as banks, government agencies, healthcare institutions and large corporations that maintain highly valuable data are more likely to be attacked, and attacked more frequently, than most. The reality is that no industry, location, organisation or individual is safe. As Chambers puts it, “there are two types of companies: those who have been hacked and those that don’t yet know they have been hacked.” While we cannot confirm or deny this assertion, we know with certainty that hacking and data breaches are increasing in frequency and impact. This trend spans industries and company sizes, and now even organisations thought to be at low risk for a data breach are finding themselves victims of ransomware or phishing campaigns. Attacks are being carried out on a substantial scale by a myriad of actors such as hacktivists, organised crime, nation states and hobbyists. Some recent attacks of note include the “WannaCry” ransomware of 12 May 2017. Delivered via a phishing email, this attack spread throughout the world within hours, executed by inattentive users and causing damage to insufficiently patched systems. The Petya ransomware attack on 27 June 2017 was another large attack that crippled firms, airports, banks, and government departments worldwide. The reasons to attack are as widely varied as the number of perpetrators, and sometimes the motivation is simply “just because we can.” There are also deliberate attacks mounted by sophisticated organisations that are designed to find ways into an organisation.

Given the economic impact and potential consequences of cyber-attacks, the lack of attention to and investment in cybersecurity is an area that deserves considerable attention. According to the Ponemon Institute, the average cost of a data breach is $3.62 million USD, which equates to an average of $141 USD per lost or stolen record. These are merely the direct costs (i.e., lawyers, notifications, consultants, etc.) and do not reflect the loss of consumer confidence that would follow. When large, publicly traded organisations are breached, their stock price will likely be affected, but they frequently have the resources to recover. A small or mid-size organisation may not be so lucky.

Nexia International conducted a global survey to assess the current state of cyber preparedness. A core goal of the survey is to provide insight into how organisations view cyber risk, what they are doing about it, and how they are providing executive management with the data they need to avoid, or at least mitigate, a security event.

Our analysis of survey responses indicates that there is still considerable education and investment required to reduce the level of cyber risk and improve organisational preparedness and responsiveness across most industries and geographies. There also appears to be a significant need for many organisations to improve their overall understanding of the cybersecurity risk landscape.

This report summarises our key observations:

  • Only 39% of respondents consider cybersecurity a top concern.
  • 46% of respondents across the Americas and 50% of the respondents in EMEA do not have a formal cybersecurity program. 76% of APAC respondents indicated that they have a formal cybersecurity program.
  • 50% of respondents indicated that hacktivists, organised crime, and employees – both current and former – are the sources of greatest cyber risk.
  • 20% of respondents have not conducted a cybersecurity assessment, and only 25% of respondents provide cybersecurity training to employees at least annually.
  • 20% of respondents who are required to have a cybersecurity program based on governmental, industry or customer requirements do not currently have one.
  • Limited time and budget along with a lack of qualified staff were the key reasons cited for not having an effective cybersecurity program.
  • More organisations that have a cybersecurity program reported experiencing a breach than those who do not have a formal cybersecurity program. However, it is the organisations that have a cybersecurity program that are more likely to identify a breach. We are unable to report on the number of breaches that go undetected.
  • The majority of the respondents indicated underinvestment in advanced cybersecurity initiatives such as a robust security incident response plan to identify, detect, and handle security incidents including data breaches.

The above, taken with the rest of the survey data and responses, highlights an overall lack of urgency and awareness of the need for a comprehensive cybersecurity program. And if the rising cyber threats and increasing fines are not enough for companies to rethink their cyber programs, there are ample new regulations that may provide the needed impetus.

Perhaps the most stringent and prescriptive of these regulations is the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018. This rule imposes very specific requirements on organisations holding EU citizens’ personal data, including appointing a data protection officer, encrypting data, adhering to stringent privacy standards, and much more. Fines in the event of a breach and a demonstrated lack of compliance could reach €20 million or 4% of corporate revenues from the prior year, whichever is higher.

The United States has seen a resurgence of cyber requirements. Since 2014, the Securities and Exchange Commission has stated that cybersecurity is one of its top concerns and has performed various “sweeps” across the financial market. Similarly, the Department of Health and Human Services has performed site visits of healthcare organisations to assess their compliance with data protection standards and has increased its investigations into whether organisations are compliant.

If there is any silver lining in all of this, most security experts would say that it all comes down to some basic controls and that most breaches are preventable. We know from our experience, as well as from reading numerous breach reports, that weak passwords, poor patch and vulnerability management, and a lack of user awareness account for a vast share of the security incidents in the news. And regardless of whatever sophisticated tools companies use to prevent and detect hacking, knowledgeable security professionals with proper training and governance are still required.

Our hope is that this report will help organisations determine for themselves where they stand in relation to others and motivate them to implement cybersecurity programs that will keep the hackers at bay and their intellectual assets safe.


As cyber-attacks keep increasing in number and have varied levels of negative impact on a large number of organisations globally, it is critical that organisations of all sizes and across all industries acknowledge the ever-changing cybersecurity landscape and its different threats, and be proactive in addressing them. Based on the survey responses, there are significant opportunities for improvement in the areas of cyber assessment frequency, awareness of threats, and investment. Progress is certainly being made, but organisations have a long way to go before they have a strong cyber program in place that provides robust and repeatable measures to guard against cyber-attacks.
