The Year of the Cyber Defender
The digital threat landscape is shifting rapidly. Organizations large and small face a growing array of cyber threats from more sophisticated, motivated, and persistent attackers, including those backed by nation states and organized crime.
These disciplined and structured groups continue developing new tools and techniques for inflicting widespread, costly damage. Per the 2017 Data Breach Investigations Report issued by Verizon, there were more than 700 security incidents and above 100 confirmed data disclosures within the technology industry including software publishers, telecommunication carriers, cloud providers, and social media sites. Because of the insecure internet-facing web servers, most of the data compromised were sensitive data including user credentials and personally identifiable information.
In 3Q 2017, PayPal closed its acquisition of bill payments processor TIO Networks for $238 million. But only 2 months later, PayPal suspended the subsidiary’s operations because of a data breach. TIO reported late last year that a review of the company’s network identified a potential compromise of personally identifiable information, including financial, for approximately 1.6 million customers. An ongoing investigation has yet to uncover the breadth of information compromised, and the high costs associated with suspension of operations.
Based on the research performed by the Ponemon Institute, the pre-eminent research center dedicated to privacy, data protection and information security policy, it takes companies an average of 40 days to resolve a cyber-attack with a total estimated cost of $1 million. However, some attacks may remain undetected. Besides legal penalties, organizations can be forced to pay regulatory fines from the Federal Communications Commission, Federal Trade Commission, the Payment Card Industry Data Security Standard, and other regulatory agencies, as well as other organizations who are in contract with that company.
Technology companies are not immune. In 2017, River City Media, a huge email marketing organization reported a theft of 1.34 billion records. Fortune reported that River City Media failed to safeguard backups of its database of a billion email accounts, resulting in all that user information being available for anyone to see.
Another painful technology company breach in 2017 was Zomato. The international restaurant app experienced an account access breach that exposed 17 million records, according to Engadget. The hacker infiltrated the Zomato system and stole 17-million user IDs, usernames, email addresses and hashed passwords.
High impact breaches like River City Media and Zomato are wake-up calls not only for the tech sector, but for all sectors. Cybercrime damages will cost the world $6 trillion annually by 2021, up from $2 trillion in 2015, according to CSO online. The good news is that if 2017 was the year of the hacker, then 2018 is shaping up to be the year of the defender. Why? Because companies increasingly are starting to view cybersecurity issues as not just an IT problem—but rather a C-suite problem.
“Cybersecurity is finally becoming top of mind in the C-suite and the boardroom as executives realize that security breaches are not merely a cost of doing business— but rather an existential threat to their companies and careers,” said Shahryar Shaghaghi, principal and national leader of cybersecurity at CohnReznick.
He notes that companies are starting to make meaningful improvements in their cyber defense efforts but have a long way to go. For example, organizations took an average of 191 days to identify a breach in 2017, down from 201 days in 2016. What’s more, containing a data breach took 66 days, compared to 70 days, per the Ponemon Institute’s 2017 Cost of Data Breach Study.
But despite increasing focus on defense from the boardroom on down, the reality is that attacks will continue to come fast and furious. “An adversary in pretty much any situation is going to find their way if they are persistent enough,” said Hank Thomas, CEO and founder of Strategic Cyber Ventures, a venture capital firm focused on the cybersecurity market. “The trick is to be able to quickly identify when you’ve been breached so you can react and remediate faster than ever.”
That’s why Thomas is avoiding security startups that are building a higher wall or a deeper moat—or even putting an alligator in the moat. Rather, he is investing in technologies that hunt, deceive, divert and eject an adversary from a network. “First and foremost, organizations need an early warning of where attackers might be on their network so they can quickly do something about it,” he said. “That’s how we improve our chances.”
What Should You be Doing?
The most important first step to be a good defender is to start developing your cybersecurity strategy, which will outline how to best protect your “crown jewel,” your critical digital assets and infrastructure. Components of cybersecurity strategy includes a comprehensive cyber risk assessment of your organization to identify the highest areas of risks and vulnerabilities based on several characteristics including your operating model, products/ services, third party relationships, and culture aligned with one of industry standards such as NIST (National Institute of Standards and Technology). The result of this assessment will help you define strategy and develop supporting implementation plans to mitigate those risks based on priorities. During this process, you will determine how much risk you are willing to accept (based on various thresholds and impacts, and your risk appetite), what is your mitigation strategy, the level of financial investments, and other cyber risk transfer options, including managed security service providers and cyber insurance policies.
Up until now, the cyber war has not been a fair fight. The hackers have had the upper hand all along. But, in the year of the defender, the battlefield will tilt in favor of the good guys.
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.