Spending on security reached $76.9 billion in 2015 and is predicted to grow to $170 billion by 2020. Will steadily increasing funding solve the cybersecurity challenge once and for all? Based on similarly increasing trends in the number of data breaches, probably not. In this week’s CISO Beat, we look at what CISOs on Twitter are talking about including the astonishing prevalence of data breaches, the rise of ransomware, cyber attacks on hospitals that put lives in the balance, and how to hire a CISO with the right combination of technical and business skills.
— Farhaad Nero (@FarhaadNero) May 18, 2016
Over 70% of organizations suffered from a data breach in the past year. Part of the challenge lies with the increasingly mature economy around cybercrime and cyber espionage. The most highly publicized threats often involve zero-day vulnerabilities or sophisticated malware but many successful day-to-day attacks target the human element of information security.
Ingenious phishing campaigns have proved a potent strategy for stealing anything from login credentials to sensitive information. 41 companies in Q1 fell victim to a simple attack in which hackers impersonated employees and asked for W2 information. In these cases, the answer may be a low-tech response rather than the latest, most expensive software. 23 percent of phishing recipients open emails, and 11 percent actually open file attachments. Phishing education can put employees on the lookout and lower these numbers.
who says phishes aren't effective? https://t.co/0K3kIq2A3X
— Randy Marchany (@randymarchany) May 18, 2016
It’s impossible to discuss trends in threats today without mentioning ransomware – malware that makes data inaccessible unless the victim pays a ransom. Ransomware originally targeted attacks on individuals but today they have pivoted to become a formidable threat to larger companies. Just this past week a Canadian university paid a $20,000 ransom. Ransomware attacks start from such a wide variety of vulnerabilities, from phishing to malvertising, that a company’s best bet is to look at their overall security posture and improve at the basics.
Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices. https://t.co/nc1r8AJut1
— Troels Oerting (@TroelsOerting) May 17, 2016
Ransomware attacks have proven particularly damaging for hospitals and healthcare providers, whose volume of sensitive data can easily outpace their information security budget. A Kansas hospital recently paid a ransom only for hackers to later demand an additional payment. Hospitals have few options once an attack has begun, since patient data is critical to proper treatment. Taking preemptive action to work with security consultants and raise awareness may be cheaper than the alternative of waiting for the inevitable attack. It’s not surprising that high profile industry experts have expressed disgust at profiteering off potentially life-threatening situations.
— Zlata Pavlova (@pavlova_zlata) May 14, 2016
Security breaches cost enterprises an enormous amount of money each year. According to a recent report, the average cost for a breach is a frightful $3.79 million, a 23% increase over the past two years. Lost revenue from reputation is a lingering expense and can even be an existential threat for medium-sized companies in competitive or highly regulated industries. Despite the cost of a breach, experts claim companies still don’t adequately invest in security capabilities that can prevent or mitigate the effects of a breach.
TalkTalk profits halve after cyber-attack https://t.co/ZEtAdLGzwr
— Theresa Payton (@FortaliceLLC) May 15, 2016
If infosec is important companies would invest in fixing it. Companies don't invest in infosec so it must not be important.
— s (@selil) May 16, 2016
Part of the disconnect between the cost of breaches and insufficient budgets may owe to the security department’s failure to advocate for itself. Many CEOs and boards of directors pay lip service to cybersecurity but lack the technical knowledge to know where to invest. They may require additional convincing to increase spending or lead strategic initiatives across the entire company.
Chief information security officers preside over a highly technical department which may not be inherently connected with business leaders. Part of the CISO’s responsibility is to translate technical challenges into business terms that will resonate with the board of directors. Governance, risk, and compliance teams are valuable allies in the mission to communicate information security risk to business leaders.
— Dan Lohrmann (@govcso) May 20, 2016