We’ve reached a tipping point in cyber-crime and the bad news is that the bad guys are winning.
The top five hacks since 2011 affected more than 211 million users worldwide. Verizon's 2012 Data Breach Investigations Report counted 855 corporate data breaches involving 174 million compromised records last year. That was the second-highest data loss total since Verizon started keeping track in 2004, and Verizon found that 96 percent of the attacks were not highly difficult and 97 percent of the breaches were avoidable through simple or intermediate controls.
Government systems have been compromised. Social networks have been compromised. Even a leading security company has had its systems breached.
Besides a PR nightmare and the loss of users' trust, what is the cost? The average cost of a data breach in 2011 was approximately $5.5 million, according to a study by the Ponemon Institute. That should be enough to get the attention of the top executive in every major corporation.
And yet, a recent Forbes headline put it bluntly: “Boards are still clueless about cyber security.” The article cited a survey of senior executives and board members by the Carnegie Mellon CyLab. According to that survey, even in the financial services industry, only 44 percent of boards were actively addressing computer and information security.
But regulators are paying attention – and corporations have been put on notice.
In October 2011, the SEC's Division of Corporation Finance issued guidance stating that public companies should disclose cyber security risks and incidents if they materially affect the company's products, services, relationships, or competitive condition, or if they would make an investment in the company speculative or risky. Six companies, including Google and Amazon, have since revealed that the SEC asked them to disclose cyber attacks in the quarterly reports (Form 10-Q) that public companies must file with the SEC.
In light of this, a board or executive team that fails to manage cyber risk properly may face claims of breach of fiduciary duty or negligence, leaving the company open to lawsuits, a drop in its stock price, loss of market share, or serious reputation damage. That's a sobering thought, and yet the problem persists. Why are corporations lagging behind on cyber security?
There are three key reasons:
1. Executives think that what they're doing is working. As far as most of them are concerned, no news is good news, and every day that goes by without a problem reinforces that perception. If what they're doing is apparently working, why change?
2. They don't know what they don't know. Because many corporate executives have no visibility into what is actually happening in their security environments, IT security becomes a lower-level responsibility. They may not even have a Chief Information Security Officer, or CISO, so issues and concerns rarely reach the executive conference room.
3. Because of the two reasons above, the C-suite has no way to size up and appreciate the risks. Even when executives are made aware of issues, those issues are often communicated in hard-to-understand technical terms rather than business terms. We hear about this threat or that breach as discrete events, but we're not connecting the dots.
And that's a big deal, because it's only when we connect the dots that patterns begin to emerge and we see how these seemingly disparate data points are related. I like to use an analogy from Alfred Hitchcock's "The Birds": instead of spotting a random crow here or there, we see them swarming together, as in that film's famous scene. And when we do, we begin to see the magnitude of the threat and where the attacks are coming from.
Now, those aren't the only reasons why corporations are lagging behind in cyber security. There are other factors – for example, the increasing complexity of the typical corporate IT environment. Corporations are no longer the self-contained, walled cities they used to be. Because of things like virtualization, the cloud, software-as-a-service, and outsourcing, it's difficult to understand where one company's infrastructure ends and another's begins.
We need to acknowledge that we have, in fact, reached a tipping point. That means we can no longer, as the old saying goes, continue to do the same things over and over and expect a different outcome.
We also need to open our eyes to the strategic importance of cyber security. If something can cost you millions, destroy your profitability, alienate your loyal customers, ruin your reputation, and leave you open to lawsuits and prosecution, then it certainly deserves attention from the highest levels of your organization.
We need to make a fundamental shift: from tactical, piecemeal security measures to comprehensive, integrated strategies; from plugging holes to managing risk; from a reactive, defensive approach to a proactive, predictive approach that can thwart the vast majority of cyber security attacks. As I noted earlier, 96 percent of attacks are not highly difficult and 97 percent can be avoided.
That's because most attackers are opportunistic, even lazy. They go for the path of least resistance. If you don't give them one, they simply move on to an easier target.
Mark Hatton is President and CEO of Core Security, a Boston-based leading provider of predictive security intelligence solutions for enterprises and government organizations.