Based directly on IBM / Ponemon research, the following represent the top seven cyber security pitfalls that are opening US businesses up to massive financial liabilities, with the potential for something as serious as an extinction event.
-
INCONSISTENCY
IN ENFORCING SECURITY POLICIES
A security policy is clearly worthless unless it is correctly enforced, and its suitability is regularly checked. However, only 32% of respondents could claim their security policies are reliably applied and regularly audited. On top of this, less than half or 43% enforce them only occasionally, 17% fail to audit their suitability, and 7% have no policies in place.
-
NEGLIGENCE
IN THE APPROACH TO USER SECURITY AWARENESS TRAINING
Despite all the commentary about its importance, only 16% of respondents considered user security awareness training a priority. A massive 71% pay lip service to it by either including security awareness as a one-off event at employee on-boarding or reinforcing it once a year. The remainder, 13%, admitted they do nothing.
-
SHORTSIGHTEDNESS
IN THE APPLICATION OF CYBER SECURITY TECHNOLOGIES
Six of the nine most typical cyber security technologies had been deployed by only a minority of respondents. Web protection, email scanning, and anti-malware had each been rolled out by 50-61%, but the remaining six (including SIEM, firewall rules, and patch management) had been deployed by only 33% at the most (SIEM), or 25% at the lowest (intrusion systems).
-
COMPLACENCY
AROUND VULNERABILITY REPORTING
Only 29% of respondents could call their vulnerability reporting robust, with the majority, 51%, optimistically classifying it as adequate. Surprisingly, as many as 19% have no reporting, and 11% even said they categorically had no plans to investigate its deployment or usefulness.
-
INFLEXIBILITY
IN ADAPTING PROCESSES AND APPROACH AFTER A BREACH
Following a breach (experienced by 71% of respondents), only 44% implemented new technology, and only 41% changed their processes. Meanwhile, 42% started considering new technology, while 14% purposefully did nothing.
-
STAGNATION
IN APPLICATION OF KEY PREVENTION TECHNIQUES
Only a minority of respondents had implemented all of them. The most prevalent technique was full disk encryption on mobile and portable endpoints, but even this was only performed by 43%. Application white listing was implemented by only 38%, and logging of authenticated users’ activity was used by only 41%.
-
LETHARGY
AROUND DETECTION AND RESPONSE
Over the past 12 months, detection times had risen for 40% of respondents; response times were up for 44%; and resolution times had increased for 46%. In contrast, of the 2016 report, detection times had risen for only 28% of respondents; response times were up for 28%; and resolution times had increased for 27%. This shows that the rate of decay (and complacency) is growing
The survey shows that:
- Detection times have grown for 40%
- Response times have grown for 44%
- Resolution times have grown for 46%
So, in hard commercial terms, what does this vulnerability cost a typical SMB or enterprise? Beyond the readily identifiable impacts of a lost customer or downtime leading to lost opportunity, what are the wider implications? In the “2016 Cost of Data Breach Study: Global Analysis,” 1 IBM and Ponemon calculated a standard cost per lost or stolen record of USD $158. This calculation included direct expenses (e.g. engaging forensic experts, outsourcing hotline support, and customer relationship remedial costs such as discounts on products and services) and indirect costs (in-house investigations and internal communications). It also extrapolated typical values of lost customers and the impact of brand damage on future customer acquisition.
SMB | Enterprise | |
Average number of records held | 482 | 5,946 |
Average cost per lost / stolen records (IBM/Ponemon statistics) | $158 | $939,444 |
Average number of breaches suffered in 12 months | 0.32 | 1.05 |
Typical yearly cost of data breaches to a generic SMB/Enterprise | $24,465 | $983,139 |
In closing, cyber security should not be taken lightly. Companies should invest in their IT infrastructure, while setting strict cyber security test dates. Also, user training can go a long way – seeing how “human error” causes majority of cyber breaches. If you have any questions, please feel free to contact us 24/7/365.