Security Breach – Is Your Company at Risk

MAR 11, 2019

Ponemon Institute’s 2018 Cost of a Data Breach report puts the cost of the average data breach to US companies at about $7.91 million (U.S. dollars).   Looking ahead, cybercriminals will steal an estimated 33 billion records in 2023, up from 12 billion records in 2018, according to a 2018 study from Juniper Research.

As consumers, we are all aware of the harsh realities of data breaches. Thanks to well-known breaches, from Target’s 41 million stolen customer records in 2013 to Equifax’s whopper of 150 million records in 2017, we know that cyber data breaches, ransomware attacks, crypto-jacking and threats to our connected devices are threats we can’t ignore.

No industry is immune.  Healthcare, technology, retail and financial companies top the list.  Certainly, organizations with significant records are often big targets.  But what makes a company or industry more vulnerable?  What are they missing?  What can they improve?

Lack of Standardization

Lacking standardized cybersecurity processes impacts an organization’s ability to efficiently gain visibility and combat threats.  A mix of old and new systems also makes it more difficult to respond to a breach in progress. System administrators must often investigate individual applications and servers for hours to discover how the unauthorized entry occurred, which records were compromised, and how to terminate the unauthorized presence.

Failure to Use Well-Known Security Best Practices

Many companies are undone by neglecting the most basic security practices. Fundamentals such as network visibility, vulnerability management, configuration management, administrative privileges, and log management are all too easily ignored, leaving companies extremely vulnerable to cyber security breaches.

Lack of Qualified IT

A booming economy is good news for US businesses. But these same companies are struggling to find qualified people to fill vacant information technology and cyber security positions, largely due to a shortage of certified professionals (CCSP). The Financial Times recently reported that demand for cyber security experts across the globe is forecast to outstrip supply by a third by 2020. U.S. employers in the private and public sectors posted an estimated 313,735 job openings for cybersecurity workers between September 2017 and August 2018. That’s in addition to the 715,000-plus cybersecurity workers currently employed around the country. However, only about 85,000 professionals are CCSP certified.

Lack of Internal Controls and Routine Security Audits

Internal control procedures document transactions by creating an audit trail. They limit the actions of employees by requiring authorization, approval, and verification of selected transactions.  Without proper accountability, companies will be unable to validate who has access to what.

Security audits should be part of every organization, whether conducted by internal security audit teams or by external auditors supporting formal bookkeeping. The frequency of an audit (from once a quarter to once a week) depends highly on the organization’s type of business. These audit trails capture all aspects of the administration of access rights, from access requests through to changes in account details.

Lack of Employee Education

While the IT department can implement industry-leading email security solutions, it cannot be responsible for every employee each time he or she feels tempted to click an embedded link that managed to get through. According to the Verizon 2018 Data Breach Investigations Report, user error was a factor in 17% of breaches last year and continues to be a weak link that led to many of the compromises. Employees can represent a significant risk and liability when you consider that “phishing” will get hackers inside corporate gates 90% of the time, according to Verizon. Without creating awareness and providing a deeper understanding of best practices through cyber literacy, any threat mitigation tool or firewall is rendered useless.

Trace3 provides a deep portfolio of Security services offerings designed to help your organization implement effective programs and technical controls to grow faster, minimize costs, and operate your business efficiently and securely.