Data breaches: are warnings going unheeded or are companies struggling to implement effective cyber defences?
Back in 2015, we wrote a blog on a PwC survey that found that 90 percent of large organisations reported a security breach during the previous year and that the average cost of a breach could be as high as £3.14m. We also highlighted some of the key IT disasters businesses should be prepared for.
In the fast-paced IT environment, where so much changes quickly, particularly in the past year of pandemic chaos, what has changed in the past six years or so, and have we learnt any lessons?
Cost of a breach
The PwC report from 2015 suggested that the average cost of a breach from the previous year could be as high as £3.14m. The IBM Cost of a Data Breach report, which came out in 2020, shows that the cost of a breach is rising all the time. The average cost is now a staggering $3.86m, but could be as high as $8.64m (in the US).
The cost of a data breach is continually growing. Some of this cost can be made up, but damage to reputation is almost incalculable, and it will take years for a reputation to return to the same level.
Mainstream media is now also much more aware of data breaches, and where in 2014 a breach might make the middle of the paper, it is now very often front-page news, exacerbating the reputational damage. Customers are also much more aware of the value of their own data and the potential consequences if a bad player gets their hands on it. High profile regulation such as GDPR has done much to increase this awareness and therefore, customers are much more informed than they once were.
The main threats
What types of threats are giving criminals access to the data?
Previously we identified four common ‘IT disasters’ that companies should be preparing themselves for.
- Careless employees
- Phishing scams
- Data loss
- Hardware failure
After six years of high-profile hacks, have the security threats to businesses changed or are criminals using the same routes to gain access to valuable data and infrastructure?
In 2020 Forbes produced a list of the key data security risks every business should address. Its 14 points included:
- Insider Threats
- Social Engineering Vulnerabilities
- Data Loss
- Misconfigured Cloud Servers
According to Forbes, the threats remain more or less the same, with employees, phishing, data loss and server failures/misconfiguration all still the main threats to enterprise businesses. The methods and routes that criminals are taking have remained largely unchanged and yet the cost of a breach has increased significantly. There is obviously a mismatch here.
Why are companies not closing the gaps?
Undoubtedly, the landscape of cybercrime has got more complicated over the years. Criminals are using more sophisticated methods to gain access to systems and, on the whole, companies have been unable to keep up. However, some companies are seemingly unable to implement even some basic tasks that can make a big difference to security levels.
In our last blog, we discussed how many companies are not installing patches and updates that can close vulnerabilities to known threats. Some have not patched for years, leaving themselves wide open to attack. The last year has also added new complications to the cybersecurity landscape, with workforces working from home. This has seen criminals up their efforts to take advantage of the situation, but essentially many are still using the tactics of phishing attacks and trying to take advantage of ‘careless employees’.
You are not on your own
Closing vulnerabilities may seem like a daunting task to some. For companies with a small IT team it might even seem impossible, but many are turning to managed services consultancies. This leaves IT management, including cybersecurity, in the hands of a 24/7 team that is able to ensure that patches are installed and vulnerabilities closed and that, if a cybercriminal gains access, can rapidly respond to the situation, giving companies real peace of mind.
There is more good news. Since 2015, the number and sophistication of tools available to companies to counter cyberattacks have increased dramatically. Now, using the latest innovative technology, solutions are able, amongst other things, to intelligently identify potential phishing attacks, monitor entire supply chains for potential vulnerabilities in third parties, and monitor for unusual activity within systems.
While it is clear that the cost of a breach is only going to continue increasing and that the basic vulnerabilities that allow criminals in remain the same, companies now have access to a huge set of Data Security Solutions and partners to help them counter the threat.