Businesses Bolster Defenses as Data Breach Concerns Grow

More than three-quarters (77%) of IT decision makers are concerned about the likely risk of a data breach within the next three years, according to an Adastra report. 

The survey of 882 IT professionals throughout the United States and Canada, conducted by Forum Research, revealed organizations continue to bolster their cybersecurity defenses to counter this risk.

Nearly seven in 10 (68%) have already created a cybersecurity department and another 18% are in the process of doing so. Just 6% said they have no cybersecurity department.

Mika Aalto, co-founder and CEO at Hoxhunt, said most security leaders today accept that data breaches are a question of when, not if, because most have responded to an incident within the past few years.

“The ‘It could never happen here’ mentality disappears when data breaches, usually from phishing attacks, are literally happening everywhere, in every industry, to companies of all sizes,” he added. “What’s important now is for executive leadership—CEOs and Boards—to have that same sense of urgency as infosec leaders.”

Mitigating Human Risk

Aalto says CEOs need to collaborate more with CISOs and foster a security culture where human risk—which is by far the greatest source of risk—is actively measured, managed and mitigated.

Scott Scher, senior cyber intelligence analyst at Intel 471, said the fact that three-quarters of survey respondents are worried about a data breach showed that the rising awareness of data breach threats is having a significant impact on the minds of IT decision makers.

“This makes sense as organizations that suffer a data breach have legal obligations to report the incident to a number of regulatory and government bodies,” he notes. “They also typically have a duty to warn customers or individuals whose data may have been compromised. Both of which tend to be very high profile and can be extremely expensive.”

From Scher’s perspective, data security needs to become a forethought rather than an afterthought for organizations, similar to the concept of security-by-design on the software and hardware side of things.

“Organizations must begin implementing data security practices into their business plans, programs and policies at the design stage,” he says. “Organizations should be well aware of all the necessary tools and resources needed to properly prepare to defend themselves against data breaches.”

The question comes down to whether these have been implemented fully and properly.

Defending Against a Data Breach

“The best way for organizations to defend against data breaches is through basic cybersecurity hygiene and defense-in-depth practices,” Scher says. “Organizations that have implemented these practices likely will be highly prepared for preventing data breaches.”

Mike Parkin, senior technical engineer at Vulcan Cyber, points out preparedness “varies wildly” between organizations, sometimes without any correlation between size, budget and how long they’ve been in business.

“We’ve seen some major, mature organizations suffer devastating consequences from a breach, while some small businesses and startups can shrug off a series of attacks with no ill effect,” he said.

He added that user training can be something of a challenge, since not everyone learns the same thing the same way.

“For some people, straight lecture and test is fine. For others, turning training into a game will have better results,” Parkin said. “Fortunately, there are many options available and organizations can use a mix of methods throughout the year.”

What they shouldn’t do, he advised, is rely on a yearly “train and test” scenario and assume people have absorbed the information and are acting on it.

“Security needs to be a mindset, not just a compliance checkbox,” he said. 

Aalto explains the attack surface expands exponentially when individual employees and outsourced business functions are working out in the wild on multiple devices, any one of which can be transformed by a threat actor into a weak link into the system with one bad click. 

“Security teams can mitigate that risk by adding capabilities such as endpoint detection and response, auto-updates and patching, MFA, and zero trust practices,” he said. “But ultimately it comes down to hardening the human layer, so people can catch sophisticated attacks that evade all the cybersecurity technology layers.”

Scher notes the shift to work from home (WFH) and distributed workforces has complicated data security efforts because it has expanded an organization’s attack surface beyond its typical controlled environment.

“Ensuring proper data security is increasingly difficult when an organization does not have complete visibility into things like home internet networks and personal devices,” he said. 

Parkin points out people have been working from home for years and were talking about there really being no perimeter long before COVID-19 led the massive shift to remote work.

He added that the pandemic changed organizations’ mindset from “some small proportion of our people work from home” to “no one’s in the office unless they absolutely have to be,” and while it’s shifting back, remote work is a reality now.

“It has presented a lot of challenges for security operations,” he said. “There is a lack of visibility into and control over what equipment users have and where they are using it. That’s led to a lot of headaches for the operations team.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
