THE PRIMERUS PARADIGM
Overcoming Statistical Overload:
Establishing the First Steps of a
Cybersecurity Program
In the cybersecurity realm, businesses are
frequently confronted with a confusing
array of seemingly solid (and sometimes
contradictory) statistics. For example, the
Identity Theft Resource Center (ITRC) Data
Breach report states that there were 780
publicized data breaches in 2015. On the
other hand, the 2016 Verizon Data Breach
Investigations Report considers a worldwide
2015 data set of 100,000 data "incidents,"
of which 3,141 were "confirmed data
breaches" with the majority of the breaches
occurring in the U.S.
An IBM/Ponemon Institute report (based
on 383 companies in 12 countries) states
that the average global cost of each lost
or stolen record was $158 and that data
breaches cost the most in the U.S. ($221).
Various reports and surveys also state
that 71 percent of respondents' networks
were breached in 2014; that 52 percent of
respondents believed a "successful attack"
was likely in 2015; that 74 percent of
Chief Information Security Officers are
concerned about employees stealing
sensitive company information; and that
only 38 percent of global organizations
claim they are prepared to handle a
sophisticated cyberattack.
Which of these statistics are
trustworthy? Even more fundamentally,
are any statistics reliable in the rapidly
changing cybersecurity space? And, if no
statistics are absolutely reliable, does this
mean that businesses are justified in not
acting to prevent cybersecurity incidents
until there is more solid and consistent
evidence?
Despite the sometimes contradictory
nature of statistics, it would be a mistake
to ignore cybersecurity. There are, of
course, statistics to support that view as
well! A study conducted by ISACA, a
leading security organization, showed
that 82 percent of security professionals
stated that their boards of directors were
very concerned about cybersecurity. But
notwithstanding these concerns (which
are echoed in numerous surveys regarding
cybersecurity awareness), there is also said
to be a gap between general awareness
of the problem and implementation of
solutions, particularly on the part of small
to medium-sized businesses (SMBs), which
frequently are concerned about the cost
of such implementation. Cisco reported in
2015 that a smaller percentage (29 percent)
of SMBs were using standard patching and
configuration tools for preventing security
breaches than had done so in the prior
year (39 percent), a troubling statistic
given the increase in cybersecurity attacks.
Moreover, the Cisco report also found that
SMBs often do not have an executive in
place who is responsible for security and
that "nearly one-quarter do not believe
their businesses are high-value targets for
online criminals."
Although SMBs may not see themselves
as targets, as Cisco states, they "may
not realize that their own vulnerability
translates to risks for larger enterprise
customers and their networks." Indeed,
SMBs may be the weakest link in
protecting proprietary information of their
clients, as exemplified by the fact that the
massive Target breach was supposedly
effected through an HVAC contractor.
A consistent message in the myriad
of surveys and reports cited above is that
cybersecurity threats continue to grow
not only in number but in extent. Any
business that has data of its own, stores or
processes the data of others, or provides
an access point to the data of a third
party, is a potential target for hacking and
potential extortion. The reasons for this are
clear. As the 2016 Verizon Data Breach
Investigations Report indicates, 89 percent
of phishing attacks are perpetrated by
organized crime syndicates (often located
abroad), who have the time, motivation
North America - United States
Timothy Toohey
leads Greenberg Glusker's
cybersecurity practice, working to assure that
his clients' proprietary, personal, customer
and employee information, and other sensitive
data is fully protected and serves its intended
purposes. He is a United States and European
Union Certified Information Privacy Professional
and a Certified Information Privacy Manager.
Greenberg Glusker
1900 Avenue of the Stars, 21st Floor
Los Angeles, California 90067
310.734.1965 Phone
310.553.0687 Fax
greenbergglusker.com
ttoohey@greenbergglusker.com