Establishing the First Steps of a Cybersecurity Program

Businesses are frequently confronted with a confusing array of seemingly solid (and sometimes contradictory) statistics. For example, the Identity Theft Resource Center (ITRC) Data Breach report states that there were 780 publicized data breaches in 2015. On the other hand, the 2016 Verizon Data Breach Investigations Report considers a worldwide 2015 data set of 100,000 data "incidents," of which 3,141 were "confirmed data breaches," with the majority of the breaches occurring in the U.S. An IBM/Ponemon Institute report (based on 383 companies in 12 countries) states that the cost per lost or stolen record was $158 and that data breaches cost the most in the U.S. ($221). Various reports and surveys also state that 71 percent of respondents' networks were breached in 2014; that 52 percent of respondents believed a "successful attack" was likely in 2015; that 74 percent of Chief Information Security Officers are concerned about employees stealing sensitive company information; and that only 38 percent of global organizations claim they are prepared to handle a sophisticated cyberattack.

Which of these statistics are trustworthy? Even more fundamentally, are any statistics reliable in the rapidly changing cybersecurity space? And, if no statistics are absolutely reliable, does this mean that businesses are justified in not acting to prevent cybersecurity incidents until there is more solid and consistent evidence?

Despite the sometimes contradictory nature of statistics, it would be a mistake to ignore cybersecurity. There are, of course, statistics to support that view as well! A study conducted by ISACA, a leading security organization, showed that 82 percent of security professionals stated that their boards of directors were very concerned about cybersecurity.
But notwithstanding these concerns (which are echoed in numerous surveys regarding cybersecurity awareness), there is also said to be a gap between general awareness of the problem and implementation of solutions, particularly on the part of small and medium-sized businesses (SMBs), which frequently are concerned about the cost of such implementation. Cisco reported in 2015 that a smaller percentage (29 percent) of SMBs were using standard patching and configuration tools for preventing security breaches than had done so in the prior year (39 percent), a troubling statistic given the increase in cybersecurity attacks. Moreover, the Cisco report also found that SMBs often do not have an executive in place who is responsible for security and that "nearly one-quarter do not believe their businesses are high-value targets for online criminals." Although SMBs may not see themselves as targets, as Cisco states, they "may not realize that their own vulnerability translates to risks for larger enterprise customers and their networks." Indeed, SMBs may be the weakest link in protecting the proprietary information of their clients, as exemplified by the fact that the massive Target breach was supposedly effected through an HVAC contractor.

A consistent message in the myriad of surveys and reports cited above is that cybersecurity threats continue to grow not only in number but in extent. Any business that has data of its own, stores or processes the data of others, or provides an access point to the data of a third party is a potential target for hacking and potential extortion. The reasons for this are clear. As the 2016 Verizon Data Breach Investigations Report indicates, 89 percent of phishing attacks are perpetrated by organized crime syndicates (often located abroad), who have the time, motivation

his clients' proprietary, personal, customer and employee information, and other sensitive data is fully protected and serves its intended purposes.
He is a United States and European Union Certified Information Privacy Professional and a Certified Information Privacy Manager.

1900 Avenue of the Stars, 21st Floor
Los Angeles, California 90067
310.553.0687 Fax
ttoohey@greenbergglusker.com