The results of a survey of 200 CEOs conducted by RedSeal and published in December 2016 make it clear that more than 80 percent of the CEOs surveyed display “cyber naiveté,” leaving their global organizations exposed to massive cyber attacks. In spite of increasing spending on cybersecurity infrastructure, losses from cyber crime have been growing at twice the rate of current spending to prevent it. Obviously, while a lot of spending is taking place, it is not producing the desired effect. Simply put, whatever companies are doing to shore up their defenses, it is not enough.
So here are some interesting data points.
- In AT&T’s annual cybersecurity threat report, they find that over 90 percent of cyber crime is preventable.
- Estimates by IDC indicate that investments in cybersecurity infrastructure are expected to grow to over $101 billion by 2020.
- Yet PricewaterhouseCoopers, in its 2015 Global State of Information Security Survey, projected that losses from cyber attacks will jump from $500 billion in 2014 to more than $2 trillion in 2018.
If most attacks are preventable, and investments to prevent them are increasing, and yet the losses continue to mount, something is clearly amiss. A significant part of the answer also comes from the PwC report, which indicates that employees are the most-cited culprits of incidents. These incidents generally fall into one of three categories:
- Carelessness: This might be losing a laptop, memory stick or smartphone, or plugging in a memory stick found in a public place in the hope of identifying the owner.
- Malfeasance: An employee stealing data for sale, or someone with a personal or philosophical grudge against the company planting malware or a virus.
- Duped: While somewhat related to carelessness, this category deals more with people falling prey to spear phishing or whaling schemes, or other socially engineered attacks such as phone scams.
So while much effort and money is necessarily being spent on perimeter defenses, more also needs to be done on internal defenses. Where employees are careless or duped, cybersecurity training and awareness programs need to be implemented that keep pace with the threat landscape. For years, many companies have relied on a traditional annual review of “safe computing standards” for their employees, but this is no longer sufficient. This type of training program increases awareness for a short period of time, but then gradually loses its effect. It is also subject to a lag of up to a year before new or updated threat vectors come into focus. With no quantitative means of measuring its effectiveness, this approach is very limited and not highly effective.
Companies today need to research cybersecurity training programs that are continuous and that incorporate qualitative measurements to demonstrate effectiveness. The goal is no longer just increased awareness of what attackers were doing last year, but effecting long-term behavior change based on what attackers are doing today! Keeping employees attentive to the threats, and providing them with the skills and tools to deal with those threats, will help prevent cyber attacks on your company. Your people can be the best first line of defense, or they can be the weak link in your chain. The choice is yours, but the good choice will not just happen – you need to make it happen!