Study Shows Half of Businesses Fail to Change Cybersecurity Strategy Even after a Cyberattack
Cybersecurity inertia, the failure to learn from past cyberattacks, puts not just critical data at risk but also your organization’s whole IT infrastructure and assets.
According to the CyberArk Global Advanced Threat Landscape Report 2018, almost half (46%) of businesses fail to substantially change their cybersecurity strategy even after experiencing a cyberattack.
“Attackers continue to evolve their tactics, but organizations are faced with cyber security inertia that is tipping the scales in favor of the attacker,” said Adam Bosnian, executive vice president, global business development, CyberArk.
The CyberArk survey, conducted in fall 2017 among 1,300 IT professionals, cybersecurity decision-makers and business owners across seven countries, found that cybersecurity inertia has overwhelmed many organizations, leaving them unable to repel or contain cyberthreats. The survey produced the following disturbing findings:
1. Series of Cyberattacks
Forty-six percent of the respondents said their organization can’t prevent attackers from breaking into internal networks every time they try.
Ransomware is a type of malware that blocks access to a computer, typically by encrypting its files, until a ransom is paid. Paying the ransom without overhauling your organization’s cybersecurity measures doesn’t guarantee that your organization won’t be attacked again: the weakness the attackers used to get in is still there, and ransomware is often used to plant other malicious software (malware) in your organization’s networks that survives the payment.
2. Weak Cybersecurity Measures
Forty-two percent of business leader respondents said they store passwords in a document on a company PC or laptop, and 21% keep credentials in a notebook or filing cabinet.
3. Lack of Transparency
Fifty percent of the respondents said their organizations didn’t fully inform customers when their personal data was compromised in a cyberattack.
This finding shows that similar behaviour by companies such as Yahoo and Uber is just the tip of the iceberg. In the case of Uber, the company tried to hide a data breach affecting 57 million riders and drivers that occurred in October 2016.
Overcoming Cybersecurity Inertia
Cybersecurity inertia, the failure to substantially change cybersecurity strategy after a cyberattack, needs to be overcome due to the following reasons:
1. Canada’s Digital Privacy Act
Businesses based in Canada soon won’t be able to sweep data breaches under the rug once the Digital Privacy Act is implemented. This law, passed in June 2015, amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). It requires businesses to report breaches of security safeguards to the Privacy Commissioner and to notify the individuals affected. An organization that knowingly fails to report a breach may be liable for a fine of up to $100,000.
The enforcement date for the Digital Privacy Act is still undetermined, pending the release of the law’s regulations. On September 2, 2017, the Government of Canada published the proposed “Breach of Security Safeguards Regulations” in the Canada Gazette. This signals the imminent implementation of mandatory data breach reporting under Canada’s Digital Privacy Act.
2. EU’s General Data Protection Regulation (GDPR)
The implementation of the GDPR data privacy law on May 25, 2018 is another reason for businesses to overcome cybersecurity inertia.
GDPR impacts not just businesses based in the EU, but also businesses based outside the EU that process personal data of EU residents. Under GDPR, businesses can no longer hide data breaches. The law requires that a breach be notified to the supervisory authority within 72 hours of the organization becoming aware of it. Failing to notify falls under the lower of GDPR’s two fine tiers: up to €10 million or 2% of annual global turnover, whichever is higher. The upper tier, up to €20 million or 4% of annual global turnover, applies to violations of the core principles, such as unlawful processing or ignoring data subjects’ rights.
Article 25(2) of GDPR states:
“The controller [organizations processing personal data of EU residents] shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
According to Imperva Incapsula, the following organizational measures are required to be compliant with Article 25 of GDPR:
- Personal data should be anonymized or pseudonymized
- Personal data shouldn’t be stored in spreadsheets and other files in a local folder or in a cloud application such as Dropbox, Google Drive or Microsoft’s OneDrive
- Restrict email archive access to a small number of privileged users and monitor their activity
- Encrypt emails containing identifiable personal data
- Protect personal data at rest, in transit and in use
- Formulate and enforce policies about using bring-your-own-device (BYOD) hardware to access secured data
- Implement policy reviews, staff training, internal audits of processing activities and documentation of compliance
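The first two measures above, pseudonymization and data minimization, are the ones most often done badly in practice: a bare SHA-256 of an email address is not a pseudonym, because anyone who can enumerate likely addresses can reverse it. The example below is added here to show the difference; it is not code from the CyberArk report, Imperva Incapsula or GenX Solutions. The customer record, the field names and the purpose-to-field mapping are assumptions made up for the illustration.

```python
"""Pseudonymize and minimize a customer record for a specific purpose.

Added example (not from the page's sources). The record, field names and
PURPOSE_FIELDS mapping are constructed assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample record: a fictitious person, not real data.
SAMPLE_RECORD = {
    "full_name": "Alice Example",
    "email": "Alice@Example.com",
    "phone": "+1-416-555-0100",
    "date_of_birth": "1980-01-01",
    "postal_code": "M5V 1A1",
    "last_order_total": 42.50,
}

# Assumed: the fields each processing purpose genuinely needs (Article 25
# data minimization). Everything else is dropped before the data moves on.
PURPOSE_FIELDS = {
    "order_analytics": ("postal_code", "last_order_total"),
    "marketing_email": ("email",),
}


def _normalize(value: str) -> bytes:
    # Same person, same token: strip whitespace and case before hashing.
    return value.strip().lower().encode("utf-8")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256).

    Records stay joinable within one dataset, but the token cannot be
    reversed or even checked against a guess without the key.
    """
    return hmac.new(key, _normalize(value), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain hash is reversible by dictionary attack."""
    return hashlib.sha256(_normalize(value)).hexdigest()


def minimize(record: dict, purpose: str, key: bytes) -> dict:
    """Keep only the fields the purpose needs and replace the direct
    identifier (email) with a keyed pseudonym as the subject id."""
    allowed = PURPOSE_FIELDS[purpose]
    out = {field: record[field] for field in allowed if field in record}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def guess_email(token: str, candidates: Iterable[str],
                key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack on a token. Without the key the attacker can only
    try unkeyed hashes, which match a bare SHA-256 but never an HMAC."""
    for candidate in candidates:
        trial = pseudonym(candidate, key) if key else unkeyed_hash(candidate)
        if hmac.compare_digest(trial, token):
            return candidate
    return None


def new_key() -> bytes:
    """Fresh 256-bit key; store it apart from the pseudonymized data."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    analytics = minimize(SAMPLE_RECORD, "order_analytics", key)
    print(analytics)  # postal_code, last_order_total, subject_id only

    candidates = ["bob@example.com", "alice@example.com"]
    print(guess_email(unkeyed_hash(SAMPLE_RECORD["email"]), candidates))
    print(guess_email(pseudonym(SAMPLE_RECORD["email"], key), candidates))
```

Two caveats a practitioner should keep in mind. First, pseudonymized data is still personal data under GDPR, because whoever holds the key can re-identify the subject; anonymization, which removes that possibility entirely, is the stronger claim and the harder one to make honestly. Second, use a different key per dataset or purpose, so that a token leaked from the analytics export cannot be joined against the marketing list.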
Overcoming cybersecurity inertia requires top-down leadership. Cybersecurity is often seen as the task of the IT department, but executives play a key role in warding off attackers, not least because many phishing attempts target company executives directly.
In phishing, an attacker attempts to gather personal and financial information by sending an email that appears to come from a trusted source. The email directs the recipient to a website where they are asked to update personal information, for instance to change a password. The website is bogus, set up only to capture the credentials or other critical information the recipient types in.
Top-down leadership is a must to solve the cybersecurity inertia issue. According to the CyberArk report, senior figures “must take responsibility and be accountable for cyber security within organizations of all kinds if the awareness gap we face is to be effectively addressed with more robust and widely understood security policies.”
In May 2014, Target CEO Gregg Steinhafel stepped down in the aftermath of the company’s massive 2013 breach. In September 2017, Equifax CEO Richard Smith similarly resigned after a massive hack.
As organizations become increasingly digital, their attack surface expands with them. Cybersecurity is no longer the sole responsibility of the IT department; it has become a shared responsibility.
At GenX Solutions, we take your information security very seriously and have the expertise necessary to secure your assets today. Call us at (416) 920-3000 to learn more and book your free assessment.