Research conducted by the Irish Computer Society has revealed that Irish firms are increasingly becoming the victims of external hacking incidents: more than half of the 200 companies surveyed admitted to having had a data breach in the prior 12 months, and 1 in 5 had been the target of malicious external attacks.
Only 1 in 5 had no incidents to report.
Risk factors exposed
Possible clues as to the reasons behind the high incidence of data breaches are revealed within the very same survey: 1 in 3 companies had no corporate data breach policy; half of the firms’ staff are poorly trained for data breaches; only 2 in 5 have internal sanctions for non-compliance with data protection rules; and most (!) had no guidelines on securely transferring data outside the country, even though most of them undertook it
When asked about the primary threat they faced in keeping sensitive information secure, 20% of companies cited ‘negligent employees’. Pretty damning compared to the expected greatest threat – hackers – which came in at 14%, followed by loss of unsecured devices (12%), and unsecure third parties (10%).
Worldwide trends
The notion that businesses are being hit harder and more frequently than in previous years is confirmed by the US-based Ponemon Institute’s latest global benchmark survey: in 2014 there were 1.7 cyberattacks per company per week (that’s 1 every 4 days); in 2013 there were 1.4 attacks per week; and 1.3 per week in 2012.
One point of difference with the Irish survey is noteworthy, however: only 2% of Irish firms consider malicious insiders as their greatest threat, and yet in the Ponemon survey, 35% of attacks originated from this category. Irish bosses, take note.
Ponemon also noted the costly repercussions of a breach: in the US, the average cost of a data hack is a staggering $12.7 million (£8.2 million); in the UK it’s $5.6 million (£3.6 million). Business disruption (including fines, legal action, and value of stolen intellectual property) was cited as the single most costly external element; information loss was 35%, and revenue loss 22%.
Learning from others’ mistakes
There’s a common pattern to the measures undertaken by companies who have suffered major breaches, and which can serve as a useful template for preventing them: revisions in endpoint security, greater use of encryption, engagement of expert security staff, and improvements in data governance.
The latter includes the training of employees and increasing their awareness of how their everyday actions can compromise not only the company’s systems but its very future. Indeed, the simple act of failing to promote secure password behaviours amongst employees may be a company’s most costly mistake: the not-for-profit Online Trust Alliance (OTA) placed the enforcement of an effective password management policy at the top of a list of 12 critical practices.
In its most pared down form, an effective password management policy should state that employees must use strong, unique passwords i.e. a minimum 15 characters with added complexity in the form of numbers, special characters, symbols, and mixed cases, and which are unique to each and every online account.
Building strong passwords can actually be fun (try any strength meter), but remembering them isn’t; this is why employees end up storing them insecurely. Signing up for a password management service is the safest option for storing them as it means employees need remember only a single phrase to access them.
Problem 0-1 Opportunity
Chilling statistics from institutions like the Irish Computer Society and Ponemon Institute should be welcomed with open arms, not quickly passed over with eyes averted, breath held and fingers crossed...
Behind every problem is an opportunity to re-assess, make change, and ultimately strengthen, because preventing a data breach has got to be a better outcome than dealing with the aftermath.
If you are worried about your company being hacked you can download your free guide here