Who'd want to be a CISO?

Challenging job, but increasingly well paid

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Security and the Board Need to Speak the Same Language

How security leaders speak to their C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effective

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

The Cost of a Data Breach

According to the IBM / Ponemon 2020 Cost of a Data Breach Report, data breaches cost businesses an average of $3.86 million per incident. The report is based on 524 companies that experienced data breaches globally. Unsurprisingly, the U.S. continues to have the highest average cost per breach ($8.64 million), while Brazil has the lowest one ($1.12 million).

The cost of a data breach includes losses such as lost business, legal fees, and compensation and restitution to affected customers. It also includes rising cyber investigation expenses and fines for compliance failures. According to the report, four main areas drive this growing cost:
  • Detection, escalation, and investigation, incident handling, etc.
  • Lost business with customers and partners
  • Notification of affected parties, partners, and regulatory authorities
  • Cleanup and response including the remediation of vulnerabilities that should, in retrospect, have been fixed long before the breach

These sums do not include the cost of reputational damage, nor do they include business lost permanently because partners and customers lose confidence. Some of those partners and customers may themselves have been significantly damaged by the cybersecurity incident, or by the attacked company's failure to deliver on its contractual agreements during the incident.

Nor do these figures include the expanded costs of investigating and cleaning up a distributed 'remote' workforce, as has become common under COVID restrictions in 2020. The report concludes that in such cases the average cost rises to over US$4 million.

According to the study, the average time to identify and contain a breach is 280 days: 207 days to identify the problem and 73 days to contain it. This indicates that most organizations do not have effective 24/7 security operations monitoring or incident response capabilities, and that many incidents go unnoticed until a regulator intercedes by investigating a discovered breach of non-public data.

While cyber-forensic investigation is not cheap by any means, the greatest cost of a breach to a business is lost business, the report claims, which represents about 40% of the total average cost of a data breach. In other words, of the average $3.86 million that a breach costs, around $1.5 million is linked to loss of revenue and customers.

Most importantly, however, the report points out that security breaches directly affect the company's reputation, damaging the brand and impacting the acquisition and retention of business. While some consumers may be extremely fickle, chasing the best deal regardless of the breach, others may be lost forever.

Healthcare

While all industries are affected by data breaches, the costs of a healthcare breach far exceed those of all other verticals. It is perhaps the combination of a rich and diverse source of data (PHI, PII and IP) found in hospitals and clinics, and the regulatory protections enforced under law, that makes healthcare a particularly expensive breach proposition. The healthcare industry's breach lifecycle is also longer, averaging about 329 days compared to the overall average of 280 days, which leads to higher costs. At the same time, healthcare spends less on cybersecurity than most other industry verticals, and so is an easy target for cyber criminals and pariah nation states given its relative lack of preparedness.

“Healthcare is a highly regulated industry and faces a lot of regulatory burdens when it comes to remediation of a breach, and there are a lot of additional costs with medical records compared to other types of record,” claimed Charles Debeck, senior threat analyst at IBM X-Force IRIS.

While rising CEO Fraud, or Business Email Compromise (BEC), accounted for 5% of malicious breaches, the average cost of a ransomware breach was a staggering $4.44 million. Though the average cost of a breach is relatively unchanged from 2019, IBM says the costs are getting smaller for prepared companies and much larger for those that don't take any precautions.

"If you dig deeper into the data, what we saw was an increasing divergence between organizations that took effective cybersecurity precautions versus organizations that didn't," claimed Debeck.

“This divergence has been increasing year over year; the organizations that are engaging in effective cybersecurity practices are seeing significantly reduced costs, and the organizations that aren't engaging in these same practices are facing significantly higher costs,” he added.

"Given the massive size of recent GDPR fines, OCR penalties, and state breach rules, most of which are not reported in time, it undoubtedly makes a lot more sense to invest in security up front, rather than to throw the dice and take a chance that it won't be you that gets hit with a cyber incident," claimed Richard Staynings, Chief Security Strategist with Cylera, a pioneer in the security of medical and HIoT devices. "The problem is, that in healthcare, most HIPAA Covered Entities have at best, only a partial appreciation of where their PHI data resides. Most don't consider the thousands of medical devices on their networks, or what data resides on each of those devices. Now that HIoT devices outnumber IT endpoints such as workstations, laptops and servers, healthcare IT and security teams are often looking in the wrong places for risks and vulnerabilities," he added.

Read the full Ponemon Report for details.

This article was first published at cylera.com

Tweens and Technology

Cybersecurity interns and entry level recruits aren't dropped off by the stork - they need to be nurtured!

I have written much about the need to better equip the children of today for the jobs of tomorrow, particularly when it comes to building a knowledgeable and capable cybersecurity workforce. The Cisco Annual Cybersecurity Reports, and many other organizations with a vested interest in ensuring a good pipeline of entry level recruits, have been highlighting the gap between available resources and cybersecurity job openings for many years now. Despite their best efforts, and those of many others, the gap between demand for cybersecurity professionals and the available supply appears to be getting larger each year.

This is not because our cyber and technology-equipped school leavers aren't increasing in number or in the depth of their skills, but because those numbers are not increasing fast enough to keep pace with demand.

A lot of children are also being left behind, starting school with little to no exposure to math, sciences or technology. Many lack a computer at home or any form of access to the Internet until they reach school age, by which time they are well and truly left behind. Many children today learn the basics of computing and technology at 2 or 3, at or before pre-school. They arrive in kindergarten with the know-how to operate a computer, engage in educational games and other learning content, and will be on their way to basic programming by second or third grade. Starting early appears to be critical to success in life, and with technology as perhaps the critical pillar for academic study, work, and success after school, who can blame parents for wanting their children to be given every opportunity for development and future success?

But many children are disadvantaged by poverty, unequal access to education, and parents working three jobs who are therefore unable to spend time with their offspring at a critical stage of their development. This is where Tweens and Tech comes into play, providing educational technology-based summer camps and free computers to primary and middle school children in the Raleigh-Durham area of North Carolina. But Tweens and Tech provides much more than that, so please read their words on their website rather than mine on this one. It is a great organization performing a worthy and noble cause, and one that is replicating quickly in other states across the country.

Today I was pleased to join a Fireside Chat with Dr. Anindya Kundu, a Senior Research Fellow at the City University of New York who has written extensively on early childhood development; Rob Martin from Cisco, who helped start the Tweens and Tech organization with its founder Derrick Thompson; and two participants of the program, one a current student, the other a graduate of the program and now a teen volunteer.
Watch the video recording of our discussions below: