Cybersecurity Threats by Industry Sector
Cybersecurity threats remain a significant concern for organizations in every sector. IBM’s 17th Cost of a Data Breach Report provided insights in to the nature of the threat environment in 2021. This report provides an assessment of risks and strategies for protecting data and responses to data breaches.
Among its findings the report found that the average cost of a data breach rose by nearly 10% in 2021. These costs were generally higher in organizations that did not have mature cyber security programs. The average cost of a breach was 4.24 million dollars. These costs were found to be higher in incidents where remote work was a cause of breach.
Healthcare remained the industry sector with the highest cost per breach for the eleventh straight year. The cost of cyber attacks rose significantly in the public sector, rising by 29.5% to an average cost of 9.23 million dollars per incident. The energy sector saw a sizable decrease in those same costs which is encouraging as this industry is a part of the critical infrastructure.
The length of time required to identify and contain data breaches averaged 287 days. It was noted that longer incident response times led to more expensive cyber incident costs. Contributing factors in the length of time for containment were the type of attack, types of Artificial Intelligence (AI) security measures, and cyber program maturity.
Organizations that utilized fully deployed security AI systems experienced an 80% reduction in breach costs as compared to organizations that failed to. This would justify the continued increase of implementation of AI security.
Hybrid Cloud Environments
Hybrid cloud systems incorporate public and private cloud services with on-premises infrastructure. As would be expected, organizations with larger cloud presence had higher costs associated with breaches. While hybrid cloud systems tend to be safer than strictly public cloud systems, marked differences in costs associated with the maturity of their system management was noted.
Types of Data Compromised
Customer Personally Identifiable Information (PII) and Intellectual Property were among the record types that had the greatest amount of compromise. Employee PII was high and comprised 26% of the total. When assessing the real costs of data loss it is difficult to surmise the loss of trust in an organization from customers, partners, and employees. These incidents result in damage to an organization’s reputation and can diminish important relationships.
Prominent Cybersecurity Threat Attack Vectors
Cyber criminal methods have remained consistent. Some of the familiar attack vectors were compromised credentials, phishing attacks, and attacks allowed through cloud misconfiguration. Malicious insiders, vulnerabilities in third party software, and social engineering attacks have also continued to be strong security risks. Business email attacks were smaller in number, comprising 4% of attacks, but accounted for the highest average total cost per incident at just over 5 million dollars.
Zero Trust Strategies
The zero trust framework assumes that an organization’s information security is always at risk from both external and internal threats. It thereby relies on continuous validation of data, users and resources by means of AI. These strategies are usually employed by organizations with more mature information security management systems. Indeed only 20% of organizations that were part of the study had fully deployed a zero trust system.
It was found however that the cost of data breach was significantly less, over 42% less, for those who had employed zero trust methodologies. This is encouraging because another 37% of organizations are planning for full or partial implementation of zero trust policies.
Cybersecurity Threats are Avoidable
Most cybersecurity incidents are preventable and can be mitigated through simple and common-sense approaches to improving security. A 2020 study from the Ponemon Institute found that 51% of organizations surveyed had experienced a significant business disruption in the last two years. This annual report, titled the Cyber Resilient Organization Report also found, that organizations that incorporated an enterprise wide Cybersecurity Incident Response Plan (CSIRP) had half the number of incidents.
Having a plan is important. For that plan to be effective it must be based on a reasonable assessment of an organization’s specific information security risks. Furthermore, that plan must undergo regular review to both the threat profile, and the policies, processes, and procedures to counter the changes in threat.
Continuing assessment is particularly important in the cybersecurity arena because new threats are constantly emerging. Additionally as new information technologies are introduced they create new vulnerabilities. Institutionalizing risk management allows an organization to develop and maintain cybersecurity programs that can evolve to meet the changing nature of cybersecurity threats.
An ISMS requires an information security incident management to anticipate and respond to information security breaches. It requires a regular and systematic internal audit to review that management. ISO 27001 also requires the implementation of training and awareness throughout the organization to create a code of practice.
An effective ISO 27001 Information Security Management Systems (ISMS) is an excellent solution that involves all segments of a business to ensure that processes are in place to protect sensitive information. The basis of ISO 27001 requires ongoing risk assessment and asset management.
CVG Strategy Information Security Management Consultants
CVG Strategy ISO 27001 consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). Because our team of experts bring extensive experience and deep information security process control expertise (including certifications as Exemplar Global Lead Auditor ISO/IEC 27001:2013 Lead Auditor) we can help you achieve ISO/IEC 27001 certification on time and on budget.
We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more. Contact us to learn more. We are also ready to help businesses involved in Controlled Unclassified Information (CUI) ready themselves for Department of Defense (DoD) CMMC requirements.