Most people use the internet every day and assume that it’s a “safe space.”

Many of us are overlooking very real and serious threats. Cyber attacks happen every day. They are more prevalent and costly than you may have previously understood them to be. When systems have to rely on “trust” between humans, things start to fall apart. We usually see this in the form of a data breach. These have proven to be a great roadblock for companies across industries.

For starters, on average, they cost companies millions.

1. They are Expensive

IBM Security and the Ponemon Institute released a joint study that assesses the impact of data breaches. It shows that the global average cost to a company from a data breach is $3.86 million. But this represents an average across all levels of data breaches. If 1 to 50 million records are lost, we consider this a mega breach. The costs of a mega breach can range anywhere from $40 million to $350 million.

Consider for a moment how intense that is. If your business is located in the United States, things are even worse for you. The average cost of a data breach in the United States is $7.35 million, which is almost double the global average. That being said, even the country with the lowest average data breach cost in the entire world (Brazil) is well above $1 million ($1.52 million).

You may be wondering if your company is at risk. The same report shares that the odds (globally) of an entity falling victim to a cyber attack could be as high as 25% if they are utilizing the cloud. Furthermore, a report by Oracle and KPMG shares that 90% of firms say that at least half of their data is ‘sensitive information.’

Data breaches are no joke. These are huge obstacles for businesses that will, on average, cost millions of dollars. But where are these attacks coming from? Let’s look at the next overlooked fact. Your company is likely being too loose when dealing with third-party vendors.

2. Third-Party Vendors Are A Serious Vulnerability

Bomgar released an insightful report about the vulnerabilities and security risks presented by third-party vendors. Consider a third-party vendor any external entity or application that your company gives network access to.

So how prevalent is this situation? The report shared that, on average, a company has 89 vendors accessing their company network every week. We’ve already seen that 90% of firms consider at least half of their data to be sensitive, so just how stringent are companies when allowing third parties to access their networks?

92% of respondents to this report said they trust vendors “completely or most of the time.” This implicit trust easily explains how up to 63% of all reported data breaches came from third-party vendors. According to AT&T, organizations on average spent $10 million responding to third-party breaches over 12 months. That data was from 2016. What’s scary is that the Bomgar report also shares that about three quarters of their respondents are expecting their companies to become even more reliant on these third-party vendors over the next two years. This does not bode well for the future of cybersecurity with regard to third-party vendors.

So what do these breaches look like? Remember the recent Target breach? Bomgar shares that the Target breach cost the company a whopping $252 million. So how did this happen? Target was relying on Fazio Mechanical Services (FSM) for contracting work on heating, ventilation, and air conditioning. FSM had access to some of Target’s networks. Someone at FSM had their credentials compromised, which allowed the attacker to gain access to Target’s networks, and the rest is history.

Having to “trust” third-party vendors is clearly a problem. Removing the need to trust them would be ideal. But if you did remove these outside vendors, would you still be safe? Unfortunately, we may not even be able to trust all of our own employees.

3. Internal Actors Are A Major Source of Data Breaches

In 2018, Verizon released their Data Breach Investigations Report. What they discovered is truly worrisome.

Over a quarter (28%) of all cyber attacks in 2018 involved insiders. This is a very serious problem. In fact, Verizon shared that 67% of responding security professionals are actively concerned with security threats that can come from internal actors.

When people have access to sensitive data, you can be sure that some will always favor malice over honesty. This is a larger problem in some industries than it is in others. For example, internal actors account for a larger share of data breaches in public and professional networks than they do in retail and educational networks. The largest area of internal breaches, however, is in the healthcare industry. 56% of healthcare data breaches came from the inside. Consider how unreliable humans can be. 13% of these internal healthcare data breaches were a result of ‘fun or curiosity’. An example of this is when a celebrity has recently been a patient and an employee wants to learn more.

But it’s not just malice or negligence. Humans are unreliable for the simple reason that they are not perfect. Humans make mistakes. In fact, human error was a factor in about 17% of breaches. Verizon provides three examples of common costly human error: failing to shred important documents, sending an email to the wrong person, or misconfiguring web servers. Have you ever forgotten to do something or messaged the wrong person? These errors are very understandable but unfortunately can have dramatic consequences.

But there are proper protocols and rules for employees to follow, right? The previously mentioned Oracle and KPMG report shares that 82% of cyber security leaders are worried that employees are not following cloud security policies. When you can’t trust humans, but you also can’t remove the humans, you have to remove trust from the equation.

So we’ve noticed things getting worse, and there is clear data to support the threats of cyber attacks from both internal and external actors. Are we collectively getting better or worse at dealing with these threats?

4. We’re Getting Worse at Cybersecurity Every Year

Ask yourself the following question: over the next few years, will the world be using more or fewer networks? Over the next few years, will data be more or less valuable?

Not many would posit that we are moving away from a world of sensitive data networks. But let’s consider how big this problem is today. In a study by ESG and ISSA, 70% of responding cybersecurity professionals said their organization had been impacted by the cybersecurity skills shortage. The threat of cyber attacks keeps growing, but what about our defense? Are companies gaining or losing cybersecurity skills?

The results from the ESG/ISSA study are shocking. Over time, ESG data has shown that we are simply getting worse almost every year. Consider the following table:

Perhaps a good explanation for this is that there is now greater awareness of the issue. In fact, in 2017 69% of organizations planned to increase spending on cybersecurity. Currently it appears that, though many are now noticing the threats of cyber attacks, the cybersecurity skills just aren’t there.

We’re lowering our cybersecurity skills while the frequency of cyber attacks is on the rise. OTA’s Cyber Incident and Breach Trends Report shares that in 2017, ransomware cyber attacks nearly doubled. Also consider the following graph from Statista. It shows the nerve-wracking growth of data breaches in the United States from 2005 up to the first half of 2018.

Data breaches are happening at an unprecedented rate, yet companies continue to report a greater shortage of cybersecurity skills almost every year. This is a recipe for disaster, and we can only hope that future cybersecurity plans will be able to hold up to the challenge.

Conclusion

Whether it’s from internal actors or third-party vendors, most of these attacks come from some poor management of permission access controls. Many of these attacks boil down to “who” can access “what” data. Anytime your network is forced to “trust” another person, you find yourself in a less-than-ideal situation. Fortunately, modern-day cryptography allows us to create trustless systems.

If you think your business is at risk or in need of greater cybersecurity skills, feel free to contact us. At Mimir, we use the latest in cryptographic and distributed ledger technology to provide security solutions to businesses across industries. We offer a free consultation and exploratory call, and if you decide you want to use more secure systems, we’ll help you build them.

You can reach our team at contact@mimirblockchain.solutions or contact one of us personally:

John Licata, CMO: johnlicata@mimirblockchain.solutions

Mustafa Inamullah, Creative Director: mustafa@mimirblockchain.solutions

You can also review our consulting offerings and submit a contact form directly on our website at mimirblockchain.solutions.

Author: This piece was created in collaboration between John Licata and Mustafa Inamullah