The digital world we have created for ourselves is inherently risky. Every time you open your web browser or click on an email attachment, you take on risk. The more we rely on digitally connected networks, the more likely it is we will experience a cyberattack. Every network connection you create within your IT estate is a potential attack avenue.
The Accentuated Risk Environment of 2020
Cybersecurity was certainly a challenge in 2019, but the events beginning in early 2020 accentuated the risk environments that IT teams are charged to protect. Businesses are striving to virtualize everything they can to reach customers who now demand digital experiences. While internal IT continues to innovate the enterprise to accommodate this new era, these innovations often outpace the cybersecurity efforts that must advance alongside them. Remote work strategies have moved workloads onto consumer-grade home networks that lack proper security controls. There are numerous ramifications of working from home. According to a study released in July of 2020:
- 33 percent of employees never think about cybersecurity while working.
- Nearly 45 percent cited distractions as the primary reason for falling for a phishing scam.
- 57 percent admit they are more distracted when working from home.
Cybersecurity teams have been scrambling to enact security strategies for collaboration architectures that they never imagined would mature at the pace they were rolled out.
The Era of Ransomware
The increasing levels of risk are easily visible today. Let’s just look at the statistics involving the “R” word, otherwise known as ransomware.
- Between 2019 and 2020, ransomware attacks in the U.S. rose by 158 percent. This eclipsed the rampant rate of 62 percent worldwide.
- In 2020, the amount paid by victims of these attacks increased by more than 300 percent compared to the previous year.
- As reported by the FBI’s 2020 Internet Crime Report, some 2,500 ransomware complaints were filed in 2020, up 20 percent from 2019.
- The same FBI report showed that the collective total of ransomware costs amounted to over $29 million, up more than 200 percent over the year prior.
- According to the Harvard Review, the ransom amount paid by victims increased more than 300 percent in 2020.
Good News and Bad News Concerning Breaches
While there was some good news concerning the number of data breaches in 2020, which decreased by 48 percent, the total number of records that were compromised exceeded 37 billion, an increase of 141 percent and by far the highest number ever recorded. Five breaches alone each exposed more than one billion records. And ransomware rears its ugly head again as the source of attack for 676 breaches.
The Obligation of Compliance
In addition to the constant threat of cyberattacks, companies must worry about their legal obligations to individuals, state attorneys general, and other regulatory bodies in the event of a cybersecurity incident. There is a growing list of industry and regulatory compliance requirements that organizations are responsible for, including HIPAA, PCI DSS, CCPA, GDPR, etc. However, the hard truth is that one can be in perfect compliance with every industry standard or governmental regulation and still have a breach or cybersecurity incident of some type.
Here is one example. 94 percent of malware is delivered by email. IT departments know this very well, which is why they spend thousands of dollars every year on modernized email security systems to protect against phishing and other email-based threats. Yet despite these best efforts, approximately 1 in 3,000 emails that contain some type of malware payload gets through. If hackers send enough emails, they are likely to eventually break through those protections – usually through user error (clicking on a bad link, for example).
The Shortage of Cybersecurity Workers
We’ve heard a lot about supply chain shortages lately. Well, add one more critical shortage to the list. While cybersecurity teams are stretched to capacity more than ever, there is a serious dearth of cybersecurity talent available to fill the roles that continue to go vacant. Since 2013, the world has been on an eight-year trajectory toward some 3.5 million vacancies in the cybersecurity field by 2021. This isn’t due to a lack of trying to find talent. According to MIT, fewer than 1 in 4 cybersecurity applicants are even qualified. According to a recent study, 58 percent of security practitioners believe that the problem of not having an expert cybersecurity staff will worsen in the coming year.
Cybersecurity Teams Suffer from Burnout
So, in this era in which IT and cybersecurity teams must contend with increased risks and pressures from all sides, how are they surviving in this age of risk? The answer is not well. A ZDNet article in January 2021 said it best: “Cybersecurity teams are struggling with burnout, but the attacks keep coming.” The combination of increasing workloads and position vacancies is taking its toll. In an unrelated study, 38 percent of security practitioners said that the current conditions have led to burnout, a 12 percent increase since 2020. Furthermore, 59 percent don’t believe that their organizations are doing enough to alleviate these stress points.
In addition to the mammoth responsibility of securing their enterprises, Chief Information Security Officers (CISOs) are responsible for budgeting, employee retention and the entire IT environment, as well as exploring alternative delivery platforms. If all this weren’t enough, companies are putting even more responsibilities on the plates of CISOs. According to Gartner, by 2023, 30 percent of a CISO’s effectiveness will be measured on the ability to create value for their business. Other research suggests that, on average, a CISO lasts only two to four years on the job before moving on to another position. The primary driver of this CISO churn is burnout. A survey showed that 88 percent of CISOs report being moderately or tremendously stressed, while 48 percent said that their role has negatively affected their mental health.
Your Obligation is Reasonable Security
Amongst all these disturbing trends and statistics is a morsel of truth. A company is only required to meet its duty of care by implementing what is considered to be “reasonable security”. You don’t have to commit to unlimited budgets to combat every threat. You don’t have to win every skirmish to save the world. You do, however, have to make a recognized reasonable effort to secure your organization against risk. So how exactly is “reasonable security” defined?
According to the Sedona Conference, a nonpartisan, nonprofit research and educational institute dedicated to the advanced study of privacy and data security law:
“Reasonable security” means that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others.
There is a great language gulf between the world of IT professionals and legal practitioners. To help bridge this gap, the Sedona Conference created a “test” of sorts. The test is designed to determine whether an organization properly measured its associated risks and, in turn, applied the appropriate safeguards. The impact of the incident is then compared to the burden that implementing those safeguards would have placed on the organization itself. An organization would be deemed negligent if the net burden of implementing improved safeguards against known threats would have been less than the net impact of the cybersecurity incident on the affected victims.
States Attempt to Define Reasonable Security
Many states are now following in the footsteps of the California Consumer Privacy Act (CCPA) and passing their own compliance regulations to protect the personal data of their state constituents. For instance, the state of Colorado now requires reasonable security efforts according to its newly passed data security laws. Entities are required to implement and maintain reasonable security procedures and practices to protect PII (Personally Identifiable Information), considering the nature and size of the business and the type of PII it collects. However, the Act also states that an entity which maintains procedures for the protection of PII pursuant to the laws, rules, regulations, guidance, or guidelines established by its own state or federal regulator will be in compliance with Colorado’s law governing the protection of PII.
Virginia recently passed its own Consumer Data Protection Act as well. It too deals with one’s obligation to enact reasonable security. Specifically, it states that organizations must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data at issue.
Leverage a Duty of Care Risk Approach
In the event of a legal suit involving a data breach or other type of cybersecurity incident, it will be up to a judge to determine your “duty of care.” It is “due care” that determines the extent of an organization’s liability for the damages incurred by the involved parties. To help in this endeavor, the Duty of Care Risk Analysis Standard (DoCRA) was created. It compiles a set of principles and practices for analyzing risks that address the interests of all parties potentially affected by those risks. Here are some of the primary focal points to remember should you find yourself in litigation.
- The legal concepts of “duty of care” and “due care” require that organizations demonstrate they used controls to ensure that risk was reasonable to the organization and appropriate to other interested parties at the time of the breach.
- Using this methodology for security strategies balances security, compliance, and corporate responsibility by helping determine the appropriate amount of security for an organization’s specific work environment by considering all interested parties.
- In the end, it comes down to a determination of what the proper balance was between safeguards and risk of harm.
How to Start
The first step is to determine what your company’s risks are through a risk assessment. This involves the following activities:
- Take an inventory of company assets.
- Outline how they should be managed.
- Identify key risk indicators (KRIs) and other predictors of negative events that can adversely impact the organization.
- Assess the impact of known vulnerabilities and potential threats to the organization, its objectives, and to interested third parties.
- Determine the likelihood that such impacts will be realized.
- Calculate risk severity and prioritize a course of action in which the identified risks are addressed and remediated.
- Compile the findings and recommendations into a format that an executive board can easily consume and understand to approve projects that address the risks at hand.
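As an added illustration (not HALOCK’s, DoCRA’s or the Sedona Conference’s own method or tooling), the Python below puts a small, constructed risk register through the steps listed above and through the balancing test described under the Sedona Conference section: severity is computed as likelihood times impact, the register is prioritized by severity, and a safeguard is flagged as required when its burden is less than the harm it would have avoided. Every name, likelihood and dollar figure is an assumption made up for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    """One row of a risk register (all values are constructed for illustration)."""
    name: str
    likelihood: float            # chance the harm occurs in a year without the safeguard
    impact: float                # harm to the organization and affected third parties, in dollars
    safeguard: str
    burden: float                # annual cost of the safeguard to the organization, in dollars
    residual_likelihood: float   # chance of the harm in a year with the safeguard in place

    def severity(self) -> float:
        """Risk severity as expected annual harm: likelihood times impact."""
        return self.likelihood * self.impact

    def harm_avoided(self) -> float:
        """Expected harm the safeguard removes, i.e. the 'net impact' side of the test."""
        return (self.likelihood - self.residual_likelihood) * self.impact

    def omission_is_negligent(self) -> bool:
        """The balancing test from the article: leaving the safeguard out is negligent
        when its burden is less than the harm it would have prevented."""
        return self.burden < self.harm_avoided()


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order the register by severity, highest first, for the remediation plan."""
    return sorted(register, key=lambda r: r.severity(), reverse=True)


def board_summary(register: List[Risk]) -> List[dict]:
    """Flatten the analysis into rows an executive board can read."""
    return [{"risk": r.name, "severity": r.severity(), "safeguard": r.safeguard,
             "burden": r.burden, "harm_avoided": r.harm_avoided(),
             "required": r.omission_is_negligent()} for r in prioritize(register)]


# Constructed sample register (hypothetical figures); likelihoods are dyadic
# fractions so the arithmetic is exact.
REGISTER = [
    Risk("Malware delivered by email", 0.75, 500_000, "email filtering + user training", 40_000, 0.25),
    Risk("Ransomware encrypts production data", 0.25, 2_000_000, "offline, tested backups", 120_000, 0.0625),
    Risk("Theft of a low-value test dataset", 0.0625, 100_000, "dedicated hardware key store", 900_000, 0.03125),
]

if __name__ == "__main__":
    for row in board_summary(REGISTER):
        print(row)
```

The third row shows the other half of the Sedona definition: a safeguard whose burden far exceeds the harm it removes is not required by the test.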
A risk management program should continually monitor the changing landscape of your environment to ensure that new risks are identified and addressed in a reasonable manner. The best approach is to partner with a firm that specializes in security risk management. HALOCK has been helping clients manage their associated risks and security safeguards for over 25 years. And while we cannot guarantee that you will never experience a cyber incident, we can ensure that you practice your duty of care.