New Report: Businesses Suffer Serious, Measurable Damage From Data Breaches

Cisco recently published its tenth annual data breach report, and some of the findings should be cause for concern by people who own, run, or work for businesses.

The firm’s 2017 edition of its annual cybersecurity report entitled “Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches And The Actions That Organizations Are Taking,” provides insights based on threat intelligence gathered by Cisco’s security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.

Cisco noted that according to its research, in 2016:

Old-fashioned adware  software that downloads advertising without user permission – continues to prove successful, infecting 75 percent of organizations polled. (…as is adware.)

Just 56 percent of security alerts are investigated and less than half of legitimate alerts are actually remediated. Defenders, while confident in their tools, are undermined by complexity and manpower challenges; criminals are exploiting the inability of organizations to handle all important security matters in a timely fashion. (Information overload is causing a “Boy who cried worlf” situation in some envrionments, and too many real alerts are overwhelming others.)

Twenty-seven percent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns. (Inadequately vetted applications can create risks.)

On the positive side, 90% of organizations that experienced a breach in 2016 are improving threat defense technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent). (Thankfully, firms are investing in improving the situation.)

Discussing the report, John N. Stewart, Senior Vice President and Chief Security and Trust Officer, at Cisco noted that “In 2017, cyber is business, and business is cyber -that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk. The 2017 Annual Cybersecurity Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture.”

Here are comments from several other industry insiders on the report.

David Vergara, Head of Global Product Marketing, VASCO Data Security:

“This report makes three things abundantly clear. The first is that cybercriminal’s weapon of choice is not always the sophisticated attack; generally, they prefer the path of least resistance, so security laggards beware. Second is the hard cost of a breach, through lost customers, revenue and business, is rising dramatically. This cost should drive more pointed security resource discussions and prop up related business cases. Third is that the last thing CSO’s need is another point solution to complement the busy array of existing security platforms. Step one is to assess the weakest channels. If mobile represents the greatest risk, leverage a solution that compliments your existing platform to ensure trust on the device and mobile applications.”

Brad Bussie, Director of Product Management, STEALTHbits Technologies:

“When assessing risk, one of the first things you do is identify the value of the asset you are trying to protect or mitigate. If it costs more to protect or mitigate the risk to the asset then the asset itself is worth, you don’t do it. Statistics from this study, and others, show an alarming trend that asset risk is no longer being calculated correctly. Losing customers, revenue, and opportunities can be mapped directly back to breached systems. It would be interesting to see how much it would have cost to protect the systems in question, or to change to process that was exploited and compare it to what was lost because of the breach “

    Don Duncan, Security Engineer, NuData Security:

“CISCO’s findings that 22% of breached organizations lost customers and a significant number of these companies lost 20% of their entire customer base is a sobering data point for any organization when considering whether to disclose a breach publically. Regulations may be coming that will force disclosures. Until that happens, with so much at risk it’s no wonder that breach numbers are vastly underestimated. The other important point to note with this finding is what we’ve all known for a while now -breaches are impactful to customers and influence their loyalty. It’s not news that lost customers, revenue, business, and opportunities are part of the fallout from severe breaches, and this study can help many companies grasp the magnitude of what is at stake. What is new is how the attack vectors are changing; becoming more organized and nimble.

Brian Laing, VP of Business Development and Products, Lastline:

“The Cisco data breach report highlights the continually evolving techniques used by criminals to exfiltrate sensitive corporate data, and the resulting impact on business performance. Enterprises must continually expand and enhance their security capabilities to keep up with new techniques, schemes, and technology continually introduced by organized crime.”