Released last week, Gemalto’s Breach Level Index found that over 4.5 billion data records were breached in the first half of this year - up 1,751% from the same time last year. That translates to 291 data records being breached per second in the first half of 2018.
No matter which way you look at it, that’s a big and disturbing number. Around the same period, in May 2018, the global population was estimated at around 7.6 billion people. Accounting for the fact that some segments of society are under-represented online, like young children, and some of the less developed nations, it’s safe to conclude that there was a good chance that any one of us could have been the victim of one of these breaches.
I find this report incredibly disturbing. As leaders, the organisations we lead are heavily reliant on new technologies, cloud-services, e-commerce, and a mobile, interconnected workforce. In that environment, we are entrusted with sensitive data that affects our customers, employees and shareholders.
Governments and regulators are endeavouring to heighten our preparedness against data breaches, with the introduction of initiatives like the GDPR in the EU in May, the Notifiable Data Breach scheme in Australia in February, and similar initiatives around the world. Yet businesses and their data are continuing to fall prey to sophisticated cybercrime networks.
It is too soon to say if these initiatives will have an impact. As the leader of a cybersecurity firm, I applaud governments, regulators and industry for all efforts to alert businesses to the risks that they are facing, and to protect the customers of those organisations by threatening sizeable penalties should they fail to abide. The GDPR penalties for a breach are 20 million Euros or 4% of global annual turnover, whichever is greater. That’s a big stick to wield, and there is no doubt that businesses all around the world have taken notice and implemented more stringent measures around data protection and security. That is a huge step forward.
On July 31, the Office of the Australian Information Commissioner (OAIC) released the first full quarter results under the notifiable data breaches (NDB) scheme. The report revealed 242 notifications for the quarter, after only 63 were reported in the initial six weeks of the scheme’s operation. 59 percent of the notifiable breaches reported resulted from “malicious or criminal attacks.” Of the 97 cyber-related incidents reported, 29% were linked to the compromise of credentials through phishing, 14% were brute-force attacks, and 34% were by unknown methods.
That the health sector was the most targeted should come as no surprise, as cybercriminals target the highly confidential information that those organisations protect. We have seen high profile examples in Australia with the leak of data from the Australian Red Cross in 2016 affecting the 550,000 donors. The health sector is particularly vulnerable. While not specifically targeted, the NHS was one of the most reported victims of the global WannaCry attack. The Department of Health has revealed that the attack caused the cancellation of 19,000 appointments and cost the National Health Service almost £100 million.
Earlier this year, the World Economic Forum Global Risks Report 2018 found that leaders rated ‘cyberattacks’ and ‘data fraud or theft’ as the 3rd and 4th most likely risks to their businesses, and ‘cyberattacks’ were also in the top 10 risks in terms of impact. So, it’s encouraging that leaders are alert to the threats posed by cybercrime, and that we are collectively galvanizing as a global business community.
Nevertheless, businesses continue to fall prey. In particular, 4 data breaches were rated ‘catastrophic’ by the Gemalto Index this year: Facebook, Aadhaar, Exactis, and Under Armour.
It’s not a new phenomenon. In 2013 and 2014, Yahoo! was the victim of attacks which it controversially announced in 2017 had affected over 3 billion user accounts. More recently we have seen massive breaches affecting tech giants like eBay, Uber, Facebook and Equifax. Aside from possible penalties under GDPR, their reputations have been damaged and their revenues have suffered. In some instances, executives have even been called in front of senate inquiries and faced legal repercussions.
In this climate, recognising that some of the largest and most sophisticated tech firms have fallen victim to cybercriminals, is a big concern for all of us. A 2018 report by EY found that 86% of organisations do not believe their cybersecurity fully meets their needs.
A long-term commitment is needed
Sophisticated attacks require a sophisticated defence strategy. Gemalto’s Index found that while some breaches this year resulted from accidental loss, the majority, 56%, were resultant from attacks by malicious outsiders or cybercriminals. This is consistent with the 59% of incidents reported to the OAIC as “malicious or criminal attacks,”
Let us not be complacent or discouraged. In the past I have encountered leaders who were dismissive of cybersecurity. They would often tell me that it was an IT problem for their tech leaders to solve, or some were of the opinion that they had contracted consultants so that they could focus on their core business.
Thankfully these views are changing, and leaders now accept that protecting the reputation and data of their firms, is a whole of business challenge. What greater evidence of this, than the examples above. When it comes to cybersecurity and data protection, too much is never enough.
A recent EY article pointed out that “Cybercriminals know how to find and exploit every opportunity.” Elaborating that “Today’s cybercriminals use advanced techniques, to mimic executives and fool employees into sending emails or making money transfers. Businesses need sophisticated defences, now that their adversaries have become this clever.”
This is the crux of the problem for executives and business owners trying to handle security: cybercrime is rapidly morphing and becoming more complex. Each attack is different from the next. In one instance that was intercepted by my team at MailGuard, the scammers used over 160 variations of an email to deliver their payload and to stay ahead of antivirus software updates.
At a recent conference in the US, a Microsoft Enterprise Security team stated that the average CIO or CISO oversees 48-60 services to protect their organisation, and some that I have spoken to feel that even this number is low.
Experts agree that a multi-layered approach is needed to stay ahead of the crooks who are constantly trying to beat your defences. What we now understand, is that cybercrime is a long-term challenge that requires a coordinated approach.
Strong leadership, robust systems and tools, the education of teams, engagement with trusted partners, and collaboration with government, industry and peers, are just some of the factors that need to be considered to defend your company, your people and your data.
If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.
You can download my e-book for free, here.
I have repeatedly advocated the adoption of a multi-layered security approach to handling cybercrime today.
I founded MailGuard in 2001 – a cloud email security company that stops advanced email threats 2-48hrs ahead of the market. Despite the enormous scale of a some of the attacks mentioned earlier, 9 out of ten begin with a simple email, targeting vulnerable employees.
MailGuard detects and prevents large numbers of cyberattacks every day. If you would like to discuss the preparedness of your organisation, my team are here to help.
... ... ...
Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter.
I’d really value your input and comments so please join the conversation.