Security By Design


Cybersecurity is today one of the most reported and commented-upon topics in business, in management consulting circles and in investment circles.  Yes, I agree that Artificial Intelligence is a noisy topic recently.  However, AI, even though I have been listening to the promise and perils of AI since the early research days, is still in its infancy.  Cyber-Insecurity and Cybercrime are harming your business today!

Do you know if your organization is Cyber Secure or Cyber Insecure?

My focus in this blog series will be about Cybersecurity and your organization.

Cyber-Insecurity and Cyber Crime hurt your business yesterday, are hurting it today, and will continue to do so tomorrow if you do not:

  1. have a robust business understanding of the risks of not adequately securing your digital business infrastructures, systems, and product lines.
  2. have a comprehensive set of business-focused strategies and plans to secure and provide cyber resilience in your digital business world.
  3. have in place the enterprise and business unit governance policies, processes, procedures, and training which create a foundation for a company culture of ownership and accountability for cybersecurity at all levels of your company: Board of Directors, Executive Leadership, management, and employees.
  4. have in place the operational practices, which include the use of your processes, procedures, supporting tools (manual or automated) and reporting, to know whether your Cybersecurity capabilities are protecting your enterprise or not.
  5. have the practice and acquired learning and knowledge about what to do and not do when your organization has been cyber-compromised.

Cyber compromise takes many forms and attacks us from many directions.  Nation states, terrorists, criminals, hacktivists, business competitors and business insiders all take advantage of Cyber Insecurity for illegal political, economic, financial, ideological, societal, business-competitive and/or personal gain.  The reason behind a cyber-attack is interesting but matters little compared to the impact on your business.

One of the industry reports I pay attention to year after year is the IBM Cost of a Data Breach Report. The latest IBM Cost of a Data Breach (2022) Report tells us that:

  • 83% of organizations studied have had more than one data breach.
  • 60% of breaches led to increases in prices passed on to their customers.
  • 79% of critical infrastructure organizations didn’t deploy a zero trust architecture.
  • 19% of breaches occurred because of a compromise with a business partner.
  • 45% of breaches were cloud-based.
  • The average cost of a data breach was $4.35m.
  • The average cost of a ransomware attack, not including the cost of the ransom itself, was $4.5m.
  • 19% of breaches were caused by stolen or compromised credentials.
  • The average cost savings associated with Incident Response Governance, regularly tested Incident Response plans and Incident Response Teams was $2.66m.
  • The average cost of a data breach in the United States, the highest of any country, was $9.44m.
  • The average time to identify and contain a data breach was 277 days.

This last fact is the big one.  The average time to identify and contain a data breach was 277 days.  And that is just an average.  How many news reports have you read this past year about data breaches that, when reported, had already been ongoing for a year or more?

Another industry report I pay attention to is the Verizon Data Breach Investigations Report (DBIR).  The Verizon DBIR 2022 tells us that:

  • 82% of breaches involve a human element, including social attacks, employee errors and misuse of systems and data.
  • There has been a 13% increase in Ransomware breaches, more than in the last five years combined.
  • 62% of system intrusions involved threat actors compromising business partners.

These facts should be alarming to you.  82% of data breaches involved a person making a mistake.  Ransomware breaches continue to increase.  62% of digital system intrusions originated with a business partner.

If you are a Board member, executive, director, or manager of a small, medium, or large business enterprise, you should be alarmed and concerned enough by this information to at least ask some questions within your organization to determine if you are Cyber Secure or Cyber Insecure!

In my next post, I will speak about Cyber Risk from the perspective of Business Risk.

Feedback and comments are welcome, as well as any specific Cybersecurity or Cyber Insecurity topic you might want me to comment upon.

Joseph F. Norton is a Risk, Security, and Crisis Management professional.

He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.

He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s.  He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.

DISCLAIMER

Copyright ©2023 by DivIHN Integration Inc. | [email protected].

The creator of the document reserves all rights. Publication Date: April 2023. DivIHN Integration Inc. reserves the right to change the contents of this article, the features or the scope without the obligation to notify anyone of such changes. The content has been adapted using secondary research from various data points via “Google Search”. Infographics and Images used in the document are the property of the respective owners and have been used for indicative purposes only. The author reserves the right to authorize and use the Intellectual Property contained in the document.