One of the largest data security risks for most organizations continues to be mobile devices. Each employee may have 3 or 4 endpoint devices – smartphones, tablets, laptops – that connect to the corporate network or hold sensitive data. Many of these devices are personally owned, and whether or not they are covered by an official BYOD policy, they multiply the potential points of ingress for cyber criminals. Given the scope of the threat, one would expect endpoint management to receive greater priority within IT security, but the data indicate that even basic precautions are still being overlooked.
There was a time when IT security conversations were all about the network, with a focus on monitoring and controlling incoming and outgoing network traffic based on predefined security rules. By adding more walls and watching everything that entered and left the network, IT could safeguard corporate infrastructure and data. The endpoint was an afterthought—throw in some anti-virus, and maybe some encryption, then call it a day. Everything has changed.
Shadow IT, the use of technology systems and solutions without the explicit approval of the organization, can no longer be swept under the table and ignored. Nor should it be applauded: while employees are showing initiative in embracing apps and technologies to improve their productivity, they do so by putting corporate data at risk. Shadow IT is happening right now in your organization; you just don’t know it. Your data is at risk, or could even be breached already, and you don’t know it. At least not yet.
The Ponemon Institute, on behalf of HP, released the 2015 Cost of Cyber Crime Study, which seeks to understand which cyber attacks are most common and most costly and which defences are most effective. Central to this year’s report is an awareness of the growing attack surface available to cyber criminals, brought on by mobile and the cloud.
As we recently discussed, data breach legislation continues to be a moving target, with legislative changes pending in 32 states, not to mention federal legislation and global laws such as the EU GDPR, which have the potential to impact US organizations. Outside of this wave of legal requirements, there are industry-specific laws (HIPAA) and regulators who set standards and impose fines following a data breach, and these regulators are in flux as well. Within just the last year, we’ve seen the SEC and FTC both stepping up their game, and the same can be said for the Federal Communications Commission (FCC).
Statistics show that almost half of all organizations suffered at least one serious security incident or data breach in the past 12 months, a figure which grows year over year. Some estimates place the figure higher, closer to three-quarters of all organizations. In healthcare, the percentage of organizations that have suffered a significant data breach or security incident ranges from 68% in the past year to 91% in the past two years.
The average per-record cost of a data breach is $964.31, according to the fifth annual Cyber Claims Study by NetDiligence, which uses actual cyber liability insurance claims to understand the real costs of incidents from an insurer’s perspective. The average claim for a large company was $4.8 million, though the overall average claim was $673,676 when weighted across the full spectrum of mostly smaller organizations sampled. The data show, however, that high per-record costs are possible regardless of breach size.
In a world of mixed device ownership, including BYOD and COPE devices, there are legal concerns that extend beyond simply securing corporate data or providing access. From a legal perspective, one must also consider how these devices could be handled as part of a court case.