Bridging the Data Breach Confidence Gap
Confidence is a beneficial trait to have, but an excess can get you into trouble. As I’ve said before, companies that overestimate their cyber protection capabilities leave themselves open to a rude awakening when a security incident strikes. Despite Gartner’s prediction of $90 billion spent on security this year, this false expectation continues to be an issue.
Among the more disheartening facts of a report from enterprise security company Gemalto is this: 94% of respondents think their perimeter security is very effective at protecting the network against unauthorized users. At the same time, 28% have seen these perimeter defenses breached in the past year. Talk about damning, though: 14% say they wouldn’t even trust their own organization with their sensitive data.
Gemalto refers to this overconfidence as the breach gap. Jason Hart, the company’s CTO and VP for Data Protection, attributes this breach gap to a lack of understanding, especially at the executive level, of the motivations and security particulars involved in breaches.
Overconfidence has also been a rule of thumb for smaller businesses for years. Entities of this size have often believed they were unlikely hacking targets. Lacking the resources and staff to efficiently monitor or improve their security, they generally lag behind on this front. And yet, 2016 saw 61% of data breaches affect companies with 1,000 employees or fewer—in many cases, analysts say, precisely because of their data protection shortcomings. Whether through application vulnerabilities, ransomware schemes, or employees looking to use stolen information for their own advantage, many faced significant revenue loss as victims of a breach.
The Equifax breach, in addition, seems to have spurred many into action. Companies that provide security products and services to these businesses report numerous calls from customers since the news broke. According to Bob Herman, owner of IT Tropolis, one such customer wanted “to replace their one remaining XP computer,” for which Microsoft stopped providing updates over three years ago.
Perhaps a silver lining of these mega breaches can be that they force more organizations to take notice. Strides might have been made so far, and spending may be up, but it’s not enough. With more focused financing, and concentration on basics like encryption, key management and multi-factor authentication, let’s try to get the one in seven people who would trust their own organizations with their data up to two in seven.