Countless cyberattacks have landed in the media spotlight over the past few years, and while the increased attention has made more businesses aware of the issue, one expert says relatively few fully understand their own level of exposure.
“While business leaders are aware of attacks, they remain woefully unaware, by and large, of the structure, data content, function, and connections of their own digital networks,” says Ray Rothrock, CEO of cybersecurity analytics platform, Redseal. “This means that they have little or no idea of how secure or insecure their enterprise is.”
Until businesses do understand their own digital infrastructure and the status of the data carried on that infrastructure, it is impossible for them to be aware of the risks they face from a cyberattack, warns Rothrock.
“Put bluntly, to properly defend and be resilient means that companies must know their network better than their hacker adversaries do,” he says.
According to Rothrock, exposure is the collision of internal vulnerability and external threat.
“Practically speaking, it is impossible to overestimate the external threat,” he says. “There is no denying that highly connected businesses work in a very dangerous neighbourhood.”
What most businesses underestimate, he says, are the dangers posed by problems in their own networks such as inadequate knowledge of hardware and software insecurities, an incomplete knowledge of who connects with whom and what, inadequate prioritisation of data assets in terms of security versus accessibility, and inadequate training of employees in safe computing, digital hygiene, and responsible data stewardship.
“The risk is a breach, which may result in the theft of intellectual property, of financial records, of personally identifying information of employees, customers, clients, and other stakeholders, and the theft of credit card and other financial information,” he says.
However, a breach may also result in various forms of business-interrupting sabotage, the most common of which is a distributed denial-of-service (DDoS) attack, which can knock a company out of business for a period of time.
“The cost of a breach varies tremendously, but the average total cost of a single data breach in 2017 has been calculated at $3.62 million,” says Rothrock. “Some breaches cost much more, and some of the costs are literally incalculable. How much, for instance, is the enduring cost of a reputation damaged or destroyed?”
Employees, unsurprisingly, are the principal risk to any enterprise. In fact, a 2017 survey from Willis Towers Watson found that 90% of cyber risks are caused by human error, and that 66% of breaches are caused by employee negligence, malice, or criminal behaviour.
“The most common act of employee negligence does not occur online, but in the ‘real’ world: an employee leaves a laptop in a public space or loses a thumb drive,” says Rothrock.
“In other words, most employee lapses are low-tech human error. Take this cause alone, and you have the key motive for creating digital resilience. There are still significant instances of insiders who maliciously breach internal systems, but human error—including falling prey to phishing scams—is the number one employee-caused risk.”