February 14, 2020 The Cyber Times

“What do you think, Chad? What concerns you the most about cybersecurity?”

The question hit me like the first ocean wave after wandering into the surf for the first time on vacation. It was shockingly simple, delivered with a straight face, yet somehow unexpected, and for a moment it took my breath away.

Most of the time, people ask me questions like, “What should we do to prevent cyber-attacks?” They want to know, “How can we best protect ourselves from ransomware?” I’ve also heard, “What’s the best firewall or spam filter we could buy…what would you recommend?” I’m usually the one asking questions to learn how robust your disaster recovery system is and how well-prepared your organization would be in the event you suffer a data breach or find your computers being held ransom for bitcoin. But this time, the question was for me.

My answer to the question is guided by publications like Verizon’s annual Data Breach Investigations Report and IBM’s Cost of a Data Breach Report. My response is two-fold:

  1. The volume of email and ubiquity of email-based attacks; and
  2. the high cost and lasting impact of a data breach.

To give some perspective, let’s break this down at my organization. In a firm of roughly 100 people, between 8:00 AM and 9:00 AM on February 6, our email volume was as follows:

  • Internal emails: 357
  • Inbound emails: 339
  • Outbound emails: 124
  • Total email volume: 820

This means that in just one hour, we sent or received over 8 times as many emails as we have people in the organization. Since we can no longer disregard internal emails as a threat vector, that means we had 820 opportunities for compromise in only that one hour of that one day.

In Verizon’s report, this image shows data received from millions of malware detonations and illustrates that the median company received over 90% of its detected malware by email.

This is probably my biggest concern because email is such a tried-and-true method of attack, and all it takes is one malware infection to set a company back for weeks or months. I’ve heard some people say that the bad guys have to be right only once, while those protecting organizations need to be right 100% of the time.

My second largest concern is the high cost and lasting impact of a data breach. According to IBM’s research, the average cost of a data breach increased to $8.19M at the time of their report last year. Based on global averages, this is ~$4.2M higher than the rest of the world combined. This is highlighted in the graphic below.

While this cost is astounding, businesses are struggling to keep up with how to prepare for an event loss scenario that includes a data breach. Do they have the right insurance? Can they recover if attacked? But it’s not just about short-term recovery.

Another stand-out statistic from the IBM report shows that while an average of 67% of breach costs came in the first year, 22% are accrued in the second year and 11% occur more than two years after a breach.

Additionally, one of the key findings in IBM’s report was “Lost business was the biggest contributor to data breach costs.” This means that the loss of customer trust was not just a single factor, but the biggest factor impacting financial losses for a company that suffered a data breach.

These are the concerns that keep me up at night. This is what drives our CTG team in helping clients protect themselves and their customers. A single cyber incident can bring an organization and its people to their knees. These kinds of losses are not imaginary and the impact on people’s lives is tremendous.

Last week, a colleague asked me about a suspicious email. I responded that it was a scam and he should ignore/delete the message and contact the owner of the compromised mailbox via phone. He still clicked on the malicious link and even attempted to enter his credentials on a phishing page. In the end, no harm was done, but it amazes me how much trust we place in the emails we receive each day.

When we truly consider the potential impact our actions have on people, it can aid in our collective endeavor to stem the tide of unrelenting cyberattacks that threaten us all daily.

Here’s a solid email screening mindset for handling each email you receive:

  1. Realize that bad emails still make it past your spam filters
  2. If you’re not actively expecting a link or attachment:
    • Don’t open the link or attachment (even if from a trusted source)
    • Verify by phone with the sender (this builds trust/rapport)
    • Alert your IT department if you suspect a malicious email

Thanks for reading and stay cyber-safe out there!
