CDW recently partnered with IDG Research on a risk mitigation study that came to a startling conclusion: 46 percent of organizations have experienced a serious security breach, and an additional 22 percent experienced a “near breach.” Stop and think about that for a moment. More than two-thirds of organizations either suffered a breach or narrowly avoided one — and those are just the breaches that were discovered. It wouldn’t be surprising to discover that many of the remaining organizations experienced an undetected breach.
The study revealed some other interesting findings that provide insight into how organizations view cybersecurity.
Business Leaders Take Cybersecurity Seriously
When I think back five or 10 years, I recall an era when most organizations’ experience with a security beach was a virus infection that took the network down for a few hours. These incidents caused the IT staff to run around with their hair on fire for a little while, but had little long-term impact on the business. While the IT staff considered these breaches serious, they typically didn’t amount to much more than a minor annoyance for business leaders.
Today, we use the word “serious” quite differently when we think about security breaches. These days, a serious breach involves the theft of sensitive information, destruction of data via ransomware or the loss of financial assets. We’ve now entered an era where IT and business leaders mean the same thing when they use the word “serious.” The modern serious breach requires the CEO to appear before the board and can result in a significant loss of market capitalization.
Advanced Persistent Threats Keep Us Awake at Night
One other data point from the study piqued my attention: 34 percent of organizations ranked human adversaries as one of their top five cybersecurity concerns. This focus on the advanced persistent threat (APT) is consistent with what I’ve seen from our customers in the field. Most organizations already have a reasonable level of control designed to deter a casual attacker. They’re less well defended against a concerted effort from a sophisticated adversary.
One of my clients years ago was a heating, ventilation and air conditioning (HVAC) contractor that serviced cooling and refrigeration systems for commercial clients. One day, the company’s IT manager brought me into a meeting with the CEO to discuss cybersecurity risk. The CEO looked at me incredulously and said, “We repair air conditioners. We don’t do e-commerce, and we don’t accept credit cards. We simply don’t have any data that an attacker would be interested in, and we don’t have funding for security.”
I can’t help but think about that company every time I hear about the 2013 Target breach, one of the largest thefts of credit card information in history. The intruders in that breach didn’t directly attack Target. They compromised the security at Target’s HVAC vendor and then used that access to gain a foothold on the Target network. The bottom line is that organizations may believe they wouldn’t be an attractive target for an APT attack, but they still should consider the second-order effects: Can they be a stepping stone to a compromise at a customer site?
Cybersecurity risk remains one of the most pressing concerns of both technology and business leaders. Fortunately, many organizations are investing time and funding in security remediation to address these changing threats.
This blog post brought to you by: