Cyber Security State of the Union – Are We Better Off?
by Dave Thompson

We are in the middle of another election year, and politics are flying high. The future is unknown and many questions remain unanswered. A natural question to ask is, "are we better off than four years ago?" One thing is certain: with regard to data breaches, things have definitely not improved. As a matter of fact, it seems there are more breaches and attacks than ever before. The numbers vary depending on which story we read or which report we rely on. Either way, the potential for loss remains daunting. Enterprises and organizations hardly seem better equipped to stop a motivated attacker from getting into their network and working in stealth to steal or damage assets. If each news-grabbing data breach headline is a wake-up call, then most companies are in a deep sleep.

Why is this happening? Is mass complacency the problem? It seems that no one cares about a breach; rather, it is becoming an accepted part of our lives. Are we resigned to the idea that nothing can be done to thwart an attack, so that cyber-insurance and a smart response plan are the best one can do?

It is doubtful that complacency is the issue. The stakes for a breach grow continually higher. Lately the SEC, FTC and other government regulators have made sizable moves indicating that penalties for a data breach will soar. The EU's new data protection regulation raises administrative fines for data breaches to as much as 20 million Euros or four percent of annual revenue, whichever is greater. These fines come on top of response costs and damages. Similar fines in the US may not be far away, but global companies would face the European penalties regardless. Such an expense would likely be material.

There is no doubt that a major breach causes brand damage and loss of customers. For example, more than 150,000 subscribers dropped TalkTalk, the British telecommunications provider, in the months following its breach, contributing to a revenue shortfall; the company disclosed $80 million in losses due to customer churn. Looking at overall loss, it is not just PII and financial information at stake: there is growing acknowledgement of intellectual property compromise and theft of company or trade secrets. The Panama Papers incident earlier this year shows the extreme damage a savvy attacker can do. Imagine the devastating loss that law firms and their clients could experience when an attacker takes everything and holds it for ransom or posts it in some public forum.

Interestingly, a recent industry test report actually claimed up to 100% effectiveness for security systems at preventing breaches. Are you kidding? Does anyone in security still believe there is a way to keep attackers from getting inside their networks? Isn't this precisely the kind of denial that is responsible for such broad failure throughout the security industry?

So, it may be an election year, but clearly things have not improved in the last four years. It is past time to move beyond the rhetoric. Attackers can get into any network. Will we let them explore, move around and help themselves to the most valuable company assets? Can we admit that a new approach is needed, one that detects active attackers early, before they have a chance to steal or damage assets? Or will we let politics rule the day?

Dave Thompson is the senior director of product management at LightCyber.

WWPI – Covering the best in IT since 1980