A new chart details how cybercrime ballooned in the past decade. Cybersecurity expert Ron Schlecht explains how even small breaches can cost enterprise and SMB companies millions.
Cybercrime has ballooned over the past decade, according to research by Philadelphia firm BTB Security. The company analyzed cybercrime data from 2005-2015 from the FBI, the FTC, the US Justice Department, Lifelock, and other information vendors and created an infographic that articulates how cybercrime evolved over the past decade.
BTB Security provides risk analysis and response tools and guidance for SMBs and enterprise companies in financial services, healthcare, retail, and manufacturing. The company maps and reveals network security flaws, performs penetration testing, and advises clients on how best to respond to data breaches.
- The results of BTB Security's study confirmed what many companies have known for a decade or more: Cybercrime is expensive. Since 2005, the cost per breach has grown exponentially, from $24 thousand to $1.5 million per incident.
- The identity theft industry more than doubled over the past 10 years, from 8.3 million in 2005 to 17.6 million reported cases in 2014.
- Ransomware has surged in popularity recently. Once a sub-million-dollar business, ransomware grew to a $24 million industry in 2015 and continues to grow.
- Consumers are also affected by business data leaks. According to the company's research, in 2015 nearly 190 million individuals had personal data compromised by corporate hacks.
Ron Schlecht is a managing partner at BTB Security. He spoke with TechRepublic about how the company built the infographic, and how companies should respond to cyberattacks.
Explain what your company does, who your customers are, and how your technology works.
Quite simply, we break into places (legally), help companies increase their security posture, quickly figure out how people broke into places, and defend and detect the entire spectrum of cyber threats. Our three tenets are Assess, Detect, and Respond. We're a customer service company that happens to have depth and experience in information security... and we're genuinely nice people who are fun to work with. Typically, we work heavily in regulated industries like financial services, healthcare, retail, resorts, and entertainment, but there isn't an industry that doesn't have some type of security or privacy concern that we can't help with.
What is your methodology, and how was the infographic data gathered and compiled?
First, we decided what categories we wanted to look at, things like the rise of ransomware and the cost of cybercrime to US businesses. We began with eight or nine, then narrowed the list down to the five items on the final graphic--those that were most interesting to us and for which information was readily available. Then, it was a matter of answering those questions, relying on resources we already knew about, and mining information from some trustworthy organizations and websites, like the US Justice Department. We corroborated information from one site to another, and if the data was consistent in two different places, it made the cut. For a number of data breaches, we had to set parameters because all kinds of things would qualify, so we chose the number of consumer records compromised. That way, we could focus on the "high profile" hacks--the ones that make the evening news.
What should companies--SMBs and enterprise alike--do to protect themselves from data breaches?
When you really examine what needs to be done, it's quite simple: Know what is most valuable in your organization and what you're trying to protect, understand your security posture as it currently is, and dedicate the resources and focus to make progress. The execution of that is where it gets tricky. Organizations of all sizes have to rely on solid internal expertise, trusted external advisors, and ensure that executive management is on-board with the plan and execution of it. The strategic goal of security is a marathon, and the tactical pieces of security, which often dilute the focus of any organization, are the small sprints that must be managed wisely.
What is the best post-attack action plan?
Every breach requires an organization to mitigate the current threat first, then work on determining what vulnerabilities led to the attack, proactively closing those gaps, then performing a root-cause analysis to expose all of the issues that led to the security incident. Typically, we work with clients to close vulnerabilities and gaps as they're exposed during a breach. Recovery of operations and getting back to normal is the last phase, and is built from how the company was affected, but typically requires a full assessment of the technology environment and data to give a hygiene check, then closely monitoring every aspect of company technology operations. In my experience, post-breach action plans are pretty progressive, as the incident demonstrates how impactful a breach can be. Organizations formalize or strengthen their security organization, plan for more formal and rigorous assessments, and take steps to strengthen or outsource their monitoring and response capabilities.
How would you advise presidential campaigns like Trump and Clinton to protect themselves from cyber attacks?
They are targets no matter what they do, because of the current spotlight on their campaigns. However, they can limit their attack surface by only exposing technology components that are absolutely necessary. While they do have interactive technology features of their organizations currently, the technology really empowers their marketing. Privacy and availability are the key concerns. So, again, understanding their current security posture, and dedicating appropriate resources and focus, would help ensure their resistance to a cyberattack. In addition, their resilience can be enhanced by monitoring every aspect of their technology ecosystem and having the ability to quickly respond to any incident and limit damage.
What do the next 10 years of cybersecurity look like?
I'll take my best "Jetsons' guess" of what 10 years may bring, but that's an eternity in security. The infographic that we recently put out documents some of the drastic differences in the number of events and types. I'll keep it to three, or I would talk for hours on this subject. The infrastructure that creates our digital world is aging, forgotten, and sometimes ignored. The problems will compound and end-of-life hardware, software, and processes will eventually create a vacuum of expense and time for those defending it. At the same time, I think we're going to see a real declared cyberwar. The nations, hacktivists, or terrorists are going to use the digital realm to inflict real physical harm. Lastly, hackers will continue to not just target large organizations, but target smaller and smaller organizations, and failure of organizations and countries to build up security talent will be a huge problem. We're already at a talent deficit, so you'll most likely see more reliance on managed security service providers.