In an election year, everyone asks the question about whether or not you are better off than you were four years ago. There are many ways to answer such a question, and various people make arguments from various angles and data points.
Now, more than halfway through the year, hardly anyone could claim that the data breach crisis has improved. Even if the number of reported breaches declines to some degree or the total number of records lost to an attacker is somewhat smaller, the specter of loss remains formidable, according to LightCyber.
In addition, enterprises and organizations hardly seem better equipped to solve the problem of a motivated attacker getting into their network and working in stealth to steal or damage assets. If each data breach headline in the news is a wake-up call, most companies are still sound asleep.
Is mass complacency the problem? No one cares about a breach, and it’s just a fact of life? Or is there just a resignation that nothing can be done to thwart an attack, so cyber-insurance and a smart response plan are the best one can do?
It’s hard to imagine that complacency is the issue. The stakes get continually higher for breaches. Lately the SEC, FTC and other regulatory bodies are making sizable moves that indicate that penalties for a data breach will start to soar. Courts have been ruling to make victimized organizations responsible for all damages, and they have allowed class action litigation to pool plaintiffs’ complaints into more sizable amounts.
It is also clear that brand damage and loss of customers come as a result of a major breach. Over 150,000 subscribers dropped TalkTalk, the British telecom provider, in the months following its breach, contributing to a revenue shortfall. The mobile provider disclosed $80 million in losses due to customer churn.
Speaking of losses, it is not just PII and financial information at stake. There is growing acknowledgement of intellectual property loss or compromise and theft of company or trade secrets. The Panama Papers incident earlier this year points to what could be possible. Imagine the devastating loss that law firms and their clients could experience when an attacker takes all and holds it for ransom or posts it in some public forum.
Clearly, things are not getting better. At the same time, most organizations are no closer to solving the issue than ever. Existing security tools are obviously not up to the task. Even with the best next-generation gear and well-established policies and rules, attackers get into a network as though the perimeter didn’t exist. Legacy vendors claim incremental benefits that don’t even come close to solving the real problem.