Another day, another malicious cyberattack? It sometimes seems that we can barely move for headlines about severe corporate data breaches, all too often caused by criminals exploiting existing vulnerabilities in an organisation’s network or processes, or even their security posture and approach.
And the cost of such incidents is not insignificant. The well-respected annual Ponemon Cost of Data Breach Study reported in 2015 that the average total cost of a data breach for a US company is $3.79 million, a figure that has risen sharply since the report began.
Where does this cost come from? The collateral damage from a severe cyberattack can include:
It is impossible to completely avoid being a target for cybercrime. Indeed, as the Internet of Things (IoT) landscape flourishes and the networks that corporations are part of become ever more complex, the attack surface grows and the possible vulnerabilities for criminals to seek out keep increasing. Robert Mueller, former director of the FBI, has argued: “There are only two types of companies: Those that have been hacked, and those that will be.” The days of firewalls and anti-virus software being enough to thwart attacks are long gone.
But there are some principles that all businesses should implement to ensure that their risk is minimised, and that if and when an attack does take place, less information is readily available to be stolen.
Firstly, data security should always be built into a corporate infrastructure from the outset, rather than ‘bolted on’ later. This helps minimise the accidental network vulnerabilities that are all too often cyber criminals’ easiest route in.
Secondly, information should be protected from the moment of creation, rather than separately once it enters transit or storage. This is the principle of true end-to-end information security, increasingly a priority in a world of mobile-to-mobile (M2M) communications.
Thirdly, information security tools and processes should be data-centric, so as to cope with the heterogeneous device landscape that characterises the IoT. It is impossible to depend on every separate IoT manufacturer to build watertight security into their devices, especially when new ones are added to networks every second. A data-centric approach leads with securing information, not devices.
These principles have informed the development of Device Authority’s Data Encryption Security Platform, a true end-to-end data protection, privacy and encryption solution. We cannot guarantee that cyber criminals will never target your business – but we can certainly make life very difficult for them if they try.