Each year we see statistics on the growing field of Cybersecurity. These facts and figures help provide a picture or snapshot of the evolving landscape. Here are a few highlights that are sure to be part of the 2018 Cybersecurity trends commentary.
1. Data Breach Costs; Lower Cost Per Record but More Records Breached
Cybersecurity is inherently a field with a large amount of pessimistic news. It’s rare to hear a story or read an article about “good news” in Cybersecurity, so we want to highlight the positive where we can. According to the 2017 Ponemon Cost of Data Breach Study, the cost per record of a data breach has “significantly decreased from $158 in 2016 to $141 in this year’s study.” That’s good news, and some attribute it to improved incident response times. But wait. Statistics are often interrelated. What is accounting for the decrease in cost per record? The same study says “companies in this year’s study are having larger breaches. The average size of the data breaches in this research increased 1.8 percent to more than 24,000 records.” Just when we thought there was good news . . .
2. Cybersecurity Skills Shortage Keeps Growing
We expect this trend will make consistent headlines for years to come. It takes time to bridge a gap, especially when the problem keeps growing. The Enterprise Strategy Group (ESG) prepares an annual survey covering North America and Western Europe. They systematically question organizations on where they have a “Problematic shortage of Skill.” Since 2014 the top answer has been Cybersecurity. The shortage has grown every year. This is a trend that will continue for the foreseeable future.
2014 – 23%
2015 – 25%
2016 – 46%
2017 – 45%
3. Ransomware Increases
There is a lot of current speculation on how far the ransomware epidemic will go. Combining two trends, at what point will we have “Smart Household Appliances” held for ransom? It’s possible now; it’s only a matter of time. Worse would be ransomware for pacemakers or other life-sustaining devices. In the August 2017 MIT Technology Review, Simson Garfinkel wrote regarding self-driving vehicles, “These vehicles will have to anticipate and defend against a full spectrum of malicious attackers.” Opportunities for ransomware will increase with the addition of the “smart” car, fridge, or phone in our lives. In the future, you could lose your dinner, your ride, your phone access, and have your life threatened all in one day. We need to better educate workers, CEOs, citizens, and grandmothers about how to spot and defend against ransomware. Maybe it’s time for Security Awareness training starting in K-12 education and continuing through life.
4. Increased Government Oversight
We haven’t seen as many articles on governments’ response to cybersecurity threats, but they are starting to sit up and take notice. Government is lagging because the industry is evolving quickly and government wants to think about it and work out a solution. They are missing it entirely because they inherently don’t move fast enough. The WannaCry breaches of the Microsoft X platform are an example of this. Many specific agencies in different European countries were compromised because of a failure to understand the issues in a timely manner.
Organizations who work with the DoD in the US have been trying to get up to date with the NIST 800-171 requirements. Those who don’t comply risk losing their lucrative contracts with the government.
The National Cyber Security Strategies (NCSS) in the UK is making regulations that include making suppliers themselves liable for breaches and measuring them against a security rating system, with results published where everyone can see. It’s only a matter of time before the U.S. adopts a similar type of legislation.
The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. The regulation defines fines for companies that do not comply. Colin Tankard, managing director of Digital Pathways, predicted that, come May 25, only 10% of companies would be compliant and some companies could close because of their lack of preparation and the fines incurred by this legislation.
We expect that public concern will increase government efforts to hold non-secure organizations liable for breaches and increase interest in holding companies and organizations responsible for maintaining minimum standards of Cybersecurity.
In all, there will continue to be a broadening of scope for cyber criminals. There will be increased need, in both industry and government, for workers educated in cyber security at basic through expert levels. We need to prepare ourselves for the cyber environment of the future.