Cyber fraud and data breaches are rampant in the U.S. and internationally. The number and the level of sophistication of the cyber-attacks are increasing at an alarming rate. Both nation-state cyber-attack groups and criminal cyber-attack groups are often working together deploying an ever-expanding array of social-engineered cyber-attacks, including:
• Spear-phishing attacks
• Business email compromise (BEC) attacks
• Ransomware attacks
• Distributed denial of services (DDoS) attacks
• Trojan-horse malware attacks
The impact to both the public and private sectors is real and significant, creating huge financial, operational, and reputational risk factors for organizations worldwide. According to the U.S. Security Exchange Commission (SEC) the average cost of a cyber data breach is now $7.5 million. Likewise, the average cost of cyber liability insurance coverage has increased by 30% or more each year for the past several years. Further, with the tremendous growth of the Internet of Things (IoT), there has been a 600% increase in the number of cyber-attacks on IoT connected devices in the past year, especially focused on medical devices.
The expanding use of the Internet and software applications have dramatically increased the potential number of vulnerabilities within information systems, networks, software, and their respective endpoints to potential fraudulent actions such as identity theft, identity fraud, business email scams, and cyber data breaches. The information considered most valuable to hackers include: intellectual property (IP), personal identifiable information (PII), protected health information, (PHI), and payment card information (PCI).
The Growth of the Cybersecurity Marketplace
The cybersecurity marketplace has rapidly expanded to become a $100 billion annual industry, offering a wide-range of cybersecurity hardware/products, software, and professional services. Today, there are an incredible number of companies offering cybersecurity technologies, products, and services, often claiming to have the solution to one or more of your cybersecurity needs. Unfortunately, no one product or service can provide a magic solution to this multi-faceted, ever evolving, and highly complex information security global set of challenges.
Cyber Fraud & Data Protection – Top Ten Challenges:
Based upon our experience with hundreds of companies worldwide, across all industries, the following are the most significant cyber fraud and data protection challenges faced by most organizations in both the public and private sectors:
1. What are the best methods or tools to identify, track, and maintain all data/information assets with appropriate information governance, data mapping, and cybersecurity?
2. How can an organization cost effectively and efficiently verify identities and control information access?
3. What are the best methods, tools, techniques to manage third-party/supply chain partners compliance with evolving cybersecurity and data privacy regulatory requirements in the U.S. and internationally?
4. What is the best method to effectively deliver timely cybersecurity and data privacy education and training?
5. Should an organization invest in acquiring new information security hardware, software, and resources to enhance cybersecurity or outsource to a proven Managed Security Services Provider (MSSP)?
6.Who should we turn to for advice after a major cyber data breach occurs within our organization?
7. What actions should an organization take to ensure they comply with all the current regulatory requirements for their industry and geographic location, plus all customer contractual requirements?
8. What proactive actions can an organization take to mitigate insider threats and fraud?
9. What is the best approach to ensure an organization has developed an appropriate business continuity plan?
10. How much cyber liability insurance coverage is sufficient?
Threat-based Cybersecurity Approach – Top Ten Best Practices:
We highly recommend a threat-based cybersecurity approach to combat cyber fraud and mitigate costly cyber data breaches, including the following actions:
1. Hire an independent firm to conduct some or all of the following cybersecurity advanced diagnostic assessments:
- Email cyber-attack assessment
- Network & endpoint cyber-attack assessment
- Vulnerability assessment
- Penetration testing
- Spear-phishing campaign
- Red-team security assessment
- Security software tools assessment
2. Hire a dedicated Chief Information Security Officer (CISO) who reports to the CEO or General Counsel to develop a sound cybersecurity and data privacy risk management program tailored to the specific cyber threats facing your organization.
3. Implement advanced software encryption with multi-factor authentication (MFA) including biometrics.
4. Provide timely and effective cybersecurity education and training programs for the entire organization from the top to the bottom.
5. Implement a timely and effective software security patch management program.
6. Ensure the organization has developed and implemented an appropriate information governance program to map and track all data assets.
7. Verify and periodically test the organization’s incident response plan.
8. Develop and periodically test the organization’s business continuity plan and disaster recovery plan.
9. Conduct or outsource managed detection and response (MDR) of the organization’s information system, network, endpoints, software applications, and email system – 24 X 7 X 365 using the most advanced machine learning/ artificial intelligence applications.
10. Verify the organization’s compliance with all cybersecurity and data privacy regulatory requirements via independent compliance/risk assessments by qualified firms.