Not to be the bearer of bad news but the U.S. government’s cybersecurity situation is frighteningly bad. Sobering statistics from Wired’s “The Bleak State of Federal Government Cybersecurity” include: 74 percent of the 96 federal agencies that were assessed are labelled as “at risk” or “high risk”, and an astonishingly high 38 percent of all government-related cybersecurity incidences do not produce any answer as to how a breach occurred.
“That’s definitely problematic,” says Chris Wysopal, CTO of the software auditing firm Veracode. “The whole key of incident response is understanding what happened. If you can’t plug the hole the attacker is just going to come back in again.”
The government’s “Risk Determination Report and Action Plan” lists four recommendations to improve the situation:
- Create accountability
- Increasing awareness
- Implementing existing government guidelines and frameworks
- Consolidating and standardizing defense to use resources more efficiently
On a positive note, the report discusses ways to reduce risks over the next 12 months, but it’s not clear how these recommendations can or will be put into action.
SMBs need to up their cybersecurity game
In many ways, small- and medium-sized are the lifeblood of America’s economy. According to the SBA Gov 2016, there are 28.8 million small businesses, which accounted for 99.7 percent of U.S. businesses. Unfortunately, being an SMB generally means that your company has limited resources and limited IT capabilities.
Some sobering statistics from the 2018 Hiscox Small Business Cyber Risk Report include:
- 47 percent of small businesses suffered at least one cyberattack in the past year, yet only 35 percent of them took action following a cyber security incident to mitigate against another
- Only 52 percent of small businesses have a clear strategy around cyber security
- 21 percent of small businesses have a standalone cyber insurance policy, compared to 58 percent of large companies
Are you getting the picture?
As noted in the Insurance Journal article, “Small Businesses That Ignore Lessons from Cyber Attack Likely to Suffer Another: Hiscox,” small businesses estimated their average cost for incidents in the last 12 months to be $34,604. Among large companies (more than 1,000 employees), the annual average cost of cybercrime was $1.05 million, according to the report.
The report highlights three broad areas that SMBs should consider when it comes to cybersecurity: prevent, detect, mitigate.
Ask the experts
For those companies that are looking for insights into how to approach cybersecurity issues for their company’s board, InfoSecurity published an interesting article titled “Ask the Experts: How to Win Cybersecurity Buy-in From the Board.” Executives from Coalfire, London Digital Security Centre (LDSC), and CyDefe Labs offered different perspectives on the topic.
One key element, according to Chris Diogenous, Chief Commercial Officer at the LDSC, is that “Cybersecurity needs to be communicated as a business risk, not an IT issue. By framing it this way, business leaders can understand it far easier. Governance, risk and compliance are processes which board members understand and have used time and time again.”
Recommendations also include realizing that your board may not understand IT and cybersecurity issues, and understanding that boards are designed to develop strategy and provide updates to shareholders, not dive into the details of cyberthreats.
Partner blog posts of interest
- Sword & Shield: Using Root Cause Analysis After a Cybersecurity Incident
- AlienVault: Common Scams
- Splunk: Zero to MOPS: Q&A With Brian Goldfarb and Renaud Bizet (Part 1)
Author: Brian Edwards, News Editor
Brian Edwards is a Vice President at McKenzie Worldwide, a high-technology public relations, social media and brand development agency, and serves as the Cyber Oregon news editor. He has more than 25 years of high-tech public relations, social media and journalism experience.