The Inmates are Running the Asylum: Why Cyber-criminals are Winning.

I could tell you about the most recent incidents of cyber threats in the news, but with the explosion of cyber threats there would be little value in citing just a couple of cases. The shocking reality is that there have been literally thousands of actual breaches that have NOT been reported to law enforcement in just the past 12 months. Statistically speaking, only about 33% of all breaches are actually reported to law enforcement.

The way I see it, there are really two big questions to ask about these facts. First, “what are the common denominators and what can I possibly do to defend my company or myself against this global cyber-crime epidemic?” The second question is “if only 33% of all breaches are being reported, what’s going on with the other 67%?”

Let’s first examine what’s going on with the 67% of breaches that go unreported, shall we?

A recent study conducted by the US Secret Service concluded that:

  • 48% of breaches were caused by insiders, meaning employees and trusted business partners: If the Secret Service is providing this information, it is clearly drawn from the reported 33%, which, if applied to the unreported breaches, would suggest that a similar percentage holds there as well.
  • 96% of breaches were avoidable through simple or intermediate controls: Now that is a number that should give us all hope. It means that only about 4% of breaches would take very sophisticated controls and a certain measure of professional despair.
  • The average organizational cost of a data breach increased to $7.2 million, and breaches cost companies an average of $214 per compromised record: This is a great fact to use when promoting change within your organization. Keep this number in mind when formulating your Annualized Loss Expectancy, otherwise known as ALE.

I think that the research suggests the following:

  • 67% of security professionals are unqualified for the job? Even across the Internet, as you read this, I can read your mind. Right now you are thinking “baloney, Michael! I’ve got my CISSP, or I’ve got my PhD, so I’m perfectly qualified to lead security for my company.” Well, my friends, I have my driver’s license and yet I still get speeding tickets! Does that mean I’m not qualified to drive a car? Not necessarily. What it probably means is that I am not following a plan to avoid speeding tickets or implementing controls to prevent myself from speeding. The same principle applies to corporate security. The bottom line is that unqualified and untrained security personnel will clearly create poor security programs for their organizations. If they don’t understand the issues, then they can’t determine the most effective ways to secure their organizations.
  • 67% of organizations do not support security? This may be true, but I think that organizations take security seriously when the risks are framed realistically and in perspective with the line of business we are protecting. When we think about what “simple or intermediate controls” really means, it indicates that 67% of us are not applying the fundamentals of security. What does it really cost to conduct an IT security risk assessment? What does it really cost to implement a comprehensive set of realistic and sustainable policies? Just these two activities would eliminate almost all of that 96% of breaches.

I wrote an article a while back called The Death of Privacy in which I suggested that the burden of security and privacy belonged more with the data handlers than with the individual. I know for a fact that a troubling number of the companies I have worked for or consulted with directly, companies that handle your private and sensitive information, are simply not up to the task, and you are one breach away from having your identity, personally identifying information or financial information stolen. At this moment, there are few laws and regulations in the world that would hold these companies accountable to you for their negligence and your compromised identity. Right now, the best decision you can make is to enlist the help of real experts in the fight against identity theft, financial fraud and cyber-crime, which continues to be the number one consumer complaint.