As we embrace a new year, we want to bring our "A" game when it comes to earning a reputation as a company that customers can trust with their personally identifiable information (PII). Every day we read another headline about a new breach or some other cyberattack, whether it is another local government dealing with ransomware or someone's PII being exposed, usernames and passwords leaked, or worse. Consumers are becoming more skeptical about handing over PII, and for good reason.
Data breaches continue to increase year after year, but one interesting change for 2019 is that there were no data breaches on quite the scale of Equifax or Target in previous years. Larger corporations may have wised up, finally tightened their security, and adopted a well-rounded cybersecurity plan to prevent such an attack.
Ransomware has been hot this past year. More than 70 state and local governments across the U.S. were hit by ransomware attacks in 2019. Atlanta was one of the few to pay the $2.6 million to restore its systems rather than pay the $52,000 ransom. Many have purchased cybersecurity insurance and can pay a deductible and come out spending even less in such an event. However, this upfront savings is costing everyone down the road. The attackers are on to this and know that entities are paying up, so both the ransom amounts and the number of attacks continue to increase. If we continue down this path, I fear what is in store for 2020.
GDPR fines are really hitting businesses, and they can be very steep. Facebook is facing over $2 billion in fines, and the fine for the British Airways breach from 2019 is $230 million. Putting out the fire in the press is an entirely different ballgame with its own associated costs. The British Airways breach involved a third-party JavaScript service on the company's website that became infected. So, the lesson learned is that a data breach caused by a third party can have significant impacts. Third-party risks are potentially the most challenging because it can be hard to get full transparency into a vendor. Think carefully about what you are doing to ensure your third-party vendors are vetted and use the same level of security controls as your company. Require these vendors to go through tests and audits to check their security behaviors.
Phishing remains the largest attack vector. According to Verizon's 2019 Data Breach Report, 32% of data breaches involve phishing. This supports the idea that attackers will go for the lowest-hanging fruit. Getting one employee to click on a malicious link is all it takes. The solution is simple: phish and train your employees so they learn to recognize such attacks.
Malvertising may not have been huge in 2019, but expect it to increase in 2020 as the election campaigns start hitting hard. Besides ads feeding false information to voters, election ads may carry malicious payloads that deliver malware. Be vigilant about which sites you trust and what you click on.
In the blink of an eye, 2019 will be past and we will be starting a fresh new year. Let's use this opportunity to really embrace security awareness training, phishing exercises, and penetration testing to probe both our own weak spots and those of the vendors we contract with. Our business reputation is everything, and people are losing trust in companies faster than ever when they read in the news about their information being breached. Be the company customers can trust with their information.