While countless companies have found themselves in the headlines after being breached over the last decade, there are also many companies we never hear about. Why is that? What makes them so unique that they were never successfully breached before? Is it that they have top of the line security technology? Is it that they don’t have assets that attackers care about? Or is it that they’ve just gotten lucky thus far? None of those common misconceptions are likely the true reason. Here’s a perspective on the reality of the belief that some companies are simply so good that they’ve never been breached before:
They’ve likely been breached, and just don’t know it yet. A 2018 report disclosed that it takes companies an average of 197 days to detect a breach. That’s over half a year in which attackers have likely had access to a company’s network and assets.
In some cases, this kind of activity has remained undetected for several years. Any company that says it has never been breached, regardless of size, likely doesn’t have good security, and most likely has significant visibility problems. There is also probably a misconstrued view of what a breach really means. Remember that technically, a security breach can be something as small as an employee sending a file with customer information to a friend’s email address to get help with an assignment. Data that shouldn’t have left the organization’s control did, which is a form of breach. Alternatively, a breach could be as significant as the mega-breaches we hear about regularly in the news, where sometimes hundreds of millions of records have been exposed. The bottom line is that almost every company, at some point, has had its security breached in some way.
Most companies won’t admit they’ve been breached. As many breaches as you see in the headlines, they are a small subset. We tend only to see the companies that are legally obligated to disclose a breach impacting consumers. Though some may disagree, staying quiet is probably a smart choice when done ethically.
- This happens day in and day out, and companies can avoid having to publicize it if they play their cards right. For example, if an employee loses a laptop holding all of your customers’ data and that data is encrypted and unreadable, you’d be in better shape from a disclosure standpoint than if it was wide open for anyone to view. This means that just because we haven’t seen a report doesn’t mean a breach has never happened. Companies don’t do this to be secretive; it’s merely a part of managing the incident.
- If a company has been breached, you can rest assured more attackers will swarm looking for additional holes in the company’s security, and more attacks will likely happen. We’ve seen that in many cases where the same company underwent a series of attacks back to back (think Anthem Health, for example). When legally permissible, it’s not in the best interest of companies to share this information. Also, there is always a concern for the reputational impact that such an announcement could have.
For some actual data breaches requiring disclosure, it’s not that it didn’t happen – it’s that sometimes companies blatantly try to cover it up. Cover-ups seldom end well – as we saw in the case of Uber. In 2016 the famous ride-sharing company, Uber, experienced a concerning breach of security. The mishap resulted in the exposure of 57 million Uber customer records and cost the company an estimated 148 million dollars. It’s alleged that the company paid the attackers $100k to delete the data and cover up the attack, before eventually admitting to the breach publicly about a year later. Several executives separated from the company in light of the attack, and the company suffered both financial and reputational damage. What’s worse than being breached? Getting caught covering up the breach. Activities like this have led to the continuous evolution and growth of regulatory requirements associated with cybersecurity and the protection of consumer data, as well as hefty fines for non-compliance.
There is a positive side to being breached – what doesn’t kill you only makes you stronger. Every company will have its security breached at some point. The key is not to let the breach kill you, and to make sure you’ve learned its lessons. While many companies haven’t yet seen a mega data breach, attackers break into companies quite often, and smaller incidents can help us amass lessons learned to prevent the risks from evolving into more substantial breaches. Ideally, you’d want to learn these lessons by watching other companies rather than becoming the poster child, but either way – the industry learns and grows as a result of such events.
If you’ve genuinely never endured a significant breach – keep up the good work! Some companies indeed have never suffered a successful data breach in a way that requires public disclosure. These companies are not lucky, but likely diligent. They’ve paid attention to and invested both money and other resources in creating a robust cybersecurity strategy that addresses risk through secure processes, the right people, and the appropriate technology stack. Attacks, however, are continually evolving, and those companies should never get too comfortable.
However, when it comes to insider threats, if you’ve ever had an employee leave your company, then statistics show that some of your data left with them. Without employee monitoring and user behavior analytics software, you have no prior warning of ongoing malicious activity or data theft when employees depart.