Why are Data Breaches Increasing?

Contributed by: MNP

Cyber attacks and breaches are increasing with the rapid rate of digital adoption — and becoming more damaging. While companies are spending large sums of money to enhance the security of their digital investments, cyber attacks and breaches continue to succeed. Eighty-five percent of organizations suffered at least one successful cyber attack last year according to CyberEdge Group’s 2023 Cyberthreat Defense Report. What are businesses getting wrong with cyber security, and what needs to change to protect your organization from threats?

You need to reset your cyber security mindset to reduce risks as the digital landscape continues to transform. This will require leaders to prioritize security when adopting new technology, rethink cyber security’s position within your organization, and build security into your business processes. Let’s review the cost of a successful cyber attack, how to transform your organization’s approach to cyber security, and five essential steps you can take to reduce cyber threats.

What is the cost of a successful cyber attack?

According to IBM’s The Cost of a Data Breach 2023 report, the average cost of a data breach is US$4.45 million. However, a cyber breach or data leak causes more than just a financial impact — it also results in reputational damages to your business that may impact its future profitability. Additionally, a successful attack can impact both your consumers and employees in a variety of ways, and these costs are more difficult to fully calculate.

Fifty-one percent of organizations plan to increase security investments in response to a breach. While the typical security budget is predicted to grow by five percent this year, it is not enough to simply increase your security investments to reduce the risk of a cyber attack. It is essential to reset the way you think about cyber security to reduce risks effectively in today’s business landscape.

What needs to change?

A shift in mindset is necessary to bring security to the forefront of your organizational priorities as new threats continue to emerge. These three steps can help leaders adjust their cyber security perspective and strengthen security measures across all levels of an organization:

 

1. Prioritize security during digital transformation

Opportunities for attackers to find a way through your security systems or digital environments is increasing as technology continues to become more integrated and complex. Companies are rapidly adopting new technology to increase efficiency and remain competitive. Few include security as a consideration when implementing new solutions within the organization.

However, it becomes more challenging and costly to strengthen the security measures of these new solutions if security is not considered from the outset. Before your organization implements a new solution, ask yourself the following questions:

  • How secure is this technology?
  • What can we do to make this technology safer?
  • How can we integrate it to ensure it works safely in our environment?

These questions can help your organization identify and mitigate cyber security risks before it becomes a pressing concern. It also helps you save on the cost of strengthening these security measures after the solution has already been implemented.

 

2. Build security into your business processes

It is essential to build security into your business processes and risk management frameworks to reduce risks to your organization. Take the steps to measure and report on cyber security performance — just like any other business function. Measurements may include mean time to detection, response, and recovery. It may also include the arrival time, wait time, and exit rates for vulnerabilities as they appear.

These measurements can help you identify vulnerabilities within your organization, allocate resources, manage risks effectively, and adapt to new threats. It can also help you create a baseline of your cyber security performance and enable you to monitor how it varies over time.

Additionally, report on how effectively your cyber security controls manage threats and the value return of increasing investments within certain areas of your organization. Include management and other stakeholders in the reporting process to help ensure cyber security continues to remain at the forefront of your organizational priorities as the digital landscape continues to change.

 

3. Rethink cyber security’s position in your organization

Businesses rely on digital environments and data to run effectively — and therefore the cyber security function is now distributed evenly across your day-to-day business operations. However, many businesses still rely on a single group within the IT department to manage cyber security issues. This approach is no longer effective in today’s business landscape, and you need to rethink your approach to make cyber security a responsibility of everyone in your company.

Think of cyber security in the same way as you think of finance — where every business function is given a budget to work with and a responsibility to manage and report on how it is spent. Cyber security is similarly embedded throughout your entire business and no longer confined to a single, centralized function.

The traditional approach, where a standalone cyber group is relegated within the IT department, is no longer effective as the digital landscape continues to evolve. Cyber security must become a common responsibility ingrained throughout every area of your business as reliance on technology and digital platforms increases.

How to reduce cyber risks to your organization

It is essential for you to adjust your cyber security mindset and prioritize security across every area of your business to effectively protect against threats. However, transforming your organizational culture takes time, resources, and careful strategic planning to achieve successfully.

These five cyber security measures can help reduce risks while you work to enact organizational change:

 

Maintain an inventory

Develop an inventory that includes both authorized and unauthorized hardware and software. This will provide a broad overview of your entire system — including devices such as cell phones or software such as enterprise resource planning (ERP) platforms. While maintaining an inventory will not stop a data breach from occurring, it will help alert you if any hardware or software inexplicably appears in your system.

 

Limit security configurations

Configure devices or software to only perform its intended function to enhance cyber security within your organization. For example, a server that is intended to act as a web server should only have web server functionality enabled. Watch for features that leave your systems open to an attack when active and turn off any feature that is not required.

New technology often prioritizes functionality, efficiency, or ease-of-use over security and many platforms provide default passwords for an easy out-of-the-box experience. Ensure that you implement processes in your organization to change default passwords immediately.

 

Perform vulnerability assessments and remediation

Software code is complex — and bugs or misconfigurations can introduce security vulnerabilities for an attacker to exploit. Continuous vulnerability scans are now the most comprehensive way to monitor your systems and are being adopted by companies of all sizes to mitigate threats as reliance on technology continues to grow.

Continuous vulnerability scans involve tools running continuous scans across your systems, applications, and cloud environments to provide a near real-time view of your company’s vulnerabilities. Once discovered, these vulnerabilities can often be addressed by software updates or configuration changes. Additionally, it helps your company determine the most critical vulnerabilities to focus on at any given time.

 

Control admin privileges

System administrators have the highest level of access to any system within your organization and it is essential to implement controls to these privileges to reduce organizational risks. For example, your organization may give access to systems when required by providing an on-request account that is used solely when admin-level privileges are needed.

Many breaches today are a result of employee or contractor user accounts being compromised by attackers. Ensuring your company’s user accounts have only the appropriate permissions required will make it more challenging for an attacker to act maliciously. Additionally, this approach will help protect against threats such as phishing attacks by limiting what an attacker can do if an employee inadvertently falls for a phishing email or message.

 

Invest in employee training

Your employees play a key role in the success of your organization — and may often work with sensitive data and information. Investing in an employee training program to educate them on how to keep data safe can help make your employees the best defense against cyber attacks.

Implementing an educational program does not need to take significant resources or budget to support your organization in shifting its mindset to encourage employees to report potential breaches or cyber risks without the fear of reprisal.

MNP is the exclusive referral partner of CDSPI for personal and business accounting and tax services to address the unique needs of CDSPI clients. This article is provided by MNP for informational and educational purposes only as of the date of writing. This information should not be considered investment, tax or legal professional advice. For specific advice about your situation, please consult a tax, accounting, legal or financial professional. The information contained herein has been drawn from sources believed to be reliable but is not guaranteed to be accurate or complete. CDSPI, CDSPI Advisory Services Inc., MNP and our affiliates are not liable for any errors or omissions in the information, analysis or views contained in this article, or for any loss or damage suffered.