
Cybersecurity has never been more important than it is today. Not only is our information more at risk, but so is our privacy, and even our personal safety. Complexity and distraction have contributed to us “taking our eye” off the ball, and there’s no better time than now to act.

What is cybersecurity?

This is a confusing word for some people. Even cybersecurity experts have different explanations of what cybersecurity is. Our definition:
Cybersecurity is managing the risk of unauthorized disclosure, modification, and destruction of information through technical means.

The key is managing risk, not eliminating risk. Eliminating risk would require us to eliminate all our information and the electronics we leverage to create, transfer, access, and use it. No more laptops, no iPads, no mobile devices, no Internet, and no data. Obviously, this isn’t feasible, and neither is eliminating risk.


Managing risk means we need to live with the fact that bad things can and will happen; therefore, detecting bad things early and having a prudent response are also important.

Why is cybersecurity more important than ever?

The simple answer is bad things are happening more often and the results are more impactful. We were riding a dangerous trend of increased incidents (ransomware, data breaches, etc.) prior to 2020:

  • Over the past 10 years, there were 300 data breaches involving the theft of 100,000 or more records.
  • There were 1,244 data breaches in 2018 and 446.5 million records were exposed.
  • There were 4.1 billion records exposed in the first six months of 2019 alone.
  • At the beginning of 2019, the World Economic Forum named cyber-attacks as one of the top five risks to global stability.

2020 has certainly been a year like no other, and things haven’t gotten better. The final numbers aren’t in for this year’s cybersecurity incidents, but we inherently know things have gotten worse. There are two primary reasons for higher risk in 2020: complexity and distraction.

Complexity is the greatest enemy of cybersecurity. Most business and home technology environments have gotten too complex to secure properly. Businesses and people struggle to know what things they’re securing, let alone how to secure them. At home the problem is getting worse with each new technology we add. In our lust for new technology and features, we’ve failed to slow down and think about the cybersecurity consequences of our choices. Technology complexity continues to explode with “smart” homes (Alexa, Google Home, Ring, etc.), “smart” cars, interconnected medical devices, and our 275 million “smart” phones.

In terms of impact, our lives have become so interconnected that we can no longer separate cybersecurity from privacy or physical safety.

2020 has been a debacle. We’ve never been more distracted. There are so many significant things going on, that many of us have taken our eye off the cybersecurity ball. COVID-19 flipped our world on its head. Offices closed, leading to an explosion of work-from-home. Schools closed, leading to an explosion in remote learning. Couple these events with health concerns, economic concerns, general uncertainty, and it’s understandable that cybersecurity becomes an afterthought.

If COVID-19 wasn’t a significant enough distraction, 2020 also brought real social justice issues, civil unrest, the presidential election, and disinformation campaigns that bombard our inboxes and social media feeds.

Complexity and life’s distractions in 2020 have made our digital lives a perfect attacker’s playground.

Why are cybercrimes on the rise? How did they evolve over time?

Cybercrimes are on the rise because the opportunities we give attackers are extensive and the return on the attacker’s investment has never been higher. It’s the perfect recipe for their success at our expense.


We continue to increase opportunities for attackers through our incessant need for more technology, while at the same time, we’re distracted by life’s events. These things combine to make attacks easier and more successful, leading to increased profit and return for an attacker. The cycle repeats itself when attackers re-invest their profits into better and more frequent attacks.

In previous decades, attacks were less nefarious, and it wasn’t uncommon for an attacker to be motivated by bragging rights or showing off. Those days are long gone, and criminals are organized much like legitimate businesses. Businesses are in business to make money, and so are most attackers. 71% of all data breaches are financially motivated and 25% are motivated by espionage.

The attackers we should all be most concerned about are the ones who are motivated by money and power; these are often organized crime rings and nation-state attackers such as China, Russia, and Iran.

What is the impact of a cybercrime to your organization, team, and/or self?

The impact of cybercrime depends upon several factors: the nature of the incident, your ability to detect and respond to the incident, the intent of the attacker, and the attacker’s ability or skill to carry out their intent. The impact can range from a simple nuisance to bankruptcy, and in rare cases even death.

For small to mid-sized organizations (250-449 employees), the downtime from a data breach varies:

  • 43% reported 0-4 hours of downtime
  • 45% reported 5-16 hours of downtime
  • 12% reported 17-48 hours of downtime

Sadly, 56% of Americans don’t know what steps to take in the event of a data breach (including American businesses), an estimated 60% of small to mid-sized businesses fail within 12 months of experiencing a data breach, and in 2020 we read about the first (known) death related to ransomware.

The impact of cybercrime varies from low to severe. How low or how severe should not be left to chance because you can (and must) take steps to reduce your risk.

What can you do to protect your organization, your team, and yourself?

The most important thing for all of us is to understand and apply basic cybersecurity principles. The most basic principle starts with risk management. Cybersecurity is risk management. In order to manage risk, you and I must understand (assess) it. Find a good, fundamental risk assessment, and do it. You’ll need to assess risk personally (at home), in your third-party/vendor relationships (the people you share information with), and within your organization.

How can SecurityStudio help?

SecurityStudio is dedicated to our mission of fixing the broken cybersecurity industry by helping people with simple, inexpensive (even free), and effective information security risk management tools.

  • Organization risk management starts with the S2Org tool, used by thousands of organizations of all sizes across all industries.
  • Third-party/vendor risk management starts with our S2Vendor tool; integrated, organized, and automated (without taking shortcuts).
  • Personal risk management (at home) starts with our S2Me tool; 100% free and simplified for everyday people.
  • Work at home risk management starts with our S2Team tool; the most cost-effective insight into employees’ real information security habits.

If complexity is the worst enemy and if cybersecurity is risk management, then we all need simple and affordable risk management tools for everyone to build the best defense, detection, and response capabilities possible.

SecurityStudio is here to help, always dedicated to #MissionBeforeMoney.

Estimate your score or book free demo today

S2SCORE is a comprehensive assessment that measures your organization’s information security risk. It was created because of a recognized need in the information security industry for a common language people could use to be on the same page about security. Built on the widely understood credit score scale, S2SCORE measures four different types of controls and gives you a score that serves as a litmus test and a starting point for improvements. Every organization should have an S2SCORE, and here is why.

1. S2SCORE is easy to understand.

Information security is a complex discipline with many moving parts, but S2SCORE simplifies the communication about how your information security program is performing. You don’t need to be an information security expert with years of experience to understand what S2SCORE is telling you. One simple number represents your overall risk, and additional indicators show where your most significant risks are.

2. S2SCORE can tell you what everyone else is doing.

Hundreds of organizations have received their S2SCORE, and this allows for good, fact-based comparisons. One of the common questions we receive about information security is, “What is everybody else doing?” This question comes from the responsibility for due care/due diligence, liability, and knowing that there’s “protection in the herd.”

3. With an S2SCORE, you can track progress.

S2SCORE is a point of reference that should be used to track progress and to determine whether risk is maintained within your tolerance. Your information security program and risks are always getting better or worse; they never stay the same. Questions about progress, regular reporting, and support for maintaining your information security program are all answered through the S2SCORE.


The average S2SCORE is 567.72. An “acceptable” level of security is 660.

4. S2SCORE is objective.

S2SCORE is maintained by an independent organization that doesn’t do consulting work and whose only purpose is to provide accurate measurements of information security risk. In addition to organizational objectivity, the score itself is objective. S2SCORE is calculated through the measurement of thousands of objective characteristics that take much of the guesswork and opinion out of the equation.

5. S2SCORE is credible.

S2SCORE was developed over the course of more than 15 years through the work of seasoned information security practitioners and is now on its fifth major release. S2SCORE is based on generally well-accepted information security standards. The criteria for measurement are all referenceable to the NIST Cybersecurity Framework (CSF), and its supporting standards: NIST SP 800-53, COBIT, ISO 27001:2013, and CIS CSC.

6. S2SCORE represents risk.

Risk is the combination of vulnerabilities and applicable threats that manifest themselves into the likelihood of something bad happening and the impact if it did. If there is no vulnerability (or weakness) in a control, there is no risk. If there is a vulnerability in a control without an applicable threat, there is also no risk. S2SCORE represents the analysis of hundreds of controls, thousands of vulnerabilities and thousands of threats, resulting in likelihoods and impacts of bad events.

7. S2SCORE is comprehensive.

Fundamental to S2SCORE is our definition of information security: The application of administrative, physical, and technical controls to protect the confidentiality, integrity and availability of information. There are four phases within S2SCORE:

  • Phase 1 – Administrative Controls
  • Phase 2 – Physical Controls
  • Phase 3 – Internal Technical Controls
  • Phase 4 – External Technical Controls

All four parts of the information security program must work well together. A weakness in one control can lead to a collapse of all others. The phases are further segmented into sections, and the sections are further segmented into controls. The final S2SCORE report presents a high-level summary first and then digs deep into the details.

8. There is fast-growing community support for S2SCORE.

The partner community behind S2SCORE is critical to its success. Partners work to generate S2SCOREs for their clients, but the partner community is also vital to future improvements and considerations. The partner community participates in further improvements of the methodology, shares critical information, and evangelizes the need for a common information security language (provided by S2SCORE). Our partners include IT service companies, CPA firms, insurance brokers, and security consulting companies.

9. S2SCORE is an indicator of future losses.

As S2SCORE continues to evolve, we get closer to understanding the true losses behind information security incidents and breaches. S2SCORE provides the framework for predicting future information security losses accurately, using the best information available. Today S2SCORE is tied to research conducted by the Ponemon Institute for loss data.

10. S2SCORE is a competitive advantage.

Information security as a competitive advantage? Yes, absolutely! S2SCORE is a representation of the efforts you’ve put into information security and it’s a demonstration that you know where your most significant information security risks are. Armed with this information, you can make an objective case to your customers that you take information security seriously, backed by experienced information security experts, a community of partners, and a clean methodology. Don’t forget the fact that you can now invest your information security dollars where they will have the greatest benefit.
