The global average cost of a data breach in 2020 was $3.86 million. It took an average of 280 days to identify and contain a breach. And 52% of data breaches were malicious. These are just some of the unnerving statistics to come out of the annual Cost of Data Breach Report 2020 from IBM and the Ponemon Institute, and these statistics are not alone. The Verizon 2020 Data Breach Investigations Report revealed that 70% of breaches were external, 86% were financially motivated and 27% were attributed to ransomware. According to Karien Bornheim, CEO of Footprint Africa Business Solutions, it has become even more critical for companies to invest in security across culture, training, and technology.
“With ransomware showing a steady increase in reach and popularity, it is very clear that people remain the single most important line of defence when securing the organisation,” she adds. “People need to be trained properly and consistently so they know exactly how to identify security threats, and what to do if they suspect they are being targeted by one. If employees cannot tell the difference between a ransomware and phishing email, then your company is at risk.”
The cybercrime business is booming, and the sophistication of attacks is increasing. The phishing email is not always written badly, the spoof website is not that easy to detect anymore, and the ransomware messaging is very cleverly designed. Many of the emails and messages that catch people out use the fear factor – your COVID-19 test results, the latest pandemic statistics, a hack on your bank account. People react before thinking, and that one click triggers a very expensive, and damaging, chain reaction. Train people - ensure they understand how expensive their actions can be and keep on training to make sure the message stays top of mind.
“People are key to the long-term security of your company,” says Bornheim. “It does not matter how expensive or integrated your security system is if an employee simply hands the attacker the keys to the kingdom. Ensure that you keep their behaviours and training at the forefront of your security agenda to ensure that they consistently practice good security hygiene. This is even more important today, with so many employees working from home because the vulnerabilities are increasing exponentially.”
The work from home phenomenon may have been compulsory in 2020, but as the world moves forwards, this may become a permanent part of working life. People may stay at home, may hold onto the freedoms hard-won in the pandemic, and organisations will need to evolve security around this changing work ethic. The problem is that as people moved home, so did cybercrime. The Malwarebytes survey Enduring from home found that the pandemic had had a negative impact on business security because people were completely ignorant of security best practices. It found that 24% of companies had to fork out for unexpected cybersecurity costs, 20% faced a breach because of a remote worker, and 28% confessed to using personal devices for business work.
“The risk of a breach at home used to be a maybe – maybe someone clicked on something or the router didn’t have a password,” says Bornheim. “Now it has to be as secure as the office. The devices have to connect through a secure network that uses a proper encryption key, the security systems have to extend outwards to a geographically dispersed workforce to ensure that protocols and tools are being used correctly, and people have to know not to make silly mistakes.”
The transition to the WFH environment was relatively smooth for most companies, but as the time for speed is replaced with the time for reflection, this is when new security protocols and parameters need to be put in place. First, train people on the external threats so they know what to watch out for, then make sure they understand internal security protocols. The security system is only as good as the least rigorous person using it, so make sure that people know to have strong passwords, use two or three-factor authentication, do not share their credentials with other people, and stick to the general rules of security for the company.
“A data breach is an expensive problem,” concludes Bornheim. “It costs the company money and reputation – it can also cost them with regards to regulatory requirements such as POPIA or GDPR. This makes it absolutely essential to ensure that employees are trained, systems are appropriately adapted, and that the organisation’s WFH security posture is perfect. Security is a lot of boxes to tick, but every, single one can make all the difference.”