The trend lines are concerning and yet utterly predictable. As the use of digital technology has grown, so have the frequency, scope, and cost of data breaches and hacking attacks. It’s a tradeoff we have little choice but to acknowledge by virtue of living in the 21st century.
Technology alone cannot protect businesses, organizations, and government agencies: They also need to adopt cybersecurity governance frameworks in order to reduce their exposure to cyberattacks. But before discussing some of these frameworks, it’s important to take a closer look at the nature of the threats themselves.
Data Breaches and Hacking
According to a recent study by the Identity Theft Resource Center, the number of data breaches in the United States rose from 419 in 2010, with 23 million records stolen, to 1,579 in 2017, with the theft of 179 million records.
The frequency of criminal hacking activity is also astonishing. According to McAfee and the Center for Strategic and International Studies, the FBI and internet service providers have observed a daily average of 80 billion malicious scans; 300,000 new malware samples; 33,000 phishing activities; and 4,000 ransomware attacks.
The consequences of data breaches and cyberattacks can be costly in two ways: financial and reputational. In 2017 alone, the financial cost of cybercrimes was estimated at between $500 billion and $600 billion worldwide. In terms of reputational impact, the Ponemon Institute published a study showing that organizations that suffered a data breach have experienced a 5 percent drop in average stock price the day a breach was announced and a 7 percent loss of customers.
A Challenge for Government
For government institutions, public trust could be severely damaged and the functioning of our democratic society compromised by attacks on our electoral system and other infrastructure.
These threats are also heightened by the rapid diffusion of innovations such as mobile technologies and the internet of things (IoT). With the worldwide number of wireless connected devices projected to grow from 15 billion in 2015 to 75 billion in 2025, we can predict massive growth in potential attack surfaces and attack vectors.
Brand new criminal opportunities have also emerged in recent years. Consider, for example, cryptocurrency, which represents both a new target for cyber criminals, who are stealing millions of dollars’ worth of bitcoin, and an anonymous currency used in the perpetration of extortion schemes such as ransomware. Seasoned as well as novice criminals can easily find free exploit kits and sophisticated malicious programs that can be used to perform illegal hacking, on both the open internet and the Dark Web. In other words, the cost of perpetrating cyberattacks is getting lower every year, and the payoffs will continue to increase because of innovations released with security flaws as well as new technological opportunities.
Reducing Exposure to Cyberattacks
With the ever-increasing cost of countermeasures, the strategy of relying solely on technology to protect organizational assets is not viable. Instead, corporations and government agencies are adopting cybersecurity governance frameworks in order to reduce their exposure to cyberattacks.
Several key frameworks currently dominate the information security industry. These offer a more comprehensive approach to cybersecurity that addresses issues related to people, policy, process, technology, and the physical environment.
Key Cybersecurity Governance Frameworks
The Payment Card Industry Data Security Standard provides a set of security standards to help organizations that accept, process, store, or transmit credit card information maintain a secure environment.
ISO 27001 defines the mandatory requirements for an Information Security Management System. ISO 27002 offers a code of practice: a set of good-practice standards for securing all sorts of information.
The CIS Critical Security Controls provide a set of recommended actions to defend organizations and prevent serious and pervasive attacks.
NIST Framework for Improving Critical Infrastructure Security
The NIST ICIS provides a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors. This framework also helps organizations create their cybersecurity risk profile and prioritize the defensive activities that match their risk tolerance.
However, despite the fact that these cybersecurity governance frameworks are recognized in several industries, many small corporations and local government agencies are still lagging behind. This is concerning because cybersecurity governance frameworks can provide the most vulnerable organizations with an effective and efficient way to tackle cybersecurity risks—both now and into the future.