Dark Reading’s recent article on cybersecurity highlights an in-depth ThoughtLab study of 1,200 organizations worldwide across 14 industries, revealing that cybersecurity is at a major turning point. Security executives within the study expect an increase in cyberattacks over the next two years, with bad actors capitalizing on valuable (and vulnerable) data.
The report highlights eight alarming trends that are increasing in risk, complexity, and cost across the cybersecurity landscape, expanding from what once was considered an IT issue into a “core area of business risk and performance management, requiring the vigilant attention of senior executives and the board of directors.” (page 12)
Cyber thieves are taking ransomware and phishing tactics to new heights to monetize and exploit sensitive data.
“Criminal groups and nation-states are upping their game, using more advanced phishing and ransomware attacks to profit from human error. The head of information security and compliance at a US educational services company summed it up: ‘Ransomware and social engineering are easy, cheap, and make money – a low cost of entry for a big payout.’” (page 17)
Ransomware is expected to see the largest jump over the next two years, rising from a main cause of breaches for 32% of organizations today to 40% in the future. Government entities and healthcare organizations are often the main targets for ransomware attacks. Interviewed CISOs of university health systems cited ransomware as their number one external threat. As the attacks become more frequent, targeted, and sophisticated, they impact patient safety as well as patient data. (page 17)
The digitalization of payments has contributed to the growth of cyberattacks. The Identity Theft Resource Center (ITRC) H1 2023 Data Breach Report revealed that the number of U.S. data compromises in the first half of 2023 alone already exceeds the total for every full year between 2005 and 2020, except 2017.
While healthcare organizations had the most data compromises in the six-month period (379 compromises), other industries are being hit hard. Financial services reported 241 compromises, double the figure reported for the same period in the ITRC’s 2022 report.
Of the compromises reported in the first half of 2023, external threat actors accounted for 66%, and personal information, the most sought-after data type, was involved in 74%.
CISO Role is Expanding
As the digital world expands, cyberattacks will continue to be a massive risk for organizations. ThoughtLab’s report emphasizes that cybersecurity is central to today’s digital business. While the C-suite as a whole is charged with working together to mitigate risks and meet stakeholder expectations, the CISO’s role in particular is expanding.
“With physical and digital worlds melding, technology advancing, and cyber risks, vulnerabilities, and regulations multiplying, CISOs must take on a wider remit that spans functions across the enterprise.
This requires a more holistic cybersecurity approach and a broader CISO mandate for greater oversight. CISOs are also doing more to reduce fraud, manage vendor and supply chain risk, and ensure resilience and business continuity.”
As Dark Reading states, cyberattacks are a war we’ll never win, but we can defend ourselves. Bluefin’s CISO, Brent Johnson, believes that devaluing valuable data is key to a strong cybersecurity defense.
“Unfortunately, 2023 has the potential to be the worst year on record for businesses and ransomware attacks, largely due to an increase in supply chain attacks, coupled with new responsible groups emerging and wreaking havoc. Industry experts are also noting a shift in focus from traditional ransomware and drive encryption, evolving now more in favor of ransomware extortion, with threat actors seemingly learning that stealing and threatening disclosure of sensitive information is a more lucrative enterprise. Now more than ever, businesses must ensure that PCI-validated point-to-point encryption (P2PE) and/or tokenization of sensitive information in transit and at rest is an essential element of their overall security strategy. It’s difficult to extort on data with no value.” – Brent Johnson
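To make the “data with no value” point concrete, here is an added illustration of vault-style tokenization at rest. It is example code written for this post, not Bluefin’s implementation and not a PCI-validated P2PE or tokenization product. The vault class, the helper names, and the sample order record are all constructed for the demonstration; the card number is the well-known “4111…” test number, not real cardholder data. The example stores the same order twice, once with the raw PAN and once with a token, and then models what an attacker who dumps each datastore would actually get.

```python
# Illustrative vault-style tokenization (added example; not Bluefin's code and
# not a PCI-validated product). Names and sample data are constructed.
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place a token can be turned back into a PAN.

    In a real deployment this sits in a separately secured, tightly
    access-controlled environment; the merchant's own systems keep tokens only.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:      # same card always maps to the same token
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits (for receipts/lookups), randomise the rest,
            # and reject any candidate that passes Luhn so a token can never be
            # mistaken for, or used as, a real card number.
            candidate = "".join(
                str(secrets.randbelow(10)) for _ in range(len(pan) - 4)
            ) + pan[-4:]
            if candidate not in self._pan_by_token and not luhn_valid(candidate):
                break
        self._pan_by_token[candidate] = pan
        self._token_by_pan[pan] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        """Only callers with access to the vault can recover the PAN."""
        return self._pan_by_token[token]


def exposed_pans(records: list[dict]) -> list[str]:
    """Crude model of what an attacker who dumps a datastore actually gets:
    every stored value that looks like a live PAN (13-19 digits, Luhn-valid)."""
    found = []
    for rec in records:
        for value in rec.values():
            if isinstance(value, str) and 13 <= len(value) <= 19 and luhn_valid(value):
                found.append(value)
    return found


def demo() -> tuple[int, int]:
    """Store one constructed order twice: with the raw PAN, and with a token.
    Returns (PANs exposed from the plaintext store, PANs exposed from the tokenized store)."""
    vault = TokenVault()
    pan = "4111111111111111"                          # constructed test number
    plaintext_db = [{"order": "A-1001", "card": pan}]
    tokenized_db = [{"order": "A-1001", "card": vault.tokenize(pan)}]
    return len(exposed_pans(plaintext_db)), len(exposed_pans(tokenized_db))


if __name__ == "__main__":
    print("PANs exposed by a dump: plaintext=%d, tokenized=%d" % demo())
```

The design choice worth noting is that the token is deliberately generated to fail the Luhn check: a stolen token is useless for a purchase and cannot be confused with a PAN by downstream systems, while the preserved last four digits still support receipts and customer lookups. The mapping back to the real number exists only in the vault, so the merchant’s order database is exactly the kind of dataset that is hard to extort on.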
For more on devaluing data with P2PE, check out Bluefin’s white paper.