Security News Survey – January 11, 2019

A look at the real-world costs of breaches, the shutdown’s impact on cybersecurity, and the ever-looming cybersecurity skills gap.


On average, data breaches cost around US$3.62 million, but we’ve seen the scale vary substantially from “You got lucky, friend” to “Get ready to file Chapter 11.” Why do these costs vary so much? Well, in short, costs vary because breaches vary. According to Forrester’s Estimate Breach Impact And Costs To Drive Investments report, you can expect costs to be dependent on a variety of factors, including response and notification, productivity and staff loss, legal action, regulatory fines, customer loss, and more. In last week’s survey, we mentioned the downstream costs of data breaches for hospitals in particular, where these organizations spend 64 percent more on advertising post-breach.

This week, the numbers are adding up again.

Settling the Data Breach Debt

On Tuesday, Dallas-based retailer Neiman Marcus, which disclosed a massive data breach in 2014, agreed to a US$1.5 million settlement with the Texas Attorney General. The breach impacted credit card info of around 370,000 shoppers over a three-month period in 2013. A fair share of those cards was used for fraud following the breach.

International hotel chain Marriott is also already facing steep consequences following a breach that impacted the personal information (including passport numbers) of hundreds of millions of Starwood customers. This week, Forbes did the math and estimated that the company could lose US$8.8 billion as a result of sanctions imposed by the E.U., should the investigation find that Marriott did not uphold information rights.

U.S. Cybersecurity May be Impacted by the Government Shutdown

On another pricey note, the U.S. government shutdown is about to enter its fourth week, and the costs of inactivity are adding up — particularly for the new Cybersecurity and Infrastructure Security Agency (CISA). Almost half of the agency’s employees are furloughed, and experts are warning that hackers could capitalize on the security gaps that the shutdown is leaving. The agency is focusing on maintaining basic security programs (like network monitoring), but resources are dangerously low and could lead to delays in identifying threats and a slowdown in information-sharing between public and private sectors. No doubt, this could be an opportune time for cybercriminals to try to compromise vulnerable infrastructure.

Even if the shutdown is resolved and resources are back at full capacity, the shutdown episode isn’t doing CISA any favors in terms of building its case to rectify low recruitment figures.

Cybersecurity Skills Gap: It’s Still Here

CISA isn’t the only organization struggling with cybersecurity talent. Enterprise Strategy Group (ESG)’s annual end-of-year IT report revealed that 53 percent of organizations are still experiencing a cybersecurity skills shortage. That figure is up by 2 percent from last year and up by 8 percent from 2016. Jon Oltsik, ESG Principal Analyst, believes three things can help resolve the situation: 1) committed federal leadership that provides scholarship funding, awareness campaigns, etc., 2) a closer partnership between the tech industry and the federal government, and 3) more collaboration between tech companies themselves. Essentially, Oltsik suggests that what we need is everyone on board, and we agree. Stephan Jou, Interset’s CTO, has always stressed that the bad guys seem to be better at collaborating than the good guys. The time for commitment and teamwork is now.

Of course, the skills gap can’t be fixed overnight, but the right technology and right vendor partners can make a difference in alleviating expertise shortages in your organization. For example, AI and automation can help streamline your threat detection and deliver vital data science expertise without having to hire in-house (learn more about how Interset does this).