The frightening reality of the current state of cyber-security is made evident by the seemingly endless reports of major data breaches which continue, unforgivingly, despite year over year, global increases in IT security spending.
How is that possible?
Truthfully, strategy, complexity and motivation are aiding global attackers in their mission to remain at least one step ahead of their often-overwhelmed victims. The glaring question on everyone’s mind should be whether or not the cyber-security efforts implemented today need to be re-examined for overall effectiveness.
With big names like Facebook, Google and Equifax making the list of unfortunate victims of cyber-crime, it becomes clear that what we have been doing for at least the last decade is, quite simply, no longer effective.
Expanding Threat Landscape: Attack Surface
With the global migration of business to the web, the development of new web applications, and a never-ending array of smartphones and mobile devices; almost everything we do generates data. While all of this has the potential to benefit businesses and consumers alike, it also expands the attack surface available for opportunistic hackers; in other words, greater attack surface means a greater number of available avenues, or “attack vectors,” for hackers to succeed in their attack.
Attack Surface refers to the sum of the different points (“attack vectors”) an unauthorized user (“attacker”) can try to extract or enter data from the environment.
Attack Vector is a path or means by which a hacker can gain access to a computer or network server for malicious purposes.
Cost of a Breach
On top of the increased potential for a data breach, based on the continual increase in attack surface, the cost of a breach also continues to climb. In the IBM and Ponemon Institute report 2018 Cost of a Data Breach Study: Global Overview, it was found that the average cost of a data breach is 3.86 million USD, with an average cost per lost record at $148. This data represents a 6.4%, year over year increase.
It is worth noting that this data represents global costs. The United States, Canada and Germany continue to have the highest per capita costs. Canada’s average cost per capita of a data breach is $202, some 36% greater than the average global cost. The average cost of a Canadian data breach is also significantly higher than the average, landing in 3rd place at 4.74 million USD, behind the United States and the Middle East who see an average cost of 7.91 million USD and 5.31 million USD, respectively.
Breach Reporting Law
Unfortunately, with the implementation of breach reporting laws including the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and the European Union’s General Data Protection Regulation (GDPR), it is very likely these costs will continue to increase in 2019. These legislations do a lot of things; however, the most critical aspect, from a consumer’s perspective, is that they will require Canadian companies to alert customers any time their personal information may have been compromised.
Canadian companies, large and small, as of November 1, 2018, are now required to notify the Privacy Commission of Canada any time there has been a “real risk of significant harm” from a security breach. The rules themselves call for strict penalties of up to $100,000 per violation, a value aimed to prevent breaches in the first place. However, it is anticipated that many companies will have problems complying with the new rules, and a large part of this comes down to a lack of awareness.
Protecting Your Organization: Before and After the Breach
Your best security may come from the somewhat unlikely pairing of Ethical Hackers (also known as Penetration Testers) and Insurance Brokers. What do these two have in common you might ask?
On its initial introduction, it was not uncommon for Canadian business to scoff at the idea of purchasing Cyber Insurance. In particular, small and medium enterprise organizations did not see the need or urgency for such coverages. In recent years, for obvious reasons, this notion has begun to shift.
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage, is designed to aid an organization in mitigating their risk exposure by offsetting the costs involved in the recovery after a cyber-related security breach.
What does it Cover?
First party coverage to reimburse an organization for the expenses incurred from the cyber-attack.
Third party liability to protect the insureds in the case of a hack of their data that impacts other, affiliated businesses. (Clients and Customers)
Other coverages may include business interruption, privacy liability, costs of notifying customers, legal expenses, recovering compromised information and repair to damaged computer systems.
What Are Insurance Companies Looking for When Deciding on Coverage and Premium?
First and foremost, an insurance company will want to see that an organization has assessed its risk to cyber-attack, follows best practices and has otherwise enabled adequate security controls to mitigate against cyber-attacks as much as feasibly possible.
While employee education, awareness of phishing campaigns and social engineering should remain at the top of the list, it is well known to experts within the field of cyber-security, that your employees may be your greatest threat.
For the very best in defense, an insurance company will want to see that an organization has assessed its current risk and have adequately determined the organization’s current cyber-security posture, or a cyber risk profile, and subsequently made efforts to address any issues.
That’s where Ethical Hackers or Penetration Testers come in.
Cyber Security Definitions:
A cyber risk profile is a quantitative analysis of the types of cyber threats an organization faces. The goal of a risk profile is to provide a non-subjective understanding of the risk by assigning graded values to variables representing different types of threats and the danger they pose to an organization.
A Vulnerability Scan, or VA Scan, is an inspection performed by various automated software tools that are aimed at potential points of exploit on a computer or network to identify security holes. (Note: VA Scans, alone, are known to be riddled with false positives and negatives. Additional manual testing is ALWAYS recommended for best results.)
A Penetration Test, also known as a Pen Test, is an authorized, simulated attack on a computer system, performed with the goal of evaluating the security of the system. The test is performed to identify vulnerabilities, in order of priority and severity.
Penetration Testers are consultants, often referred to as ‘ethical hackers’ since they are hired to hack into a system, with permission, for the purpose of improving security within an organization.
What are Ethical Hackers/Penetration Testers?
Simply put, Ethical Hackers or Penetration Testers are the experts you call in to run an authorized, simulated attack on a computer system or network in order to evaluate the security posture of the system.
A report from the penetration test will then aid your organization in identifying, in order of severity, the current vulnerability profile of your organization. Unfortunately, as is the case in any industry, not all Penetration Testing companies are created equal.
At Packetlabs, our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often times, firms will try to commoditize security testing through performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.
At Packetlabs, we mandate training and continually learn and adapt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients have been breached by a vulnerability we’ve missed; we take this very seriously.
To date, our clients occupy multiple industries including: government, law enforcement, technology, media, retail, healthcare and financial, consulting and telecom.
Our slogan, Ready for more than a VA scan?® proves our commitment to the industry to provide only expert-level penetration testing. Our team of consultants think outside the box to find weaknesses others overlook, and continuously learn new ways to evade controls in modern networks.
To recap, in order to provide your organization with the best security possible, it is in your organizations best interest to not only seek out cyber insurance, but also, a penetration test.
A Pen Test, performed by a qualified Penetration Testing company such as Packetlabs, will not only drive your insurance premiums down, but will mitigate the overall risk and severity of a data breach.
For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization. Contact us to learn more about how we can help.