Despite countless warnings, people don’t take cybersecurity recommendations seriously. How about you? Are you among those who change their passwords only when prompted by the system?
Let’s envision the following scenario. You created a password that was uncrackable, or at least you thought so. Indeed, who else could ever think of your dog’s name plus the last two digits of your telephone number with an exclamation mark at the end? You made it super strong: “Luna78!”. But, what the hell? It happened; your account was hacked. After your panic had subsided, you pulled yourself together and started the painful, tedious process of account recovery. Sound familiar? Then you are one of the millions of people who have become victims of a hack.
However, it’s not only you who should care about your data privacy and security; the online companies that hold your data bear a great deal of that responsibility too. With the advancement of technology, cloud servers, and the fast adoption of mobile devices, companies of all sizes increasingly rely on the Internet and cloud computing. Thus, data breaches have become a top concern for everyone.
What boosts the value of the cybersecurity market?
In 2018, the global cybersecurity market was valued at $151.67 billion, almost 50% up from $104 billion in 2017. It is expected to grow further, reaching $240 billion by 2023. To get the bigger picture: in 2011 it was worth only $64 billion. The numbers are rising alarmingly, but what are the reasons for that?
The rising number of data breaches
The year 2018 saw substantial breach activity. It is reported that within one year 67% of global enterprises were attacked, with Aadhaar, Facebook and Exactis among the biggest incidents. According to IBM, in 2018 the global average cost of a data breach was up 6.4%, totaling $3.86 million. The larger the breach, the costlier it is for the company. Moreover, these figures don’t reflect the expenses that come from reputational damage and operational costs.
Aadhaar, the Indian government database containing the identity and biometric information of its citizens, was hacked due to insufficient security of the system. In total, 1.1 billion records were leaked, exposing holders’ names, identity numbers, bank details, phone numbers, addresses, and other personal information.
Social network Facebook saw a massive security breach as well. More than 30 million user accounts were compromised. Among them, 14 million users had their name, contact and other sensitive information revealed; 15 million users had their name and contact information breached; and 1 million users had their access tokens stolen. Furthermore, attackers could easily get access to all the services, apps, or websites where victims had used their Facebook account credentials to log in, such as Instagram, Spotify, Tinder and Airbnb.
Data broker Exactis became the target of one of the major breaches of 2018. A completely unprotected database with 340 million records, located on a publicly accessible server, was leaked. While social security numbers and credit card details were not exposed, the breach revealed highly personal information. The data included phone numbers, email and physical addresses, hobbies and interests, and the age and gender of data subjects’ children.
2019 has already marked itself with one of the biggest data leaks ever: over 770 million login credentials from 2,000+ websites were exposed in January. Security researcher Troy Hunt discovered the massive database, called Collection #1, on the cloud sharing service MEGA. He found that most of the breaches had occurred earlier, some of them dating back to 2008, but 140 million usernames turned out to be newly exposed data.
The GDPR regulations
The EU regulation that took effect in May 2018, known as the General Data Protection Regulation (GDPR), imposes obligations on organizations that collect customer data. What’s new there? The key takeaways are:
- Consumer consent. Companies need to get consumer consent before collecting and processing any personal data. The request for consent should be plain and comprehensible. It should clearly describe how the user’s data will be processed and how long it will be stored. The customer has the right to withdraw their consent, and the company should respond within a reasonable time period.
- Data Protection Impact Assessment (DPIA). A DPIA is a process aimed at identifying the risks of data processing and minimizing them. The DPIA measures help to protect personal data against cybersecurity risks, to plan the implementation of the solutions, and to communicate with the affected users.
- Data Protection Officers (DPO). A large-scale company that processes user data is obliged to hire a DPO. The officer is responsible for educating employees on compliance requirements, performing audits, monitoring, managing, and maintaining security records related to data processing, and similar activities.
- Breach notification. Notify the ICO (Information Commissioner’s Office), NCSC (National Cyber Security Centre), or Action Fraud of the breach no later than 72 hours after becoming aware of it.
In order to comply with the GDPR, businesses spend a lot of money. They improve their data management procedures and aim at enhanced anonymization, which in turn contributes to user protection. According to PwC’s study, 88% of companies worldwide are spending over $1 million on their compliance efforts, and 40% over $10 million.
Vulnerabilities in infrastructure
The major entry points for cybercriminals are poorly protected IoT devices, outdated and unsupported software, central data storage, etc.
IoT devices offer truly innovative capabilities, but they are vulnerable due to the security weaknesses of the network they are connected to. Hackers frequently exploit these vulnerabilities to take full control of the devices and enlist them in IoT botnets used for distributed denial-of-service (DDoS) attacks. Once in control, hackers can use the devices for surveillance, cause physical damage to them, or even put your life at risk. Outdated and unsupported software is a result of negligence that opens up more opportunities for a cybercriminal to carry out malware attacks. Moreover, SQL injection and DDoS attacks can succeed if the central data storage isn’t patched or protected well enough.
To avoid sensitive data exposure, businesses invest in advanced cybersecurity practices like blockchain, cloud solutions, hardware-based password management systems, and more. For instance, financial firms, which are key targets of hackers, increased their spending on cybersecurity solutions by 85% in 2018, with 70% of them being medium-sized businesses.
Phishing, social engineering, malware and ransomware attacks succeed because of the poor personal security practices of individuals: weak passwords, inappropriate authentication methods, and a lack of cyber hygiene awareness. Human error is still a key cause of hacks.
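The SQL injection mentioned above boils down to one coding defect: user input concatenated into a query is parsed as SQL syntax instead of being treated as data. The following is an added example, not code from the original article or any of the companies it names; it uses Python's built-in sqlite3 module with an in-memory table and constructed sample rows (alice, bob) to show the vulnerable lookup next to its parameter-bound fix, and the names `lookup_vulnerable`, `lookup_safe` and `compare` are invented for the illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: whatever the user typed becomes part of the SQL text,
    so a quote character in the input changes the meaning of the statement."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding: the statement text is fixed and the driver passes the
    value separately, so quotes in the input are just characters to compare."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> dict:
    """Run the same input through both lookups and return what each one matched."""
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, username)),
        "safe": sorted(lookup_safe(conn, username)),
    }


if __name__ == "__main__":
    # An honest username behaves the same either way.
    print(compare("alice"))
    # The textbook tautology input turns the concatenated WHERE clause into
    # "username = '' OR '1'='1'", matching every row; the bound version matches none.
    print(compare("' OR '1'='1"))
```

Note that the concatenating version also breaks on perfectly legitimate input such as `O'Brien` (the unbalanced quote is a syntax error), while the bound version simply returns no match; correctness and safety come from the same change.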
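Why does a password like the “Luna78!” from the opening story pass a complexity checklist and still fall quickly? The following is an added example, not code from the original article; it contrasts the naive “length times alphabet size” estimate that checklist rules imply with an estimate that assumes the attacker knows the common recipe of a dictionary word plus a few digits plus a symbol, and it also checks candidates against a constructed stand-in for a breached-password list (the sets `LEAKED_LOWERCASE` and `BASE_WORDS`, the thresholds, and the function names are all assumptions made for the illustration, not real data).

```python
import math
import re

# Constructed sample data (not real leaked data): a few entries standing in for a
# breached-password corpus, and a tiny dictionary of pet names used as base words.
LEAKED_LOWERCASE = {"123456", "password", "qwerty", "letmein", "luna78!"}
BASE_WORDS = {"luna", "rex", "max", "bella", "password"}
SYMBOLS = "!@#$%"

# Shape of the "word + digits + optional symbol" recipe from the story above.
RECIPE = re.compile(r"^(?P<word>[A-Za-z]+)(?P<digits>\d{1,4})(?P<sym>[!@#$%]?)$")


def charset_size(pw: str) -> int:
    """Size of the alphabet a blind brute-force attacker would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def naive_bits(pw: str) -> float:
    """What a complexity-rule checker believes: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def recipe_bits(pw: str) -> float:
    """Guess count if the attacker tries each base word (two capitalisations)
    followed by that many digits and one of the symbols or none."""
    m = RECIPE.match(pw)
    if m and m.group("word").lower() in BASE_WORDS:
        guesses = len(BASE_WORDS) * 2 * 10 ** len(m.group("digits")) * (len(SYMBOLS) + 1)
        return math.log2(guesses)
    return naive_bits(pw)  # no known recipe: fall back to the brute-force figure


def assess(pw: str) -> dict:
    """Return both estimates (in bits) and a verdict; known-breached values are
    rejected outright regardless of how strong they look."""
    if pw.lower() in LEAKED_LOWERCASE:
        return {"verdict": "breached", "naive_bits": naive_bits(pw), "estimated_bits": 0.0}
    bits = recipe_bits(pw)
    verdict = "weak" if bits < 28 else "fair" if bits < 60 else "strong"
    return {"verdict": verdict, "naive_bits": naive_bits(pw), "estimated_bits": bits}


if __name__ == "__main__":
    for candidate in ("Luna78!", "Rex2019!", "correct-horse-battery-staple-42"):
        print(candidate, assess(candidate))
```

“Rex2019!” scores about 52 bits by the naive rule but only about 19 bits once the recipe is assumed, which is the gap between what a user sees as “strong” and what an attacker actually has to search; a long passphrase that matches no recipe keeps its high estimate, and anything already in a breach list is rejected before any scoring happens.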
To minimize risks, businesses spend more money on educating their employees and expanding their staff with cybersecurity professionals. Moreover, the Bureau of Labor Statistics predicts that the demand for Information Security Analysts will see a 28% increase by 2026.
The bottom line
The number of data breaches is shocking, but it is possible to avoid half of them by adhering to cyber hygiene habits and by arming yourself with advanced security solutions. Cybersecurity is in the best interest of individuals, especially those working for large companies with access to sensitive data. It’s always better to prevent the hack than to pick up the pieces after a data breach.
To stay one step ahead of hackers, IT professionals work on methods capable of eliminating cyber attacks. Artificial intelligence, quantum computing, blockchain, the zero-trust approach, and biometric authorization are technologies that are believed to provide the best security solutions in the future. While specialists argue over whether all of these technologies are ready for implementation, companies experiment with them and gradually adopt them.