It’s an understatement to say that 2018 was a year of blockbuster data breaches: Facebook, Marriott, Ticketmaster and British Airways, to name just a few. As mega-breaches have become the norm, the clamor can no longer be ignored; the true state of the threat (immense) and of companies’ preparedness (inconsistent, at best) is sinking in.
Thus, a couple of weeks from now we’ll ring in 2019, the Year of Cyber Insecurity: 52 weeks in which companies of all sizes and industries will experience a new level of fear – and in some cases panic – in realizing their vulnerability to data breaches, hacking and other cybercrimes.
The good news is that 2019 will also provide a tipping point: these same organizations will be shocked into taking a more clear-eyed assessment of their cyber security posture, and strong actions to improve their cyber defenses. Here are three ways they’ll work to cure their cyber insecurity.
Get a Reality Check, Continuously
It starts with increased awareness. Last year I predicted there would be huge uptake in cyber risk assessment tools like the FICO® Cyber Risk Score. That became particularly true when FICO and the U.S. Chamber of Commerce announced the first national cybersecurity assessment, called the Assessment of Business Cybersecurity (ABC). The ABC provides an overall metric for the private sector economy, as well as other comparison points for organizations by size and sector. The U.S. Chamber noted:
- The ABC is based on scoring more than 2,500 U.S. companies using the FICO® Cyber Risk Score, an empirical standard for assessing cybersecurity risk
- The U.S. Chamber and FICO are using the ABC to raise awareness of cybersecurity risk levels, and to provide an ongoing benchmark for tracking trends in cyber threats and encouraging improvement in organizational cyber posture
By getting a free Cyber Risk Score subscription and tracking their individual score against the quarterly ABC, organizations in the U.S. can, for the first time, get an empirical reality check on the efficacy of their cyber defenses, and receive clear direction on the areas to improve. That’s the best way to deal with cyber insecurity.
Just Say “No” to Biometrics
I’ve long thought that securing services through biometric credentials is, at best, a flawed notion. I still do.
In my predictions blog for 2017 I wrote, “Biometric security data may become the biggest security vulnerability of all.” My 2018 predictions blog forecast, “We’ll See Our First Biometrics Hack in 2018.” We did: India’s Aadhaar identity database was compromised on a massive scale in 2018, with tragic consequences for some of the people affected.
While I expect that the growth in the application of biometric authentication schemes will continue, I also expect the most forward-thinking companies to start re-thinking their investments in biometrics. Why? Again, I’ll refer to the predictions blog I wrote last year:
Biometrics are nothing more than the stored digital interpretation of a biological feature, which is then associated with your account credentials. Those digital files can be spoofed, stolen or simply rearranged to point to a digital identity other than your own.
Biometrics are neither fool-proof nor fraud-proof. And when someone replaces the digital interpretation of your retina with their own, and does a sufficient job covering their tracks, good luck proving that you are really you! The honeymoon of confidence in biometrics is undeserved, and it won’t last.
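To make the “rearranged to point to a digital identity other than your own” case concrete, here is a small added example written for this page (it is not FICO’s code and not the author’s). It models a template store two ways: a naive map from user to template, and one where each record carries an HMAC over the user name and template under a server-side key. An attacker with write access to the store swaps their own template into the victim’s record; the naive store then authenticates the attacker as the victim, while the bound store detects the altered record and fails closed. Everything here is constructed for illustration: the 32-byte templates, the Hamming-distance matcher, `THRESHOLD` and `SERVER_KEY` are assumptions, not the format or matching logic of any real biometric product.

```python
"""Template-swap attack on a biometric store, with and without integrity binding.

Templates are constructed 32-byte strings standing in for real feature vectors.
Matching is modelled as a Hamming-distance threshold, since real matchers are
fuzzy rather than exact-equality comparisons.
"""
import hashlib
import hmac
import secrets

THRESHOLD = 10  # assumed demo value: max differing bits still counted as a match

# Hypothetical server-side secret. In a real deployment it would live in an HSM/KMS,
# never in the same database as the templates.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample templates: every byte of ATTACKER is the bitwise complement of
# VICTIM's, so the two differ in all 256 bits and can never match each other.
VICTIM_TEMPLATE = bytes(range(32))
ATTACKER_TEMPLATE = bytes(255 - i for i in range(32))


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def noisy_scan(template: bytes, flips: int) -> bytes:
    """Simulate a fresh live scan of the same person with `flips` bits of sensor noise."""
    out = bytearray(template)
    for i in range(flips):
        out[i] ^= 0x01
    return bytes(out)


def matches(stored: bytes, presented: bytes) -> bool:
    return hamming(stored, presented) <= THRESHOLD


# --- Naive store: user -> template. Nothing ties the template to the account. ---
def enroll_naive(db: dict, user: str, template: bytes) -> None:
    db[user] = template


def verify_naive(db: dict, user: str, presented: bytes) -> bool:
    return matches(db[user], presented)


# --- Bound store: user -> (template, HMAC over user || template). ---
def _tag(user: str, template: bytes) -> bytes:
    return hmac.new(SERVER_KEY, user.encode() + b"\x00" + template, hashlib.sha256).digest()


def enroll_bound(db: dict, user: str, template: bytes) -> None:
    db[user] = (template, _tag(user, template))


def verify_bound(db: dict, user: str, presented: bytes) -> bool:
    template, tag = db[user]
    if not hmac.compare_digest(tag, _tag(user, template)):
        return False  # record altered or moved between accounts: fail closed
    return matches(template, presented)


def swap_template(db: dict, user: str, new_template: bytes) -> None:
    """Attacker with write access to the store (a dump, a stolen backup, an insider)
    overwrites the victim's template with their own. Without SERVER_KEY they cannot
    compute a valid tag, so in the bound store the old tag is left in place."""
    entry = db[user]
    db[user] = (new_template, entry[1]) if isinstance(entry, tuple) else new_template


def run_demo() -> dict:
    """Enroll the victim in both stores, run the swap, and report who authenticates."""
    naive, bound = {}, {}
    enroll_naive(naive, "alice", VICTIM_TEMPLATE)
    enroll_bound(bound, "alice", VICTIM_TEMPLATE)
    live_alice = noisy_scan(VICTIM_TEMPLATE, 5)  # 5 noisy bits, within THRESHOLD

    results = {
        "naive_alice_before": verify_naive(naive, "alice", live_alice),
        "bound_alice_before": verify_bound(bound, "alice", live_alice),
    }
    swap_template(naive, "alice", ATTACKER_TEMPLATE)
    swap_template(bound, "alice", ATTACKER_TEMPLATE)
    results.update({
        "naive_attacker_after": verify_naive(naive, "alice", ATTACKER_TEMPLATE),
        "naive_alice_after": verify_naive(naive, "alice", live_alice),
        "bound_attacker_after": verify_bound(bound, "alice", ATTACKER_TEMPLATE),
        "bound_alice_after": verify_bound(bound, "alice", live_alice),
    })
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Two things are worth noticing. In the naive store the swap is a complete account takeover: the attacker’s live scan matches and the real owner’s no longer does, with nothing in the record to show it was changed. The HMAC binding turns that silent takeover into a detectable integrity failure, but it only locks the account (the legitimate owner is also refused) and does nothing about the template being stolen in the first place, which is exactly the “stolen” half of the risk the paragraph above describes.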
Improve Cyber Hygiene
It’s a well-publicized fact that internal errors are a major factor in data breaches. In some industries, they are the biggest. The 2018 Verizon Data Breach Investigations Report said that internal actors are responsible for 56% of breaches in the healthcare vertical. The report also said that errors cause 35% of healthcare data breaches: “Errors (i.e. mistakes) caused more data breaches in healthcare than any other type of action. Examples of errors include misdelivery, misconfiguration, and disposal errors. Healthcare also had more than three times more data breaches attributed to errors than any other vertical.”
That damning finding comes with a caveat: “…as with the public sector, this comparison is likely skewed by Verizon’s sources for data breach information and also the stringent reporting requirements of industry regulations.”
At the end of the day, cyber security is really a people problem. We make mistakes, we fail to follow policies, we overcommit resources, understaff projects, and we sometimes put people into jobs they are not ready for. In our research around cyber risk quantification, FICO has learned conclusively that the most predictive features in modeling future cyber outcomes are behavioral (how an organization runs its network over time) rather than conditional (which specific vulnerabilities happen to be present at a point in time).
In other words, how, and how well, you manage your network is more strongly correlated with breach outcomes than the presence of any particular vulnerability. My point is that companies need to focus at least as much on training, awareness, policy, and policy adherence as they do on technology and infrastructure. That’s a great New Year’s resolution for everyone.
Best wishes for a cyber-safe 2019, and a cure for your cyber insecurity. Follow me on Twitter @dougclare to keep up with FICO’s latest cyber developments. Cheers!
While you’re here, why not check out our other prediction pieces for 2019:
- Government Predictions 2019: Automate, Enhance and Secure
- Analytics Predictions 2019: Machine Learning & Data Efficiency
- Consumer Banking Predictions 2019: Four Trends to Watch
- Public Policy Predictions 2019: Regulatory Reforms Ahead
- Fraud & Payments Predictions 2019: Go Cashless – with Care
- Collections Predictions 2019: SOP Won’t Cut It
- Analytics Predictions 2019: Innovations for Ethical AI