Global adoption of data and privacy programs still maturing

The importance of privacy and data protection is a critical issue for organizations as it transcends beyond legal departments to the forefront of an organization’s strategic priorities.

adoption privacy programs

A FairWarning research, based on survey results from more than 550 global privacy and data protection, IT, and compliance professionals outlines the characteristics and behaviors of advanced privacy and data protection teams.

By examining the trends of privacy adoption and maturity across industries, the research uncovers adjustments that security and privacy leaders need to make to better protect their organization’s data.

The prevalence of data and privacy attacks

Insights from the research reinforce the importance of privacy and data protection as 67% of responding organizations documented at least one privacy incident within the past three years, and over 24% of those experienced 30 or more.

Additionally, 50% of all respondents reported at least one data breach in the last three years, with 10% reporting 30 or more.

Overall immaturity of privacy programs

Despite increased regulations, breaches and privacy incidents, organizations have not rapidly accelerated the advancement of their privacy programs as 44% responded they are in the early stages of adoption and 28% are in middle stages.

Healthcare and software rise to the top

Despite an overall lack of maturity across industries, healthcare and software organizations reflect more maturity in their privacy programs, as compared to insurance, banking, government, consulting services, education institutions and academia.

Harnessing the power of data and privacy programs

Respondents understand the significant benefits of a mature privacy program as organizations experience greater gains across every area measured including: increased employee privacy awareness, mitigating data breaches, greater consumer trust, reduced privacy complaints, quality and innovation, competitive advantage, and operational efficiency.

Of note, more mature companies believe they experience the largest gain in reducing privacy complaints (30.3% higher than early stage respondents).

Attributes and habits of mature privacy and data protection programs

Companies with more mature privacy programs are more likely to have C-Suite privacy and security roles within their organization than those in the mid- to early-stages of privacy program development.

Additionally, 88.2% of advanced stage organizations know where most or all of their personally identifiable information/personal health information is located, compared to 69.5% of early stage respondents.

Importance of automated tools to monitor user activity

Insights reveal a clear distinction between the maturity levels of privacy programs and related benefits of automated tools as 54% of respondents with more mature programs have implemented this type of technology compared with only 28.1% in early stage development.

Automated tools enable organizations to monitor all user activity in applications and efficiently identify anomalous activity that signals a breach or privacy violation.

“This research revealed a major gap between mature and early stage privacy programs and the benefits they receive,” said Ed Holmes, CEO, FairWarning.

“It is exciting to see healthcare at the top when it comes to privacy maturity. However, as we dig deeper into the data, we find that 37% of respondents with 30 or more breaches are from healthcare, indicating that there is still more work to be done.

“This study highlights useful guidance on steps all organizations can take regardless of industry or size to advance their program and ensure they are at the forefront of privacy and data protection.”

“In today’s fast-paced and increasingly digitized world, organizations regardless of size or industry, need to prioritize data and privacy protection,” said IAPP President & CEO J. Trevor Hughes.

“As the research has demonstrated, it is imperative that security and privacy professionals recognize the importance of implementing privacy and data protection programs to not only reduce privacy complaints and data breaches, but increase operational efficiency.”

Why are certain employees more likely to comply with information security policies than others?

Information security policies (ISP) that are not grounded in the realities of an employee’s work responsibilities and priorities expose organizations to higher risk for data breaches, according to a research from Binghamton University, State University of New York.

information security policies

The study’s findings, that subcultures within an organization influence whether employees violate ISP or not, have led researchers to recommend an overhaul of the design and implementation of ISP, and to work with employees to find ways to seamlessly fit ISP compliance into their day-to-day tasks.

“The frequency, scope and cost of data breaches have been increasing dramatically in recent years, and the majority of these cases happen because humans are the weakest link in the security chain. Non-compliance to ISP by employees is one of the important factors,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management.

“We wanted to understand why certain employees were more likely to comply with information security policies than others in an organization.”

How subcultures influence compliance within healthcare orgs

Sarkar, with a research team, sought to determine how subcultures influence compliance, specifically within healthcare organizations.

“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sarkar. “Each of these groups are trained in a different way and are responsible for different tasks.”

Sarkar and his fellow researchers focused on ISP compliance within three subcultures found in a hospital setting – physicians, nurses and support staff.

The expansive study took years to complete, with one researcher embedding in a hospital for over two years to observe and analyze activities, as well as to conduct interviews and surveys with multiple employees.

Because patient data in a hospital is highly confidential, one area researchers focused on was the requirement for hospital employees to lock their electronic health record (EHR) workstation when not present.

“Physicians, who are dealing with emergency situations constantly were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” said Sarkar.

“On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”

The conclusion

Researchers concluded that each subculture within an organization will respond differently to the organization-wide ISP, leaving organizations open to a higher possibility of data breaches.

Their recommendation – consult with each subculture while developing ISP.

“Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks,” said Sarkar. “It is critical that we find ways to redesign ISP systems and processes in order to create less friction.”

In the context of a hospital setting, Sarkar recommends touchless, proximity-based authentication mechanisms that could lock or unlock workstations when an employee approaches or leaves a workstation.

Researchers also found that most employees understand the value of ISP compliance, and realize the potential cost of a data breach. However, Sarkar believes that outdated information security policies’ compliance measures have the potential to put employees in a conflict of priorities.

“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” he said. “We need to find ways to accommodate the responsibilities of different employees within an organization.”

Only 27.9% of organizations able to maintain compliance with the PCI DSS

Global organizations continue to put their customers’ cardholder data at risk due to a lack of long term payment security strategy and execution, flags the Verizon report.

maintain compliance PCI DSS

With many companies struggling to retain qualified CISOs or security managers, the lack of long-term security thinking is severely impacting sustained compliance within the Payment Card Industry Data Security Standard (PCI DSS).

Cybercriminals still mostly targeting payment data

Payment data remains one of the most sought after and lucrative targets by cybercriminals with 9 out of 10 data breaches being financially motivated, as highlighted by the report. Within the retail sector alone, 99 percent of security incidents were focused on acquiring payment data for criminal use.

On average only 27.9 percent of global organizations maintained full compliance with the PCI DSS, which was developed to help businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

More concerning, this is the third successive year that a decline in compliance has occurred with a 27.5 percentage point drop since compliance peaked in 2016.

“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.

“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.

“Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.”

Few organizations successfully test security systems

Additional findings shine a spotlight on security testing where only 51.9 percent of organizations successfully test security systems and processes as well as unmonitored system access and where approximately two-thirds of all businesses track and monitor access to business critical systems adequately.

In addition, only 70.6 percent of financial institutions maintain essential perimeter security controls.

“This report is a welcome wake-up call to organizations that strong leadership is required to address failures to adequately manage payment security. The Verizon Business report aligns well with Omdia’s view that the alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1 to provide appropriate levels of payment security.

“It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the Chief Information Security Officer, the Chief Risk Officer, and Chief Compliance Officer, which Omdia concurs with,” comments Maxine Holt, senior research director at Omdia.

maintain compliance PCI DSS

Difficulty to maintain PCI DSS compliance impacts all businesses

SMBs were flagged as having their own unique struggles with securing payment data. While smaller businesses generally have less card data to process and store than larger businesses, they have fewer resources and smaller budgets for security, impacting the resources available to maintain compliance with PCI DSS.

Often the measures needed to protect sensitive payment card data are perceived as too time-consuming and costly by these smaller organizations, but as the likelihood of a data breach for SMBs remains high it is imperative that PCI DSS compliance is maintained.

The on-going CISO challenge: Security strategy and compliance

The report also explores the challenges CISOs face in designing, implementing and maintaining an effective and sustainable security strategy, and how these can ultimately contribute to the breakdown of compliance and data security management.

These problems were not found to be technological in nature, but as a result of organizational weaknesses which could be resolved by more mature management skills including creating formalized processes; building a business model for security as well as defining a sound security strategy with operating models and frameworks.

85% of COVID-19 tracking apps leak data

71% of healthcare and medical apps have at least one serious vulnerability that could lead to a breach of medical data, according to Intertrust.

COVID-19 tracking apps leak data

The report investigated 100 publicly available global mobile healthcare apps across a range of categories—including telehealth, medical device, health commerce, and COVID-tracking—to uncover the most critical mHealth app threats.

Cryptographic issues pose one of the most pervasive and serious threats, with 91% of the apps in the study failing one or more cryptographic tests. This means the encryption used in these medical apps can be easily broken by cybercriminals, potentially exposing confidential patient data, and enabling attackers to tamper with reported data, send illegitimate commands to connected medical devices, or otherwise use the application for malicious purposes.

Bringing medical apps security up to speed

The study’s overall findings suggest that the push to reshape care delivery under COVID-19 has often come at the expense of mobile application security.

“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do.” said Bill Horne, General Manager of the Secure Systems product group and CTO at Intertrust.

“The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed.”

The report on healthcare and medical mobile apps is based on an audit of 100 iOS and Android applications from healthcare organizations worldwide. All 100 apps were analyzed using an array of static application security testing (SAST) and dynamic application security testing (DAST) techniques based on the OWASP mobile app security guidelines.

COVID-19 tracking apps leak data

Report highlights

  • 71% of tested medical apps have at least one high level security vulnerability. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss.
  • The vast majority of medical apps (91%) have mishandled and/or weak encryption that puts them at risk for data exposure and IP (intellectual property) theft.
  • 34% of Android apps and 28% of iOS apps are vulnerable to encryption key extraction.
  • The majority of mHealth apps contain multiple security issues with data storage. For instance, 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
  • When looking specifically at COVID-tracking apps, 85% leak data.
  • 83% of the high-level threats discovered could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.

Cybersecurity lessons learned from data breaches and brand trust matters

Your brand is a valuable asset, but it’s also a great attack vector. Threat actors exploit the public’s trust of your brand when they phish under your name or when they counterfeit your products. The problem gets harder because you engage with the world across so many digital platforms – the web, social media, mobile apps. These engagements are obviously crucial to your business.

Something else should be obvious as well: guarding your digital trust – public confidence in your digital security – is make-or-break for your business, not just part of your compliance checklist.

COVID-19 has put a renewed spotlight on the importance of defending against cyberattacks and data breaches as more users are accessing data from remote or non-traditional locations. Crisis fuels cybercrime and we have seen that hacking has increased substantially as digital transformation initiatives have accelerated and many employees have been working from home without adequate firewalls and back-up protection.

The impact of cybersecurity breaches is no longer constrained to the IT department. The frequency and sophistication of ransomware, phishing schemes, and data breaches have the potential to destroy both brand health and financial viability. Organizations across industry verticals have seen their systems breached as cyber thieves have tried to take advantage of a crisis.

Good governance will be essential for handling the management of cyber issues. Strong cybersecurity will also be important to show customers that steps are being taken to avoid hackers and keep their data safe.

The COVID crisis has not changed the cybersecurity fundamentals. What will the new normal be like? While the COVID pandemic has turned business and society upside down, well-established cybersecurity practices – some known for decades – remain the best way to protect yourself.

1. Data must be governed

Data governance is the capability within an organization to help provide for and protect for high quality data throughout the lifecycle of that data. This includes data integrity, data security, availability, and consistency. Data governance includes people, processes, and technology that help enable appropriate handling of the data across the organization. Data governance program policies include:

  • Delineating accountability for those responsible for data and data assets
  • Assigning responsibility to appropriate levels in the organization for managing and protecting the data
  • Determining who can take what actions, with what data, under what circumstances, using what methods
  • Identifying safeguards to protect data
  • Providing integrity controls to provide for the quality and accuracy of data

2. Patch management and vulnerability management: Two sides of a coin

Address threats with vulnerability management. Bad actors look to take advantage of discovered vulnerabilities in an attempt to infect a workstation or server. Managing threats is a reactive process where the threat must be actively present, whereas vulnerability management is proactive, seeking to close the security gaps that exist before they are taken advantage of.

It’s more than just patching vulnerabilities. Formal vulnerability management doesn’t simply involve the act of patching and reconfiguring insecure settings. Vulnerability management is a disciplined practice that requires an organizational mindset within IT that new vulnerabilities are found daily requiring the need for continual discovery and remediation.

3. Not “if” but “when”: Assume you’re already hacked

If you build your operations and defense with this premise in mind, your chances of helping to detect these types of attacks and preventing the breaches are much greater than most organizations today.

The importance of incident response steps

A data breach should be viewed as a “when” not “if” occurrence, so be prepared for it. Under the pressure of a critical-level incident is no time to be figuring out your game plan. Your future self will thank you for the time and effort you invest on the front end.

Incident response can be stressful and is stressful when a critical asset is involved and you realize there’s an actual threat. Incident response steps help in these stressing, high pressure situations to more quickly guide you to successful containment and recovery. Response time is critical to minimizing damages. With every second counting, having a plan to follow already in place is the key to success.

4. Your size does not mean security maturity

It does not matter how big you are or the resources your team can access. As defenders, we always think, “If I only had enough money or people, I could solve this problem.” We need to change our thinking. It’s not how much you spend but rather, is that spend an effective use? Does it allow your team to disrupt attacks or just wait to be alerted (maybe)? No matter where an organization is on its journey toward security maturity, a risk assessment can prove invaluable in deciding where and when it needs most improvement.

cybersecurity lessons learned

For more mature organizations, the risk assessment process will focus less on discovering major controls gaps and more on finding subtler opportunities for continuously improving the program. An assessment of a less mature program is likely to find misalignments with business goals, inefficiencies in processes or architecture, and places where protections could be taken to another level of effectiveness.

5. Do more with less

Limited budgets, limited staff, limited time. Any security professional will have dealt with all of these repeatedly while trying to launch new initiatives or when completing day-to-day tasks. They are possibly the most severe and dangerous adversaries that many cybersecurity professionals will face. They affect every organization regardless of industry, size, or location and pose an existential threat to even the most prepared company. There is no easy way to contain them either, since no company has unlimited funding or time, and the lack of cybersecurity professionals makes filling roles incredibly tricky.

How can organizations cope with these natural limitations? The answer is resource prioritization, along with a healthy dose of operational improvements. By identifying areas where processes can be streamlined and understanding what the most significant risks are, organizations can begin to help protect their systems while staying within their constraints.

6. Rome wasn’t built in a day

An edict out of the IT department won’t get the job done. Building a security culture takes time and effort. What’s more, cybersecurity awareness training ought to be a regular occurrence — once a quarter at a minimum — where it’s an ongoing conversation with employees. One-and-done won’t suffice.

People have short memories, so repetition is altogether appropriate when it comes to a topic that’s so strategic to the organization. This also needs to be part of a broader top-down effort starting with senior management. Awareness training should be incorporated across all organizations, not just limited to governance, threat detection, and incident response plans. The campaign should involve more than serving up a dry set of rules, separate from the broader business reality.

Large vendor ecosystems and low visibility increase third-party cyber risk

80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem in the past 12 months, and the average organization had been breached in this way 2.7 times, according to a BlueVoyant survey.

budgets third-party cyber risk

The research also found organizations are experiencing multiple pain points across their cyber risk management program as they aim to mitigate risk across a network that typically encompasses 1409 vendors.

The study was conducted by Opinion Matters and recorded the views and experiences of 1505 CIOs, CISOs and Chief Procurement Officers in organizations with more than 1000 employees across a range of vertical sectors including business and professional services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy. It covered five countries: USA, UK, Mexico, Switzerland and Singapore.

Third-party cyber risk budgets and other key findings

  • 29% say they have no way of knowing if cyber risk emerges in a third-party vendor
  • 22.5% monitor their entire supply chain
  • 32% only re-assess and report their vendor’s cyber risk position either six-monthly or less frequently
  • The average headcount in internal and external cyber risk management teams is 12
  • 81% say that budgets for third-party cyber risk management are increasing, by an average figure of 40%

Commenting on the research findings, Jim Penrose, COO BlueVoyant, said: “That four in five organizations have experienced recent cybersecurity breaches originating in their vendor ecosystem is of huge concern.

“The research clearly indicated the reasons behind this high breach frequency: only 23% are monitoring all suppliers, meaning 77% have limited visibility and almost one-third only re-assess their vendors’ cyber risk position six-monthly or annually. That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment.”

Multiple pain points exist in third-party cyber risk programs as budgets rise

Further insight into the difficulties that are leading to breaches was revealed when respondents were asked to identify the top three pain points related to their third-party cyber risk programs, in the past 12 months.

The most common problems were:

  • Managing the volume of alerts generated by the program
  • Working with suppliers to improve security performance, and
  • Prioritizing which risks are urgent and which are not.

However, overall responses were almost equally spread across thirteen different areas of concern. In response to these issues, budgets for third-party cyber risk programs are set to rise in the coming year. 81% of survey respondents said they expect to see budgets increase, by 40% on average.

Jim Penrose continues: “The fact that cyber risk management professionals are reporting difficulties across the board shows the complexity they face in trying to improve performance.

“It is encouraging that budget is being committed to tackling the problem, but with so many issues to solve many organizations will find it hard to know where to start. Certainly, the current approach is not working, so simply trying to do more of the same will not shift the dial on third-party cyber risk.”

Variation across industry sectors

Analysis of the responses from different commercial sectors revealed considerable variations in their experiences of third-party cyber risk. The business services sector is suffering the highest rate of breaches, with 89% saying they have been breached via a weakness in a third-party in the past 12 months.

The average number of incidents experienced in the past 12 months was also highest in this sector, at 3.6. This is undoubtedly partly down to the fact that firms in the sector reported working with 2572 vendors, on average.

In contrast, only 57% of respondents from the manufacturing sector said they had suffered third-party cyber breaches in the past 12 months. The sector works with 1325 vendors on average, but had a much lower breach frequency, at 1.7.

“Thirteen percent of respondents from the manufacturing sector also reported having no pain points in their third-party cyber risk management programs, a percentage more than twice as high as any other sector.

Commenting on the stark differences observed between sectors, Jim Penrose said: “This underlines that there is no one-size-fits-all solution to managing third-party cyber risk.

“Different industries have different needs and are at varying stages of maturity in their cyber risk management programs. This must be factored into attempts to improve performance so that investment is directed where it has the greatest impact.”

Mix of tools and tactics in play

The survey investigated the tools organizations have in place to implement third-party cyber risk management and found a mix of approaches with no single approach dominating.

Many organizations are evolving towards a data-driven strategy, with supplier risk data and analytics in use by 40%. However static, point-in-time tactics such as on-site audits and supplier questionnaires remain common.

Jim Penrose concludes: “Overall the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment is defeating attempts to effectively manage third-party cyber risk in a meaningful way.

“Visibility into such a large and heterogenous group of vendors is obscured due to lack of resources and a continuing reliance on manual, point-in-time processes, meaning real-time emerging cyber risk is invisible for much of the time.

“For organizations to make meaningful progress in managing third-party cyber risk and reduce the current concerning rate of breaches, they need to be pursuing greater visibility across their vendor ecosystem and achieving better context around alerts so they can be prioritized, triaged and quickly remediated with suppliers.”

Nine out of ten IT pros have experienced a data breach

Exonar, has today published research revealing that 94 percent of IT pros have experienced a data breach, and an overwhelming majority (79 percent) are worried that their current organization could be next.

experienced a data breach

The survey of 500 IT professionals found that when it comes to cybersecurity, employee data breaches are seen as the biggest risk to an organization. Two fifths (40 percent) of respondents named employee data breaches as the biggest overall threat to information security in the coming year, while a fifth (21 percent) said external attacks from cybercriminals are the biggest risk to information security, and 20 per cent believe it is ransomware/malware attacks.

When looking at what causes employee data breaches, more than half (51 percent) of IT professionals say these most commonly occur through external email services such as Gmail and Outlook. However, 42 percent say employee data breaches have happened through collaboration tools such as Slack and Dropbox, and 41 per cent through SMS/messaging services. Just 6 percent of those surveyed said they had never knowingly experienced a data breach.

Despite data breaches being front of mind for IT teams, 95 percent of IT professionals say it’s a challenge to get visibility across their organizations’ data estate, and only 39 percent of organizations are taking active steps to gain visibility of their data.

“In simply performing their jobs, employees can unintentionally be the source of a data breach – by leaving high-risk information unprotected in the wrong place. It’s the responsibility of the company to provide the right methodology, technology, and processes that enable the workforce to continue to operate without burdening teams with undue process,” said Danny Reeves, CEO, Exonar.

“These days, every company is a data company, and large organizations often have thousands of systems and storage facilities. Unless companies are actively taking steps to know and understand their data, they’re leaving themselves vulnerable.”

Most security leaders feel their programs are mature, but data reveals otherwise

84% of security and IT leaders feel their enterprise programs are mature, but a deeper dive reveals a major disconnect between perception and reality, Vulcan Cyber reveals.

enterprise programs

“We already know most enterprise programs are immature – we see it every day in the field. What caught us off guard was that the vast majority of respondents felt otherwise,” said Yaniv Bar Dayan, CEO of Vulcan Cyber.

“Given the amount of breaches caused by known, unpatched vulnerabilities, that reveals a surprising disconnect that merits a closer look. So we mapped the survey data to our maturity model – the only way to raise the bar for vulnerability management is to show IT leaders how to transition their programs from managing vulnerabilities to remediating them.”

Key research findings

  • The most mature element of enterprise vulnerability management programs are vulnerability scanning (72%), followed by the effective use of vulnerability remediation tools (49%) and vulnerability prioritization (44%).
  • The three least-mature elements are orchestrated, collaborative remediation (48%), continuous, automated remediation (48%) and business alignment around cyber hygiene objectives (31%). This indicates that vulnerability management processes are siloed, ad-hoc, and inefficient, calling into question their ability to produce outcomes that actually remediate vulnerabilities and secure IT.
  • 89% of security and IT teams say they spend at least some time collaborating with cross-functional teams to remediate vulnerabilities, with 42% reporting they spend “a lot” or “too much” (7%) time every week working with other teams. A notable 83% of companies that said they spend too much time collaborating with other teams have 500-1,000 employees.
  • Roughly 50% of IT and security teams share responsibility for key remediation functions (identifying vulnerabilities, prioritization, crafting remediation strategies, deploying patches and remedies, etc.), revealing an opportunity to facilitate more effective and efficient collaboration by clearly defining the division of labor.

enterprise programs

“Vulnerability scanning and prioritization are essential functions, but they are the bare minimum – not what constitutes a mature program,” Bar-Dayan continues.

“In our experience, program bottlenecks are further along in the remediation lifecycle, stemming from inefficient cross team collaboration. Changing that requires organizations to update and automate their remediation processes. It’s a serious undertaking, but one that transforms vulnerability management programs into a powerful lever for shrinking security debt and strengthening the company’s security posture.”

Data protection critical to keeping customers coming back for more

Although consumers remain concerned about sharing personal data with companies, the results of a Privitar survey highlight an opportunity for businesses to take a leadership role and build brand loyalty by protecting their customers.

customers data protection

The report found that more than three-quarters of respondents are concerned or very concerned about protecting their personal data, with 42 percent of consumers saying they wouldn’t share sensitive data (e.g. name, address, email address, phone number, location information, health information, banking information, social security number) with a business for any reason.

As consumers grow increasingly apprehensive when it comes to their data, business success will depend on an organizations’ ability to prioritize and successfully execute on privacy initiatives.

Disconnect between consumer sentiment and actions surrounding data protection

When it comes to the management of their data, many consumers aren’t fully aware of how brands are securing their personal information. According to the survey, 43 percent of consumers don’t know if they’ve worked with a business that has been impacted by a data breach.

When it comes to privacy notices, 28 percent admit to not reading privacy notices at all and 42 percent admitted to only skimming the text. These findings point to a growing sentiment that data privacy should be the responsibility of the business – not the customer. With this, businesses have a tremendous opportunity to make data privacy a differentiator and way to build long-term loyalty.

Pandemic creating more data sharing opportunities, still consumers are wary

Despite the growing advancements on the data protection front, 51 percent of consumers surveyed said they are still not comfortable sharing their personal information. One-third of respondents said they are most concerned about it being stolen in a breach, with another 26 percent worried about it being shared with a third party.

In the midst of the growing pandemic, COVID-19 tracking, tracing, containment and research depends on citizens opting in to share their personal data. However, the research shows that consumers are not interested in sharing their information.

When specifically asked about sharing healthcare data, only 27 percent would share health data for healthcare advancements and research. Another 21 percent of consumers surveyed would share health data for contact tracing purposes.

As data becomes more valuable to combat the pandemic, companies must provide consumers with more background and reasoning as to why they’re collecting data – and how they plan to protect it.

Upcoming U.S. elections driving consumer awareness of data privacy

Recently, there’s been increased conversation about data privacy and protection legislation across the United States, especially as the CCPA is enacted and the CDPSA awaits its fate in Congress.

As the debate grows louder across the nation, 73 percent of consumers think that there should be more government oversight at the federal and/or state/local levels. While legislation can take years to pass, it’s important for businesses to overhaul their technology and processes now to quickly address consumers’ concerns and keep business running.

Businesses must drive data privacy action

Companies rely on brand loyalty to keep their operations up and running. While often referring to affordable costs and personalization as a means to keeping business moving, many overlook the importance of instilling a more personal sense of trust within their customer base.

When working with a business, 40 percent of consumers think the brand’s trustworthiness is most important when it comes to brand loyalty and 31 percent say it’s the brand’s commitment to protecting their data.

Evenly matched up with the 30 percent of consumers who believe customer service matters most, the results prove that data protection is just as critical to keeping customers coming back for more.

However, broken trust and lost responsibility for protecting that data have severe consequences, with 24 percent saying they have either stopped doing business or done less business with a company after it was breached.

As markets grow increasingly competitive in a fluctuating economy, it’s critical for businesses to keep customer loyalty high – and as such, be more open and transparent with how they’re using personal data.

“The global COVID-19 pandemic has underscored the importance of the trust relationship companies and governments need to build with consumers in an increasingly digital world,” said Jason du Preez, CEO, Privitar.

“The results of the survey affirm the growing need for brands to focus on building and maintaining this trust, starting first and foremost with protecting customer data. As more businesses utilize the cloud to enable data driven insights, a firm commitment to data privacy will help to ensure long-term loyalty, consumer satisfaction and shareholder value.”

Telehealth is the future of healthcare, but how secure is it?

54 percent of Americans have opted for virtual visits during pandemic, a CynergisTek survey reveals. Of those, more than 70 percent of respondents plan to continue to use telemedicine post-pandemic.

telehealth security

However, healthcare providers should note that privacy and protection of sensitive health data was a major concern for telemedicine users and breaches could prompt patients to switch doctors.

“The rapid growth of telehealth has accelerated to a level we wouldn’t have expected to see over a 10-year timeframe,” said Caleb Barlow, president and CEO of CynergisTek.

“However, major vulnerabilities are emerging around privacy and security standards for video conferencing and messaging apps when used for telehealth (such as consumer technologies like Zoom), which can be easily infiltrated – providing hackers with additional opportunities to breach highly-sensitive information.”

Delaying in-person visits, spurring rise of telehealth

During the pandemic, 56 percent of Americans have considered postponing non-emergency medical appointments until the COVID-19 pandemic ends. When put in a hypothetical situation where they would need medical care during the pandemic, the types of appointments Americans are postponing include:

  • Vaccines: 25 percent of Americans would postpone annual vaccines such as a flu shot until the pandemic was resolved.
  • Annual physicals: Nearly 40 percent are considering postponing physical exams for adults and child wellness exams.
  • Dental and vision exams: 45 percent of consumers said they would postpone their dental/orthodontics check-up amid the COVID-19 pandemic, followed by 43 percent postponing an eye exam.
  • Elective cosmetic procedures: More than 40 percent report considering putting off elective cosmetic services and surgeries (i.e. Botox, breast augmentation, etc).
  • Elective surgery: 35 percent report considering pushing out surgeries like hip and knee replacements until after the pandemic.

As Americans weigh their comfort level on what medical services require in-person visits with a physician or healthcare provider, telehealth options have skyrocketed as a popular alternative, providing convenience and access at a time when many are canceling appointments out of an abundance of caution.

According to the survey, while 39 percent of Americans opted for in-person visits, more than 54 percent of respondents opted for telehealth options with phone consultations and video visits being the two most popular. When examining consumers’ willingness to using telehealth post COVID-19, the survey found:

  • Of those who have used telehealth options during the COVID-19 pandemic, 73 percent report they will continue virtual visits after the pandemic passes.
  • 79 percent of male respondents who have used a telehealth solution during the COVID-19 pandemic will continue using them post-COVID, compared to 67 percent of females.
  • Millennials are statistically more likely than any other generation to continue using telehealth options after the pandemic has passed (81 percent), followed by Gen X (79 percent).
  • In a hypothetical situation where they needed medical care, 25 percent of Americans would not consider using a telehealth solution for any of the appointments or procedures types presented – this number is significantly higher among Baby Boomers (41 percent) and the Silent Generation (59 percent).

Embracing telehealth and balancing security needs to protect patients

While urgent visits require in-person consultation, Americans are looking to telehealth to fill in the gap for more routine types of care.

In a hypothetical situation where they’d need medical care or advice, nearly 30 percent of respondents would also look to telehealth for chronic care check-ups (29 percent) or annual physical and children’s wellness exams (27 percent).

While patients are embracing telehealth, providers must prioritize security when rolling out phone and virtual services or else they risk potential breaches of sensitive patient data.

A recent report found an increase in nefarious attacks targeting video conferencing tools like Zoom, reinforcing the need for healthcare providers to reassess their security posture and fortify their defenses to reflect this new reality, potentially losing their patients’ trust and business.

48 percent of respondents said they would be unlikely to use telehealth solutions again if their personal health data was hacked due to a telemedicine-related breach.

  • Women are more unlikely than males to use telehealth solutions again if their health information was involved in a telemedicine-related breach (54 percent of women vs. 41 percent of men).
  • Baby Boomers and the Silent Generation are the two groups most unlikely to return to telehealth solutions if their data was involved in a telehealth-related breach (62 and 65 percent respectively).

“We find ourselves in a very unique scenario, where consumers had to almost accept telehealth overnight,” said Russ Branzell, CEO of the College of Healthcare Information Management Executives.

“The progress has been amazing to see in creating easier access to care while reducing the burden on both providers and patients. However, we must remain vigilant in our efforts to protect and secure telehealth and other digital health technologies.

“With the opportunities of digital health also come inherent security risks – but digital health’s risks are manageable. It is important for healthcare providers to take data privacy and security seriously in order to ensure that digital health platforms like telehealth remain an essential part of the future of patient care.”

“We appreciate that this is a new development and healthcare providers are balancing all the new demands the pandemic has created,” said David Finn, Executive Vice President of Strategic Innovation of CynergisTek.

“However, the first step is to assess how the data is encrypted and who is authorized to access this data. From there, IT teams should work closely with leadership to fill in the security gaps on telehealth solutions that protect patients while also providing the convenience.”

Publicly reported data breaches down 52%, exposed records way up!

Although the number of publicly reported data breaches stands at its lowest in five years, the number of records exposed is more than four times higher than any previously reported time period, a Risk Based Security report reveals.

reported data breaches down

“The striking differences between 2020 and prior years brings up many questions,” commented Inga Goddijn, Executive Vice President at Risk Based Security. “Why is the breach count low compared to prior years? What is driving the growth in the number of records exposed? And perhaps most importantly, is this a permanent change in the data breach landscape?”

The report explores in detail how supply chain disruptions, brought on by the COVID-19 pandemic, has impacted data breach reporting and influenced other trends. In addition, Risk Based Security explains the cause behind the alarming amount of records exposed.

reported data breaches down

“Misconfigured databases and services have been the key driver behind the growing number of records exposed. When entire databases are left open and freely accessible, a considerable amount of data is put at risk. It is a small handful of these events in Q2 that are responsible for the explosion in the number of records exposed. In the second quarter of 2020, just two breaches alone were responsible for more than 18 billion of the 27 billion records put at risk,” Goddijn concluded.

Healthcare breaches declined sharply during the first half of 2020

This has been a very challenging year. Despite the COVID-19 outbreak starting in the first half of 2020, data analyzed from the Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal shows that the number of patient data records breached dramatically declined during the early stages of the pandemic. Healthcare orgs too busy to report CI Security analysts assessment indicates that the number of breach reports in the first half of 2020 … More

The post Healthcare breaches declined sharply during the first half of 2020 appeared first on Help Net Security.

Cyber crisis response failing to adapt to modern threats

Today, a stark disconnect exists between the inadequacy of crisis exercising and the desire to build an effective cyber crisis response function, according to an Osterman Research study.

cyber crisis response

The report into senior security leaders at 402 organizations with an average of 1900 employees in the US and UK found nearly 40% are not fully confident in their teams training to handle a data breach if one happened that week.

A spike in ransomware attacks

Looking at the evolution of ransomware alone, the number of ransomware detections in business environments rose by 365% between Q2 2018 and Q2 2019, and global organizations have seen a 148% spike in ransomware attacks amid COVID-19.

Meanwhile, more than a third of organizations surveyed say they space their tabletop exercises a year – sometimes two – apart, with 65% consisting of reviewing PowerPoint slides. In fact, slide-based sessions are nearly 20 times more common than practicing simulations and 64% ran three or fewer scenarios during their last exercise.

“If you did your ransomware training in January, you’re likely five ransomware techniques behind the curve now,” said James Hadley, CEO of Immersive Labs.

“With three quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.”

There is a need for more –and modernized – cyber training across organizations, not just on the security team.

Over reliance on plans contributes to low IR confidence

Despite organizations’ low confidence in their IR preparedness, 61% of respondents think having an IR plan is the single most effective way to prepare for a security incident. In fact, twice the amount of respondents thought an IR plan was more effective than regular table-top crisis exercising.

When they do perform crisis exercises, nearly 40% of all senior security leaders surveyed said the last exercise generated no action from the business.

Senior cybersecurity leadership skipping crisis exercises

Only a fraction of people who will be involved in a real crisis are present in training. A quarter of organizations surveyed ran crisis exercises without senior cybersecurity leadership in attendance, and only 20% of exercises involved communications team members, although the survey showed impact on brand is more important in security leaders’ minds when running crisis exercises at 47%, than share price (24%) or liquidity (27%).

Nearly half of security leaders said their organizations do not have a cross disciplinary cyber crisis group, of those who do, only 17% met monthly.

The pandemic exacerbates challenges with the human factor

20% of respondents said they find it impossible to effectively involve people in crisis response remotely from other geographies. Add to that, the human element of the cyber equation is being overlooked by crisis response exercises with only 15% saying they are focused on stress testing human cyber readiness.

cyber crisis response

Technology investments aren’t enough

Technology investments can’t save an organization alone, it’s time to focus on people. Nearly 60% of respondents think the best way to prepare for a crisis incident is to buy more technology, and more are interested in covering themselves legally (38%) than running effective tabletop exercises and fire drills to train their teams (32%).

“Dusting off the three-ring binder crisis plan does not cut it today,” added Hadley. “In the first 30 minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents.

“Micro-drills, or very focused exercises, designed to address particular risks must make their way into the mix. Much like exercising to stay fit, this needs to happen with regularity in dynamic environments, and involve all the right people, in order to keep current and be effective.”

The average total cost of a data breach declined, but costs increased for many organizations

Data breaches cost companies $3.86 million per breach on average, and compromised employee accounts are the most expensive root cause.

cost data breach

Based on in-depth analysis of data breaches experienced by over 500 organizations worldwide, 80% of these incidents resulted in the exposure of customers’ personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses.

As companies are increasingly accessing sensitive data via new remote work and cloud-based business operations, the report sheds light on the financial losses that organizations can suffer if this data is compromised.

Conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report is based on in-depth interviews with more than 3,200 security professional in organizations that suffered a data breach over the past year. Some of the top findings from this year’s report include:

Smart tech slashes breach costs in half: Companies who had fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs compared to those who didn’t have these tools deployed – $2.45 million vs. $6.03 million on average.

Paying a premium for compromised credentials: In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, businesses saw nearly $1 million higher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.

Mega breach costs soar by the millions: Breaches wherein over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost companies $364 million on average, a cost increase of $19 million compared to the 2019 report.

Nation state attacks: Data breaches believed to originate from nation state attacks were the costliest, compared to other threat actors examined in the report. State-sponsored attacks averaged $4.43 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.

“When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies,” said Wendi Whitmore, Vice President, IBM X-Force Threat Intelligence. “At a time when businesses are expanding their digital footprint at an accelerated pace and security industry’s talent shortage persists, teams can be overwhelmed securing more devices, systems and data. Security automation can help resolve this burden, not only enabling a faster breach response but a significantly more cost-efficient one as well.”

Employee credentials and misconfigured clouds

Stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies in the report, representing nearly 40% of malicious incidents. With over 8.5 billion records exposed in 2019, and attackers using previously exposed emails and passwords in one out of five breaches studied, businesses should rethink their security strategy via the adoption of a zero-trust approach – reexamining how they authenticate users and the extent of access users are granted.

Similarly, companies’ struggle with security complexity – a top breach cost factor – is likely contributing to cloud misconfigurations becoming a growing security challenge. The 2020 report revealed that attackers used cloud misconfigurations to breach networks nearly 20% of the time, increasing breach costs by more than half a million dollars to $4.41 million on average – making it the third most expensive initial infection vector examined in the report.

State sponsored attacks strike heaviest

Despite representing just 13% of malicious breaches studied, state-sponsored threat actors were the most damaging type of adversary according to the 2020 report, suggesting that financially motivated attacks (53%) don’t translate into higher financial losses for businesses. The highly tactical nature, longevity and stealth maneuvers of state-backed attacks, as well as the high value data targeted, often result in a more extensive compromise of victim environments, increasing breach costs to an average $4.43 million.

In fact, respondents in the Middle East, a region that historically experiences a higher proportion of state-sponsored attacks compared to other parts of the world , saw an over 9% yearly rise in their average data breach cost, incurring the second highest average breach cost ($6.52 million) amongst the 17 regions studied. Similarly, the energy sector, one of the most frequently targeted industries by nation states, experienced a 14% increase in breach costs year over year, averaging $6.39 million.

Advanced security technologies prove smart for business

The report highlights the growing divide in breach costs between businesses implementing advanced security technologies and those lagging behind, revealing a cost-saving difference of $3.58 million for companies with fully deployed security automation versus those that have yet to deploy this type of technology. The cost gap has grown by $2 million, from a difference of $1.55 million in 2018.

Companies in the study with fully deployed security automation also reported significantly shorter response time to breaches, another key factor shown to reduce breach costs in the analysis. The report found that AI, machine learning, analytics and other forms of security automation enabled companies to respond to breaches over 27% faster than companies that have yet to deploy security automation – the latter of which require on average 74 additional days to identify and contain a breach.

Incident response (IR) preparedness also continues to heavily influence the financial aftermath of a breach. According to the report, companies with neither an IR team nor testing of IR plans experience $5.29 million in average breach costs, whereas companies that have both an IR team and use tabletop exercises or simulations to test IR plans experience $2 million less in breach costs – reaffirming that preparedness and readiness yield a significant ROI in cybersecurity.

cost data breach

Additional findings from this year’s report

  • Remote work risk will have a cost: With hybrid work models creating less controlled environments, the report found that 70% of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.
  • CISOs faulted for breaches, despite limited decision-making power: Forty-six percent of respondents said the CISO/CSO is ultimately held responsible for the breach, despite only 27% stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.
  • Majority of cyber insured businesses use claims for third party fees: The report found that breaches at studied organizations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million. In fact, of these organizations that used their cyber insurance, 51% applied it to cover third-party consulting fees and legal services, while 36% of organizations used it for victim restitution costs. Only 10% used claims to cover the cost of ransomware or extortion.
  • Regional and industry insights: While the U.S. continued to experience the highest data breach costs in the world, at $8.64 million on average, the report found that Scandinavia experienced the biggest year over year increase in breach costs, observing a nearly 13% rise. Healthcare continued to incur the highest average breach costs at $7.13 million — an over 10% increase compared to the 2019 study.

Organizations with poor privacy practices 80% more likely to suffer data breach

There’s a predictive relationship between responsible privacy practices and security outcomes, according to Osano.

privacy practices

Companies with inadequate data privacy practices are 80 percent more likely to suffer a data breach than those with the highest-ranked privacy practices and will face fines seven times larger than companies with the best scores in the event of a data breach.

Privacy issues

  • Companies with the lowest privacy scores lost 600% more records than high-scoring companies.
  • The worst privacy actors are the least likely to be able to retrospectively identify the root cause of a breach.
  • Of the entities that get breached, governments have the worst scores.
  • Educational and government websites are 15x more likely to experience a breach than commercial sites.

“In the face of nonstop breaches and increased data security awareness, consumer and shareholder confidence in businesses is slowly eroding. Businesses that fail to protect sensitive data will face serious negative consequences, and the report proves just how these phenomena move hand-in-hand.” said Osano CEO, Arlo Gilbert.

“There is a perception that privacy issues are akin to a speeding ticket – a risk worth running. Companies that don’t change their perception are facing higher odds of experiencing a data breach and losing the trust they’ve built with their customers.”

Third parties responsible for most data breaches

The average company shares its data with 730 different vendors, and according to the Internal Auditors Research Foundation, third parties were responsible for two out of every three data breaches.

Many companies are lagging behind current data privacy requirements. By prioritizing best-in-class privacy practices, companies can reduce the risk of security incidents and demonstrate trustworthiness to customers.

Human error: Understand the mistakes that weaken cybersecurity

43% of US and UK employees have made mistakes resulting in cybersecurity repercussions for themselves or their company, according to a Tessian report.

human error cybersecurity

With human error being a leading cause of data breaches today, the report examines why people make mistakes and how they can be prevented before they turn into breaches.

Human error: The impact on cybersecurity

When asked about what types of mistakes they have made, one-quarter of employees confessed to clicking on links in a phishing email at work. Employees aged between 31-40 were four times more likely than employees aged over 51 to click on a phishing email, while men were twice as likely as women to do so.

47% of employees cited distraction as a top reason for falling for a phishing scam. This was closely followed by the fact that the email looked legitimate (43%), with 41% saying the phishing email looked like it came from a senior executive or a well-known brand.

In addition to clicking on a malicious link, 58% of employees admitted to sending a work email to the wrong person, with 17% of those emails going to the wrong external party.

This simple error leads to serious consequences for both the individual and the company, who must report the incident to regulators as well as their customers. In fact, one-fifth of respondents said their company had lost customers as a result of sending a misdirected email, while 12% of employees lost their job.

The main reason cited for misdirected emails was fatigue (43%), closely followed by distraction (41%). With 57% of respondents saying they are more distracted when working from home, the sudden shift to remote working could make businesses more vulnerable to security incidents caused by human error.

How stress impacts cybersecurity

The report’s findings call for businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of the events of 2020. Employees revealed they make more mistakes when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).

It is worrying, then, that 61% of respondents said their company has a culture of presenteeism that makes them work longer hours than they need to, while 46% of employees have experienced burnout.

Businesses should also be mindful of how the global pandemic, and the move to working from home, have impacted employees’ wellbeing and how that relates to security.

Jeff Hancock, a professor at Stanford University and expert in social dynamics, contributed to the report and said, “Understanding how stress impacts behavior is critical to improving cybersecurity.

The events of 2020 have meant that people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret.

Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”

human error cybersecurity

Why age matters

The report also shows that age, gender and industry play a role in people’s cybersecurity behaviors, revealing that a one-size-fits-all approach to cybersecurity training and awareness won’t work in preventing incidents of human error. Findings include:

  • Half of employees aged 18-30 say they have made mistakes that compromised their company’s cybersecurity, compared with 10% of workers over 51 who say the same.
  • 65% of 18-30 year-olds say they have sent an email to the wrong person, compared with 34% of those over 51.
  • 70% of employees who admitted to clicking a phishing email are aged between 18-40 years old. In comparison, just 8% of those over 51 said they had done the same.
  • Workers in the Technology industry were the most likely to click on links in phishing emails, with 47% of respondents in this sector admitting they had done so. This was closely followed by employees in Banking and Finance (45%).

Tim Sadler, CEO of Tessian said, “Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time.

“To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.”

Most global brands fail to implement security controls to prevent data leakage and theft

The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent.

global brands security controls

Global brands fail to implement security controls

As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.

There’s a troubling lack of security controls required to prevent data theft and loss through client-side attacks like Magecart, formjacking, cross-site scripting, and credit card skimming. These attacks exploit vulnerable JavaScript integrations running on 99% of the world’s top websites, Tala Security reveals.

The report indicates that security effectiveness against JavaScript vulnerabilities is declining, despite high-profile attacks and repeated industry warnings over the past 18 months, including the largest GDPR fine to date.

Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript.

In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. What this report indicates is that data risk is everywhere and effective controls are rarely applied.

Key findings highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks.

JavaScript risk has increased in 2020

The average website includes content from 32 third-party JavaScript vendors, up slightly from 2019. JavaScript powers richness but also the framework of what renders on customer browsers, including images, style sheets, fonts, media and content from 1st party source- the site owner.

Content delivered by third-party JavaScript integrations

58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations identified above.

This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client-side is a primary attack vector for website attacks today.

Websites expose data to an average of 17 domains

Despite increasing numbers of high-profile breaches, forms, found on 92% of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records.

While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, the analysis shows that this data is exposed to nearly 10X more domains than intended.

Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.

No attack is more widespread than XSS

While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS). This study found that 97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack.

Standards-based security controls exist that can prevent these attacks. They are infrequently applied.

Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:

  • Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
  • 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019. However…
  • Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.

New threat environment elements and global attack trends

There has been an increase in both cyberattack volume and breaches during the past 12 months in the U.S. This has prompted increased investment in cyber defense, with U.S. businesses already using an average of more than nine different cybersecurity tools, a VMware survey found.

threat environment elements

Key findings

  • 92% said attack volumes have increased in the last 12 months, the survey found.
  • 97% said their business has suffered a security breach in the last 12 months. The average organization said they experienced 2.70 breaches during that time, the survey found.
  • 84% said attacks have become more sophisticated, the survey found.
  • 95% said they plan to increase cyber defense spending in the coming year.
  • OS vulnerabilities are the leading cause of breaches, according to the survey, followed by web application attacks and ransomware.
  • US companies said they are using an average of 9 different security technologies to manage their security program, the survey found.

Common breach causes in U.S.

The most common cause of breaches in the U.S. was OS vulnerabilities (27%). This was jointly followed by web application attacks with 13.5% and ransomware with 13%. Island-hopping was the cause of 5% of breaches.

Rick McElroy, Cyber Security Strategist at VMware Carbon Black, said: “Island-hopping is having an increasing breach impact with 11% of survey respondents citing it as the main cause. In combination with other third-party risks such as third-party apps and the supply chain, it’s clear the extended enterprise is under pressure.”

Complex multi-technology environments

US cybersecurity professionals said they are using an average of more than nine different tools or consoles to manage their cyber defense program, the survey found. This indicates a security environment that has evolved reactively as security tools have been adopted to tackle emerging threats.

“Siloed, hard-to-manage environments hand the advantage to attackers from the start. Evidence shows that attackers have the upper hand when security is not an intrinsic feature of the environment. As the cyber threat landscape reaches saturation, it is time for rationalization, strategic thinking and clarity over security deployment,” said McElroy.

Supplemental COVID-19 survey in U.S.

The latest research was supplemented with a survey on the impact COVID-19 has had on the attack landscape. According to the supplemental survey of more than 1,000 respondents from the U.S., UK, Singapore and Italy, 88% of U.S. cybersecurity professionals said attack volumes have increased as more employees work from home. 89% said their organizations have experienced cyberattacks linked to COVID-19 malware.

Key findings from the supplemental U.S. COVID-19-focused survey:

  • 89% said they have been targeted by COVID-19-related malware.
  • Inability to institute multifactor authentication (MFA) was reported as the biggest security threat to businesses during COVID-19, the survey found.
  • 83% reported gaps in disaster planning around communications with external parties including customers, prospects, and partners.

Said McElroy: “The global situation with COVID-19 has put the spotlight on business resilience and disaster recovery planning. Those organizations that have delayed implementing multi-factor authentication appear to be facing challenges, as 32% of U.S. respondents say the inability to implement MFA is the biggest threat to business resilience they are facing right now.”

Exposing gaps in a disaster recovery plan

U.S. survey respondents were asked whether COVID-19 had exposed gaps in their disaster recovery plans, and to indicate the severity of those gaps. Their responses showed that:

  • 83% of respondents reported gaps in recovery planning, ranging from slight to severe.
  • 83% said they had uncovered gaps in IT operations.
  • 84% said they encountered problems around enabling a remote workforce.
  • 83% said they’ve experienced challenges communicating with employees
  • 83% said they had experienced difficulty communicating with external parties.
  • 63% said the situation uncovered gaps around visibility into cybersecurity threats.

“These figures indicate that the surveyed CISOs may be facing difficulty in a number of areas when answering the demands placed on them by the COVID-19 situation,” according to McElroy.

Risks directly related to COVID-19 have also quickly emerged, the survey found. This includes rises in COVID-19 malware which was seen by 89% of U.S. respondents.

Said McElroy: “The 2020 survey results suggest that security teams must be working in tandem with business leaders to shift the balance of power from attackers to defenders. We must also collaborate with IT teams and work to remove the complexity that’s weighing down the current model.

“By building security intrinsically into the fabric of the enterprise – across applications, clouds and devices – teams can significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.”

2020: The year of increased attack sophistication

There was an increase in both cyberattack volume and breaches during the past 12 months in the U.S. This has prompted increased investment in cyber defense, with U.S. businesses already using an average of more than nine different cybersecurity tools, a VMware survey found.

2020 increased attack sophistication

Increased attack sophistication in 2020

Key survey findings from U.S. respondents:

  • 92% said attack volumes have increased in the last 12 months, the survey found.
  • 97% said their business has suffered a security breach in the last 12 months. The average organization said they experienced 2.70 breaches during that time, the survey found.
  • 84% said attacks have become more sophisticated, the survey found.
  • 95% said they plan to increase cyber defense spending in the coming year.
  • OS vulnerabilities are the leading cause of breaches, according to the survey, followed by web application attacks and ransomware.
  • US companies said they are using an average of 9 different security technologies to manage their security program, the survey found.

Common breach causes in U.S.

The most common cause of breaches in the U.S. was OS vulnerabilities (27%). This was jointly followed by web application attacks with 13.5% and ransomware with 13%. Island-hopping was the cause of 5% of breaches.

Rick McElroy, Cyber Security Strategist at VMware Carbon Black, said: “Island-hopping is having an increasing breach impact with 11% of survey respondents citing it as the main cause. In combination with other third-party risks such as third-party apps and the supply chain, it’s clear the extended enterprise is under pressure.”

Complex multi-technology environments

US cybersecurity professionals said they are using an average of more than nine different tools or consoles to manage their cyber defense program, the survey found. This indicates a security environment that has evolved reactively as security tools have been adopted to tackle emerging threats.

Said McElroy: “Siloed, hard-to-manage environments hand the advantage to attackers from the start. Evidence shows that attackers have the upper hand when security is not an intrinsic feature of the environment. As the cyber threat landscape reaches saturation, it is time for rationalization, strategic thinking and clarity over security deployment.”

Supplemental COVID-19 survey

The latest research was supplemented with a survey on the impact COVID-19 has had on the attack landscape. According to the supplemental survey of more than 1,000 respondents from the U.S., UK, Singapore and Italy, 88% of U.S. cybersecurity professionals said attack volumes have increased as more employees work from home. 89% said their organizations have experienced cyberattacks linked to COVID-19 malware.

Key findings from the supplemental U.S. COVID-19-focused survey:

  • 89% said they have been targeted by COVID-19-related malware.
  • Inability to institute multi-factor authentication (MFA) was reported as the biggest security threat to businesses during COVID-19, the survey found.
  • 83% reported gaps in disaster planning around communications with external parties including customers, prospects, and partners.

“The global situation with COVID-19 has put the spotlight on business resilience and disaster recovery planning. Those organizations that have delayed implementing multi-factor authentication appear to be facing challenges, as 32% of U.S. respondents say the inability to implement MFA is the biggest threat to business resilience they are facing right now,” said Said McElroy.

Gaps in disaster recovery plans

U.S. survey respondents were asked whether COVID-19 had exposed gaps in their disaster recovery plans, and to indicate the severity of those gaps. Their responses showed that:

  • 83% of respondents reported gaps in recovery planning, ranging from slight to severe.
  • 83% said they had uncovered gaps in IT operations.
  • 84% said they encountered problems around enabling a remote workforce.
  • 83% said they’ve experienced challenges communicating with employees.
  • 83% said they had experienced difficulty communicating with external parties.
  • 63% said the situation uncovered gaps around visibility into cybersecurity threats.

Said McElroy: “These figures indicate that the surveyed CISOs may be facing difficulty in a number of areas when answering the demands placed on them by the COVID-19 situation.”

2020 increased attack sophistication

Risks directly related to the pandemic have also quickly emerged, the survey found. This includes rises in COVID-19 malware which was seen by 89% of U.S. respondents.

Said McElroy: “The 2020 survey results suggest that security teams must be working in tandem with business leaders to shift the balance of power from attackers to defenders. We must also collaborate with IT teams and work to remove the complexity that’s weighing down the current model.

“By building security intrinsically into the fabric of the enterprise – across applications, clouds and devices – teams can significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.”

70% of organizations experienced a public cloud security incident in the last year

70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos.

public cloud security incident

Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.

Europeans suffered the lowest percentage of security incidents in the cloud, an indicator that compliance with GDPR guidelines are helping to protect organizations from being compromised. India, on the other hand, fared the worst, with 93% of organizations being hit by an attack in the last year.

“Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public cloud. The most successful ransomware attacks include data in the public cloud, according to the State of Ransomware 2020 report, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment,” said Chester Wisniewski, principal research scientist, Sophos.

“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads. Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”

The unintentional open door: How attackers break in

Accidental exposure continues to plague organizations, with misconfigurations exploited in 66% of reported attacks. Misconfigurations drive the majority of incidents and are all too common given cloud management complexities.

Additionally, 33% of organizations report that cybercriminals gained access through stolen cloud provider account credentials. Despite this, only a quarter of organizations say managing access to cloud accounts is a top area of concern.

Data further reveals that 91% of accounts have overprivileged identity and access management roles, and 98% have multi-factor authentication disabled on their cloud provider accounts.

public cloud security incident

Public cloud security incident: The silver lining

96% of respondents admit to concern about their current level of cloud security, an encouraging sign that it’s top of mind and important.

Appropriately, “data leaks” top the list of security concerns for nearly half of respondents (44%); identifying and responding to security incidents is a close second (41%). Notwithstanding this silver lining, only one in four respondents view lack of staff expertise as a top concern.