In today’s economy, almost every aspect of our lives and businesses is closely intertwined with technology. From banking transactions to storing personal notes, our reliance on digital systems is unparalleled. With this increasing dependence comes the need to protect our digital footprint. This is where the need of a Cybersecurity Program steps in.
What is Cybersecurity?
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes.
It’s a multidimensional field that encompasses various areas like application security, information security, network security, disaster recovery, and more. The purpose of cybersecurity is not just to prevent unauthorized access but also to create a framework for attaining and maintaining an acceptable level of information risk.1
Importance of Cybersecurity for Organizational Assets
- Protecting Business Information: Breach can lead to severe financial losses and a tainted reputation.
- Maintaining Customer Trust: A single breach can shake that trust, making it challenging to retain customers.
- Regulatory and Compliance Requirements: Many industries have strict regulatory requirements for data security. Non-compliance can result in fines and legal actions.
- Securing the Future: A well-designed cybersecurity program can prepare an organization for new challenges. In a modern day with the Internet of Things (IoT) and smart devices, the attack surface for cybercriminals is constantly expanding.
In a nutshell, the essence of cybersecurity lies in its ability to ensure the confidentiality, integrity, and availability of an organization’s assets. Cyber threats are continuously evolving, and so should the cybersecurity program.
What is information security?
Cybersecurity could be defined as a subset of information security. InfoSec is about protection of data of all mediums. When talking about cybersecurity it is essential to at least overview core concepts of InfoSec as a whole.
The above graphic encapsulates the holistic approach to information security. The core asset that has to be protected is “Information.” In the triad there are pillars of information security:
- Confidentiality – ensure data remains private;
- Integrity – ensure accuracy and consistency of data;
- Availability – ensure information is accessible when required.
Building upon these foundational principles, the second layer presents Hardware, Software, and Communication protection. Organization needs to protect physical devices, the software operating on them, and the secure transmission of data between systems in order to protect the information. Single vulnerability in any of these can jeopardize the sanctity of the core information.
The outermost layer broadens the perspective, emphasizing Physical, Personal, and Organizational Security. Beyond just digital defense, security also demands attention to the physical infrastructure, the individuals interacting with the system, and the broader organizational policies and procedures. A lot of security breaches are due to human mistakes rather than software vulnerabilities and it’s important to be aware of the risks.
Overview of Cybersecurity Mandates
Organizations must adhere to legal regulations in order to safeguard confidential data and prevent data breaches. Both the EU and US have implemented regulatory measures to ensure that organizations maintain a certain standard of cybersecurity.
EU Cybersecurity Mandates
General Data Protection Regulation (GDPR)2:
- Overview: Issued in 2016 and in effect since May 2018, GDPR is a comprehensive data protection regulation that impacts any organization processing the personal data of EU citizens, regardless of the organization’s location.
- Cybersecurity Aspects: GDPR requires organizations to implement appropriate security measures to protect personal data. In case of breach, the organization is expected to notify DPA within 72 hours from discovery.
NIS Directive (Network and Information Systems)3:
- Overview: The NIS Directive, in effect since May 2018, is legislation on cybersecurity that aims to achieve a high common level of network and information system security across the EU.
- Cybersecurity Aspects: It mandates that operators of essential services and digital service providers take appropriate security measures.
US Cybersecurity Mandates:
1. Health Insurance Portability and Accountability Act (HIPAA)4:
- Overview: HIPAA, established in 1996, defines protection for health information.
- Cybersecurity Aspects: It requires healthcare organizations to protect patient health and personal data.
2. Federal Information Security Management Act (FISMA)5:
- Overview: FISMA, introduced in 2002, requires federal agencies to develop, document, and implement information security programs.
- Cybersecurity Aspects: Agencies must take action, with the objective to mitigate risks to their information systems.
Cost of Cyber Incidents
The aftermath of a cyber incident extends far beyond immediate financial implications. The ripple effects of a breach can touch every facet of an organization, its reputation with customers and partners as well as daily operations. Let’s delve deeper into these costs:
- Direct Financial Loss: This is the most apparent cost, stemming from theft of funds, loss of assets, or ransom payments. In 2023, the average cost of a data breach was $4.45 million6.
- Regulatory Fines: Non-compliance with industry regulations can lead to substantial penalties. The General Data Protection Regulation (GDPR), for example, can fine companies up to 4% of their annual global turnover or €20 million, whichever is higher. In May 2023, the Irish Data Protection Commission fined Meta for €1.2 billion7.
- Remediation Costs: After a breach, companies need to reiterate on the security setting and spend resources on patching vulnerabilities and improving security infrastructure.
- Loss of Customer Trust: Customers entrust companies with their personal and financial data. A breach can severely damage this trust, taking years to rebuild.
- Decrease in Stock Value: Publicly traded companies can see a dip in their stock prices post a major cyber incident. Equifax’s shares, for instance, dropped more than 13% after the revelation of the attack. Twitter lost $1.3 billion in market value after the data breach.
- Disruption in Business Operations: Cyber incidents, especially ransomware attacks, can halt business operations. This downtime can result in loss of revenue.
- Loss of Competitive Edge: Stolen intellectual property can give competitors an advantage, potentially leading to long-term market share loss.
In sum, while the immediate financial implications of a cyber incident are undeniably severe, the long-term reputational and operational costs are also very important.
Benefits of having a Cybersecurity Program
Based on the aforementioned costs, we can point to the following benefits for having a well-structured security program in place:
- Avoidance of Legal Consequences and Compliance Violations
- Protection Against Downtime
- Intellectual Property Protection
- Improved Confidence and Trust
- Competitive Advantage
- Enhanced organization culture
Security Breach Stories
The power of a quick response: The Twitter Breach (2020)
Every organization is a potential target for cyber-attacks. While it’s challenging to pinpoint successful defense stories due to the myriad of cyberattacks thwarted daily, the 2020 Twitter case stands out, shedding light on dynamic response strategies when a security breach does occur. Though not without loss, the situation at Twitter could have been significantly worse, had it not been for their immediate and evolving actions.
On July 15, 2020, Twitter faced a major security breach where a 17-year-old hacker and accomplices managed to seize control of several high-profile accounts. Attack didn’t deploy “any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors,” as per the investigation report. Hacker tricked Twitter employees into relinquishing login credentials and gaining access to the Twitter Tools.
Here’s a breakdown of how Twitter navigated through this cyber storm:
Immediate Communication and Account Restoration
Twitter reached out to the impacted account owners and restored access to accounts temporarily locked out during remediation efforts, displaying a sense of urgency and responsibility.
Restricting Internal Access
To ensure ongoing account security, access to internal tools and systems was significantly limited, a necessary measure to introduce robust changes to their processes and tooling.
Post-attack, Twitter accelerated pre-existing security workstreams, improved tools, and enhanced methods for detecting and preventing inappropriate access to internal systems. They also organized company-wide phishing exercises to better equip their employees against social engineering attacks.
Human Factor in Cybersecurity
The attack was a stark reminder of the human vulnerability in cybersecurity. It emphasized the need for continuous employee education and the cultivation of a vigilant organizational culture.
Engaging with external authorities for a thorough investigation showcased a collaborative approach to understanding the breach’s dynamics and preventing future occurrences. One of the results is the Twitter Investigation Report created by the Department of Financial Services.
By disclosing the extent of the attack, Twitter provided a level of transparency that’s crucial for maintaining public trust and showcasing accountability.
The Twitter case underscores the importance of a dynamic response strategy in the face of cyber adversities. It reminds us that while technological defenses are crucial, the human element is equally significant, and a transparent, collaborative approach can significantly mitigate the damage while fostering a culture of continuous learning and improvement in cybersecurity protocols. Through such a multi-faceted approach, organizations can better prepare for, respond to, and recover from cyberattacks, turning potential crises into opportunities for enhancement and growth in the digital security landscape.
A Cautionary Tale: The Equifax Breach (2017)
The Equifax breach in 2017 starkly contrasted with Twitter’s 2020 cyberattack in terms of the nature of the breach, the company’s response, and the ramifications.
Nature of the Attack
The Equifax breach was characterized by a more traditional cyberattack vector where hackers exploited a known vulnerability in the Apache Struts web framework8 (patch for Apache Struts was released on March 7, 2017, months before attack), which Equifax failed to patch in a timely manner. On the other hand, the Twitter breach was a result of social engineering where the attackers tricked Twitter employees into providing login credentials, without leveraging any technical vulnerabilities.
Equifax disclosed the breach affecting over 140 million Americans on September 7 (data breach occurred between May and July 2017), 2017, whereas Twitter promptly communicated with impacted account owners and the broader community following the July 15, 2020, attack.
Equifax’s response was heavily criticized for its lack of promptness and effectiveness. The CEO, Rick Smith, released a video discussing the breach and the steps they were taking, including working with authorities. On the contrary, Twitter immediately restricted internal access to certain tools, communicated transparently with the affected parties, and accelerated pre-existing security projects to prevent future incidents.
Public Perception and Regulatory Scrutiny
Equifax faced significant backlash for both the breach and its response. The breach led to regulatory investigations and fines. Twitter, while also facing scrutiny, was more lauded for its transparent and dynamic response.
Post-breach, Equifax committed to enhancing its security posture, although the details and effectiveness of these measures have been a matter of discussion. Twitter was open about the security enhancements and educational exercises it undertook to prevent similar incidents in the future.
The Equifax breach had a long-lasting impact, leading to hefty fines and a settlement with federal agencies. Twitter’s breach, while significant, did not result in similar long-term financial or regulatory ramifications.
The safety and integrity of our digital assets are more crucial than ever. Cybersecurity has risen as a pivotal concern for businesses and individuals alike, it is essential for staff on all levels to be aware of the threats and how to prevent them. Both the EU and the US have recognized the significance of cybersecurity and have implemented mandates. Compliance isn’t just a legal necessity; it’s also a cornerstone of trust in today’s business world.
Real-world examples point to the necessity of security: from situations where a proactive approach helped avert major losses, to the breaches, which exposed the huge amount of data due to inadequate cybersecurity measures, the stakes are evident.
In conclusion, as we further entrench ourselves in the digital age, cybersecurity isn’t just an IT concern—it’s a business imperative. It’s not just about reactive measures; the software development process itself can be elevated to ensure compliance from the ground up. In the face of ever-evolving cyber threats, a proactive approach to cybersecurity is a necessity.
- https://www.iso.org/en/contents/data/standard/05/45/54534.html ↩︎
- https://gdpr-info.eu/ ↩︎
- https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new ↩︎
- https://www.hhs.gov/hipaa/index.html ↩︎
- https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act ↩︎
- https://securityintelligence.com/articles/cost-of-a-data-breach-2023-financial-industry/ ↩︎
- https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/ ↩︎
- https://www.synopsys.com/blogs/software-security/cve-2017-5638-apache-struts-vulnerability-explained.html ↩︎