2017 Year-end Cybersecurity Report

Image: @stemdotorg


Written by: Andrew B. Raupp / @stemceo

The digital revolution that we’re currently living through has already made the world better in a number of immeasurable ways. In just a few short years it’s become possible to work anywhere, anytime, thanks to the power that cloud computing brings to the table (1). Information sharing has become effortless and, thanks to analytics, largely automated (2). Even industries that are largely disconnected from the tech sector now rely on these types of advancements on a daily basis to work smarter, not harder, improving bottom lines across the board.

Unfortunately, the “always connected” environment that we’re now living in has also made the world far more dangerous at the same time — particularly as far as cybersecurity is concerned. According to a study that was recently conducted in association with IBM and the Ponemon Institute, the average cost of a single data breach incident is on the rise (3). Last year, the consolidated cost of a single event grew to a new record high of $4 million — up from the $3.8 million total the previous year. If you consider things in terms of each record that is lost, stolen or otherwise compromised, that breaks down to a cost to businesses of roughly $158 — also up from its previous record high of $154.

In an effort to keep up with the rapidly changing demands of an inherently dangerous Internet-driven culture, cybersecurity as a very concept has had to evolve just as rapidly. Even the United States government has begun to acknowledge just what a pressing issue this is with cybersecurity becoming a major focus of the Department of Homeland Security in recent years (4).

Understanding what cybersecurity is, why it’s important, the types of threats it helps to protect us against and the future of an entire industry is one of the keys to remaining protected in the understandably uncertain years to come.

What is Cybersecurity?

“Cybersecurity” is traditionally defined as the collection of technologies, processes and best practices designed to protect IT systems around the world from harm. It’s a term that has come to encompass the techniques used not just to protect individual computers, but also hardware and software resources, entire networks and the data that moves across them on a daily basis from attack, damage and unauthorized access (5).

It’s important to understand that in today’s world, cybersecurity encompasses both digital technologies (like proactive network scanning) and physical security (like data warehouse management systems) (6). Everyone from private businesses to government agencies to financial institutions, medical organizations and beyond work diligently to ward off the growing number of cyber attacks that are happening each day, both in an effort to safeguard confidential business or personal information and (in the case of the government) protect our national security.

The key takeaway is that in 2017, “cybersecurity” doesn’t describe any one particular solution or technique — it’s a combination of elements that, when taken together, all add up to something meaningful and proactive. Everything from traditional antivirus software to proactive network scanning, disaster recovery and business continuity planning efforts, operational physical security and even end-user education is all essential in terms of fighting off modern day threats.

To the last point, end-user education is simultaneously one of the most “low tech” and essential ways for a business to stay protected in the digital age. While it’s true that many newer attacks are growing more sophisticated by the day, the “tried but true” techniques that have been around as long as the Internet can still be alarmingly effective. The massive Russian cyber attackthat ended with the release of nearly 10 years worth of emails that were damaging to Hillary Clinton’s 2016 presidential campaign, for example, had its roots in one of the oldest malicious techniques that exists: a phishing attempt (7).

In March of 2015, Clinton campaign chairman John Podesta received an email saying that hackers were in the process of trying to infiltrate his Gmail account. The problem was that the email wasn’t legitimate at all — it was a counterfeit Google email aimed at tricking him into entering his username and password (7). After clicking on the fraudulent link and falling directly into the hands of hackers, the rest is history. Remove politics from the equation: had John Podesta not fallen victim to one of the most “low tech” methods of intrusion that currently exists, the world would likely look very different today.

All of this underlines the importance of looking at cybersecurity in the modern era less as any one particular technique and more as a complicated network of systems and processes, all working in tandem to guarantee 100% proactive protection at all times.

Image: @stemdotorg


The Importance of Cybersecurity: By the Numbers

John Podesta and the Hillary Clinton campaign are not alone — it is growing increasingly common to wake up and read about yet another massive data breach that has struck some of the largest organizations on Earth. Consider the following statistics as made available from a study from the Identity Theft Resource Center:

  • Between January 1, 2005 and February 8, 2017 there were over 7,000 different breaches confirmed by media sources and/or notifications from government agencies.
  • Throughout the course of those breaches, the 888,600,656 compromising records were stolen.
  • In 2015 alone there were over 169 million records stolen in 781 breaches across sectors like healthcare, education, financial, business and government.
  • In addition to hacking or computer intrusion (which includes things like phishing, ransomware and other malware), the leading causes of many of these breaches included things like insider theft, physical theft, employee error, employee negligence, improper disposal, unauthorized access and vulnerabilities that could be attributed to a subcontractor, third party or business associate.
  • This is a trend that shows no signs of slowing down anytime soon. In 2015, the total number of data breaches and other security incidents rose by an astounding 38% over 2014.

You would think that with numbers like these, people and especially businesses all over the world would already be taking steps to protect themselves from the dangerous digital environments that we’re now operating in. Unfortunately, you would be wrong. Consider the following statistics:

  • According to the Cisco 2016 Annual Security Report, the number of small businesses in particular that are taking steps to protect themselves is actually decreasing. Only 29% used standard tools to prevent breaches in 2015, while 39% indicated that they had done so in 2014 (8).
  • Roughly 52% of those who responded to a survey said that they were confident a successful cyber attack would strike their organization at some point within the next year (11).
  • Only 38% of those who responded to a survey said that they felt their global organization was prepared to handle a “sophisticated cyber incident” executing using multiple techniques (11).
  • When surveyed, 74% of CISOs indicated that they were at least somewhat concerned about their employees stealing valuable information (11).
  • 81% of people who had become victims of a data breach said that their business did not have the necessary system in place, nor the resources to manage it, to detect data breaches in real-time. Instead, almost all of them relied on notification from a third party partner (11).

The Lurking Implications of the Internet of Things

The Internet of Things (also commonly referred to as the IoT) is a concept defining a network made up of billions of devices, all connected to both the Internet and to each other, that are creating, storing and sharing information with one another in real-time. It’s the same fundamental technology that lets you automatically adjust the temperature in your home using an app on your smartphone, or that lets you instantly share real-time healthcare information with your primary care physician using a wearable device like a smartwatch.

Now, consider two things. First, the fact that any device connected to a network — from the most powerful computer to a smart television set — is a potential vulnerability just waiting to be taken advantage of by someone who knows what they’re doing. Next, think about the fact that Cisco estimates there will be 200 billion devices all over the world that make up the Internet of Things by 2020 (13). Those two facts paint a very broad picture about the potential cybersecurity implications looming just over the horizon as the IoT becomes a more ingrained part of our lives in the not-too-distant future.

  • According to estimates from the research firm IDC, spending on the Internet of Things will top $1.7 trillion annually by 2020 (13).
  • This number is made up in part of the massive “smart home” industry, which itself generated $79 billion in revenue in 2014 (13).
  • By 2020, 90% of all cars sold worldwide will be connected in some way to the Internet of Things (13).
  • If you limit the discussion to just smart watches, fitness trackers and other types of wearable devices, there will be 173.4 million devices in the wild by 2019 according to IDC experts (13).

WIth the sheer volume of data being created and transmitted thanks to the Internet of Things alone, it is imperative that cybersecurity move away from reactive strategies of “wait and respond” and into proactive territory. Even techniques like network scanning must evolve to not only offer real-time identification, but must embrace predictive analytics in an effort to identify suspicious behaviors and patterns to stop problems before they have a chance to occur.

The Future of Cybersecurity Careers

As one would expect when talking about a topic as important and as pressing as cybersecurity, careers in the field are constantly in-demand in nearly every segment that you can think of. According to a study conducted by the University of Maryland University College, there were actually be a global shortfall of about 1.5 million positions in the field by as soon as 2019 (9).

Likewise, the demand for talented individuals trained in state-of-the-art cybersecurity techniques and systems is expected to grow rapidly — according to the Bureau of Labor Statistics, demand for information security analysts is expected to grow at 18% per year between 2014 and 2024, which is much faster than the national average for other positions (10). For reference, the media pay for an information security analyst in 2015 was $90,120 per year, which breaks down to roughly $43.33 per hour (10).

People like information security analysis are so important moving forward because they’re not just tasked with making the best use of existing technologies to allow us to stay protected. They’re also tasked with coming up with all new ones (10). As the techniques of hackers and others with malicious intentions become more sophisticated and advanced, cybersecurity efforts must change along with them. These are the people who will be mission-critical in terms of actually creating the innovative solutions needed to combat the digital threats of tomorrow, let alone the ones of today.

Potential employers for future cybersecurity professionals include nearly every sized business in every industry that you can think of. The major factor to understand about cybersecurity is that it is an issue that doesn’t discriminate. Hackers can potentially steal just as much from private citizens as they can from state governments depending on the information they obtain and the value of that data on the black market.

Even healthcare, which one probably would not think about when making a list of high value targets, is actually the single most targeted sector there is(12). A hacker who obtains someone’s credit card information might be able to make a few hundred dollars in fraudulent purchases before getting shut down. A hacker who obtains medical records, on the other hand, could potentially make hundreds of thousands of dollars in fraudulent equipment or medical purchases that can then be resold at a premium on the black market.

Because of this, cybersecurity isn’t just an in-demand form of employment — it’s needed by any business or other organization that uses the Internet in any way. Which, in 2017, is “all of them.”

In the End

Technology isn’t just an important part of our lives — it is perhaps the most important part, both in terms of our personal lives and in the world of business. “Cybersecurity” no longer involves just “making sure that your computer doesn’t have a virus” or “helping to protect you if your credit card information gets stolen on your next shopping trip.” The implications of a data breach in 2017 have potentially devastating consequences, to say nothing of how things will grow more severe incredibly rapidly as the Internet of Things and similar technologies take hold.

Cybersecurity, along with the hardworking men and women who make up this field, will become our first lines of defense to help guarantee that we as a society enjoy all of the benefits that our connected lives bring to the table with as few of the potential cyber cataclysms as possible. Make no mistake: the importance of cybersecurity as a very idea and as a value simply cannot be overstated enough.

Andrew B. Raupp is the Founder / Executive Director @stemdotorg

“Democratizing science, technology, engineering and math (STEM) education through sound policy & practice…