By rights, 2015 should be the year of cyber security. After all, 2014 was the year of cyber-security failure. Just consider some of the highlights:
- JP Morgan
- Sony Pictures
- Home Depot
- Neiman Marcus
- US Postal Service
- iCloud (if none of the others mean anything to you, this one will. Just think “Jennifer Lawrence”)
That’s merely a selection of the ones that made the news this side of the pond. ITRC reports a total of 720 breaches affecting 81.6 million records so far in 2014, in the US alone. That’s counting only breaches where personal information was affected; it doesn’t include DDoS attacks – like the one that took down 1&1 yesterday – or destructive hacks without data leakage (as far as we know), like the one that offlined Sony’s PlayStation Network on Monday. Again.
What about the UK? Well, BIS’s Cyber Security report for 2014 reports that 81% of large businesses and 60% of small businesses had a breach this year, with the cost of the worst breach averaging between £600k and £1.15m for larger businesses and £65k-£115k for small ones. The ICO’s fines total for 2014 so far is £815,000 – relating mostly to breaches from prior years, of course, so we’ll only really know how 2014 turned out this time next year.
And all these scary numbers relate only to the breaches we know about. The UK report is a self-reporting survey; the ITRC report depends on published news reports. Tip, iceberg?
What else happened this year?
We finally defeated the first version of Cryptolocker, the best-known example of “ransomware”. Let this inside your perimeter and it encrypted every file it could reach, then demanded a bitcoin payment for the decryption key. We also saw further development of malware and hacking tools for sale – or even delivered as a service; ever more sophisticated, probably state-sponsored spyware; massive security holes in commonly-used software including the Bash Unix shell, WordPress, Windows, Office and SSL; the development of a portable toolkit for compromising contactless payment cards; the growth in hacked versions of Android apps carrying malware; cyber warfare in Syria and Iraq; the News International phone-hacking trials; a site giving access to open CCTV around the world, including nursery cams…
So here’s my festive question: what are you doing about it?
Will your New Year’s Resolution be to take cyber security seriously, or is it to continue as the Cinderella entry in the depths of your IT budget? Remember, this isn’t just about buying firewalls – it’s about attitude, procedures and training, starting in the Boardroom.
Bah humbug. Happy Christmas.