Cybersecurity and protecting our data are perhaps the most pressing topics in today’s era of work. The reality is no business is immune and we each have a role to play in protecting our business and our work. The hard truth is each business is only as strong as its weakest link—and we all must become vigilant to protect and secure our businesses. We all have a part to play if we want to keep our personal and business data safe.
We also know that each year millions of dollars are lost to ransomware attacks. The cost to victims is soaring and is predicted to hit a staggering $265 billion annually by 2031. Cybersecurity Ventures' dire prediction is based on the premise that financial damages could grow by 30% year over year during the next decade.
With this information in hand, the question arises: are we exaggerating the problem? Are breaches increasing, and are they getting more expensive? What industries are being targeted by cyber criminals? Do we need to step up our cybersecurity training and narrow the skills gap to protect data? Is data more vulnerable when constantly transferred from the cloud or edge?
What can companies do to increase training in cybersecurity and to protect personal and business data in a hybrid world? Beyond training, what else can companies do today to protect their businesses? How are companies handling their increasing digital supply chains and the risks that come along with them? How do you believe companies can utilize AI for third-party cyber risk management?
These are the questions companies need to ask and answer before customer information is stolen and leaked. To help, we polled the experts and got candid feedback about what the future holds for cybersecurity and our businesses.
When we talk about cyber breaches, are we exaggerating the problem?
“Not at all. In the same way certain clothes go in and out of style, so do threat actors’ preferred methods of attack. This provides them with a few advantages: the element of surprise and a ton of attention. On the other end, those dealing with these changing attack trends are often at a disadvantage.
For example, in the early stages of hybrid/remote work in 2020-2021, ransomware surged, and all sights shifted there. This called for organizations to quickly leverage a SASE (secure access service edge) model to protect against threats. What most businesses didn’t realize, however, is that other attack vectors were still gaining momentum — even if they avoided an immediate spotlight. One that went unnoticed was DDoS (distributed denial-of-service) attacks. In 2020, research showed that DDoS attacks were a growing threat and emphasized the need for organizations to proactively protect against them. Now, DDoS attacks have escalated greatly, and in the past year alone, DDoS attacks have had a revival of sorts.
Because of this ongoing cycle, cybersecurity must be top of mind for all organizations as they focus not only on today’s cybersecurity threats but also on what preparations need to be made for the attacks that have yet to make headlines.” – Theresa Lanowitz, head of evangelism, AT&T Business – Cybersecurity
“In the realm of cybersecurity, it’s evident that the threat of cyber breaches is not being exaggerated. According to IBM’s Cost of a Data Breach 2023, a striking two-thirds of data breaches can be attributed to an organization’s third-party relationships or direct attacker actions. Alarming as well, when organizations had breaches reported by the attackers themselves, the cost was on average $1 million more compared to when the organizations detected the breach internally.
A prominent target of these breaches has been the healthcare industry, experiencing a significant 53% rise in breach costs since 2020, with the average cost of a breach standing at $10.93 million, according to IBM’s study. These statistics underscore the importance of a robust IT risk management program to protect against and mitigate the impacts of data breaches, making it clear that organizations cannot afford to downplay the severity of cyber threats.” – Matan Or-EL, CEO and co-founder, Panorays
“Like other crimes, disasters, and painful experiences, it’s easy to think the problem is exaggerated and people are making it sound worse than it is … until it happens to you. While larger organizations may be able to weather the financial and reputational damage from a cyber breach, it’s been reported that 60% of small businesses will close their doors within six months if they are the victims of a cyber breach. These attacks are increasing across all sectors for all organization types and sizes. The threat is real, and organizations need to be prepared.” – Sam Heiney, a cybersecurity expert, Impero
“Cyber breaches are often thought of as data breaches – exposing customer data such as identity information, account passwords or payment details. However, that concept also includes breaching hardware or software systems to manipulate a device – such as accessing the braking system in an automobile or adjusting the dosage of a wearable insulin pump.
In an ever more connected world, cyber breaches are only going to increase. From the individual level to large organizations – from software to device components – and across all industries – there is the potential for vulnerabilities to be exploited. So, when we think about the possibility of a cyber breach, we must be aware that simply accessing data is not the only potential consequence.” – Ana Tavares Lattibeaudiere, executive director, GlobalPlatform
“Certainly, the media is always trying to grab our attention, but I don’t think the seriousness of the problem is being exaggerated. It’s becoming common warfare across nations to disrupt supply chains and compromise companies’ confidentiality, integrity and availability.” – Josh Heller, manager of security engineering, Digi Intl.
Are breaches increasing, and are they getting more expensive?
“Indeed, cyber breaches are evolving, becoming more frequent and more costly. In recent years, we’ve witnessed a surge in the sophistication and scale of cyberattacks, making them increasingly complex and challenging to counter. Attackers continuously refine their tactics, leveraging advanced technologies and strategies to breach security measures, infiltrate systems, and compromise sensitive data. This alarming trend has driven the average cost of breaches to reach an astonishing $9.48 million in the United States.
A significant contributing factor to this escalation is the expanded attack surface resulting from the growing number of companies working with third parties. As businesses widen their networks and collaborations, the attack surface expands, and unfortunately, defense mechanisms often prove insufficient. This imbalance between the increasing attack surface and inadequate defenses significantly heightens the likelihood of breaches occurring. Furthermore, the financial repercussions of breaches now extend beyond direct financial losses, encompassing regulatory fines, legal fees, reputational damage, and the expenses associated with implementing enhanced security measures. Thus, it’s imperative to invest in robust cybersecurity defenses and response mechanisms to address this mounting threat.” – Matan Or-EL, CEO and co-founder, Panorays
“There has been a definite increase in the number of breaches. Criminals have discovered ways to monetize personal data, so instead of focusing exclusively on payment processing or financial data, healthcare records, education records, and any other personal data you can think of are now targeted.” – Sam Heiney, a cybersecurity expert, Impero
“The frequency of these attacks is increasing, and they’re becoming more expensive for businesses to deal with. On average, these data breaches cost organizations seven figures and it can take them months to recover. So, unless you’re a behemoth, the devastation is definitely going to be felt. That’s why running proactive security and having an incident response program is so important. If you’re simply running reactive security, you’re putting yourself at increased risk.” – Josh Heller, manager of security engineering, Digi Intl.
What industries are being targeted by cyber criminals?
“We’re entering the next generation of computing, and businesses have witnessed a transformative surge in capabilities. While these innovations have undoubtedly ushered in new opportunities, they have paved the way for cybercriminals to exploit vulnerabilities. The landscape of cyberattacks is evolving into a realm of increased sophistication and strategic maneuvering. This evolution is particularly pronounced as we transition from conventional laptops and desktops to IoT (Internet of Things) devices. All industries are at risk of cyberattacks. However, recent research reveals that the finance industry, which historically has invested heavily in cybersecurity due to the sensitive information it handles, has the highest attack concern of all industries, with business email compromise and personal information exfiltration being the most likely perceived attacks.” – Theresa Lanowitz, head of evangelism, AT&T Business – Cybersecurity
“Cyber criminals are increasingly targeting a diverse range of industries, exploiting third-party vulnerabilities within supply chains to compromise highly valuable and sensitive data. Industries such as finance, healthcare, education, and technology have emerged as prime targets. In the finance sector, breaches like the one at KeyBank revealed how hackers stole personal data through vulnerabilities in an insurance services provider. The healthcare sector has been significantly impacted, as seen in the breach at Highmark Health, emphasizing the vulnerability even through fourth-party vendors. Educational institutions, as highlighted by the Illuminate Education cyberattack, are also attractive targets due to the wealth of sensitive student data they possess. The evolving threat landscape underscores the critical importance of robust third-party risk management across various sectors to minimize the financial and reputational damage stemming from such cyber breaches.” – Matan Or-EL, CEO and co-founder, Panorays
“The ‘traditional’ targets are still there – financial, retail, anywhere payments are processed, and criminals can access financial information. However, personal data of all types can now be monetized. There have been dramatic increases in cyber-attacks on healthcare, hospitality, and education.” – Sam Heiney, a cybersecurity expert, Impero
“As we are seeing in the headlines on a weekly basis, a variety of industries are experiencing cyber-attacks. Currently, healthcare and retail are being identified as particularly vulnerable. Going forward, we should anticipate that all industries will be targeted for cyber-attacks as any connected device is exposed to that possibility.
Over 20 years ago, GlobalPlatform was established to develop standardized technologies that were first adopted by the banking industry to enable secure digital payments. We then shifted to securing the components within mobile devices and identity cards. Through the standardization of secure component technologies, the majority of the world’s credit cards, SIM and eSIM cards, identity cards, ePassports, and smart cards utilize GlobalPlatform specifications. And more than 70 billion GlobalPlatform-certified components are used in devices across market sectors, including payments, mobile connectivity and IoT. Now, we are focused on bringing industry collaboration and standardization to the automotive sector to ensure the cybersecurity of vehicle components and safeguard the deployment of connected vehicles and services.” – Ana Tavares Lattibeaudiere, executive director, GlobalPlatform
“Healthcare, financial services, retail, education, government facilities, and energy and utilities are some of the industries being targeted. In particular, I would say healthcare organizations are some of the most popular targets, consisting of about 30% of breaches.” – Josh Heller, manager of security engineering, Digi Intl.
Do we need to step up our cybersecurity training and narrow the skills gap to protect data?
“Absolutely. The escalating complexity of cyber threats, exacerbated by rapid technological advancements, requires bolstered cybersecurity training to keep up. The evident skills gap in the cybersecurity workforce poses a significant risk, leaving organizations more vulnerable to potential breaches. Despite the global cybersecurity workforce growing to a record 4.7 million, according to the (ISC)2 2022 workforce study, the need for security professionals has surged by over 26% since 2021, emphasizing the urgency to fill this gap.
Strengthening cybersecurity training is also crucial to enhance individuals’ ability to detect and thwart cyber threats effectively. Despite a notable 58% improvement in identifying phishing attempts through training, 34% still fell victim to this type of cybercrime last year according to The National Cybersecurity Alliance’s Annual Cybersecurity Attitudes and Behaviors Report. The report also found that 36% of the reported incidents were phishing attacks that led to a loss of money or data, underlining the need for more comprehensive and impactful educational initiatives. This can include everything from real-world simulation exercises to simply providing ongoing support and updates on evolving cyber threats.” – Matan Or-EL, CEO and co-founder, Panorays
“For most organizations, the most significant threat vector is staff. Our people – employees, vendors, service providers, etc. – are targeted by phishing campaigns and social engineering threats. Cybersecurity training for your people is vital to protect data. Training should be mandatory and happen more than once. Threats change, people forget things. Training should include refresher courses and updates to ensure individuals retain the information and consistently put cybersecurity practices in place.” – Sam Heiney, a cybersecurity expert, Impero
“Every organization needs to have some level of training that goes beyond things like SOX compliance where the organization is only going to meet a certain bar to pass an audit. You need tailored training for your organization. If you build software services, you should have secure code training for your software developers. If your financial people are handling sensitive data, then they should have things like internal procedures and know how to handle various cybersecurity situations. There should be risk assessments done for every department. Those departments should ask themselves: What are our risks? How can we mitigate what could happen?” – Josh Heller, manager of security engineering, Digi Intl.
Is data more vulnerable when constantly transferred from the cloud or edge?
“Anything connected to the internet and transferring data is at risk. While enhancing connectivity, applications and devices connected to the cloud or edge introduce many potential entry points for cyberattacks. IoT devices, in particular, are often set and forget, with default passwords and usernames left unchanged, providing adversaries with a straightforward path to infiltrate networks laterally through these devices. The consequences of compromising many IoT devices can be severe for businesses, leading to network degradation and delayed response times. That being said, technologies such as EDR (endpoint detection and response), MDR (managed detection and response), and XDR (extended detection and response) are emerging as essential requirements in bolstering cybersecurity defenses.” – Theresa Lanowitz, head of evangelism, AT&T Business – Cybersecurity
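The lateral-movement path described above (a set-and-forget IoT device used as a foothold to reach other internal hosts) is exactly the kind of behaviour a detection layer should surface. The following is an added example, not code from the article or from any vendor quoted in it: a fan-out detector that runs over a handful of constructed flow records and flags any device on an assumed IoT VLAN that contacts an unusually large number of distinct internal hosts within a short window. The log format, the subnet prefix, the window and the threshold are all assumptions.

```python
"""Flag IoT devices that fan out to many internal hosts, a lateral-movement signal.

Added example, not from the original article. The flow-record format, the IoT
subnet prefix, the window size and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.20.0.15 is a well-behaved sensor; 10.20.0.42 starts probing a server VLAN.
SAMPLE_FLOWS = """\
2024-03-01T10:00:01 10.20.0.15 10.20.0.1 443
2024-03-01T10:00:05 10.20.0.15 10.20.0.1 443
2024-03-01T10:01:00 10.20.0.42 10.10.1.5 445
2024-03-01T10:01:02 10.20.0.42 10.10.1.6 445
2024-03-01T10:01:03 10.20.0.42 10.10.1.7 445
2024-03-01T10:01:04 10.20.0.42 10.10.1.8 22
2024-03-01T10:01:05 10.20.0.42 10.10.1.9 22
2024-03-01T10:01:06 10.20.0.42 10.10.1.10 3389
2024-03-01T10:30:00 10.20.0.42 10.10.1.11 445
"""

IOT_SUBNET_PREFIX = "10.20.0."   # assumption: the camera/sensor VLAN
WINDOW = timedelta(minutes=5)    # assumption: sliding window length
FANOUT_THRESHOLD = 5             # assumption: distinct internal targets per window


def parse_flows(text):
    """Parse the constructed format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def is_internal(ip):
    # Assumption: all internal address space lives under 10.0.0.0/8.
    return ip.startswith("10.")


def _numeric_ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def detect_fanout(flows, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: (window_start, [targets])} for IoT sources whose number of
    distinct internal destinations inside any sliding window reaches the threshold.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if src.startswith(IOT_SUBNET_PREFIX) and is_internal(dst) and dst != src:
            by_src[src].append((ts, dst, port))

    alerts = {}
    for src, events in by_src.items():
        best_targets, best_start = set(), None
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start] is within `window` of events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst, _ in events[start:end + 1]}
            if len(targets) > len(best_targets):
                best_targets, best_start = targets, events[start][0]
        if len(best_targets) >= threshold:
            alerts[src] = (best_start, sorted(best_targets, key=_numeric_ip_key))
    return alerts


if __name__ == "__main__":
    for src, (start, targets) in detect_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src} contacted {len(targets)} internal hosts from {start}: {targets}")
```

In production the threshold should be set from a per-device baseline rather than a constant, and the same fan-out logic applies to ports per host (a port scan) as well as hosts per source; the point is that a device whose legitimate job is to talk to one collector has no reason to touch six servers in six seconds.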
“The vulnerability of data depends on various factors, including the security measures in place and the specific transfer processes. Data can be vulnerable during transfer both from the cloud and the edge if proper encryption, authentication, and access controls are not implemented. When data is in transit from the edge to the cloud or vice versa, it’s exposed to potential threats, making secure transfer protocols crucial. Employing robust encryption and utilizing secure channels significantly mitigate the risks associated with data transfer, ensuring data remains protected regardless of its origin or destination.” – Matan Or-EL, CEO and co-founder, Panorays
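The answer above names encryption, authentication and access controls as the properties data in transit needs. Transport encryption (TLS) covers confidentiality, but a cloud service also has to be able to tell that a message really came from a given edge device, has not been modified, and is not an old message played back. The following is an added example, not code from the article or from any vendor quoted in it: a small authenticated-envelope scheme using HMAC-SHA256 over a canonical JSON body with a timestamp and a nonce, and a verifier that rejects tampered, stale and replayed messages. The envelope layout, the freshness window and the per-device shared-key provisioning are assumptions; in practice this sits inside TLS rather than replacing it.

```python
"""Edge-to-cloud message authentication with freshness and replay protection.

Added example, not part of the original article. The envelope layout, the
freshness window and the shared-key provisioning are assumptions. HMAC gives
integrity and origin authentication only; confidentiality still needs TLS.
"""
import hashlib
import hmac
import json
import os

FRESHNESS_SECONDS = 120  # assumption: reject anything older than two minutes


def _canonical(body):
    # Deterministic serialization so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(key, device_id, payload, now, nonce=None):
    """Build an envelope; device_id, ts, nonce and payload are all under the MAC."""
    body = {
        "device_id": device_id,
        "ts": int(now),
        "nonce": (nonce or os.urandom(16)).hex(),
        "payload": payload,
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Verifier:
    def __init__(self, keys, freshness=FRESHNESS_SECONDS):
        self.keys = keys            # device_id -> shared key (assumed pre-provisioned)
        self.freshness = freshness
        self.seen = {}              # nonce -> ts, pruned as entries age out

    def open(self, envelope, now):
        """Return ("ok", payload) or (reason, None).

        The MAC is checked before freshness and replay so that unauthenticated
        input can never influence the nonce cache.
        """
        key = self.keys.get(envelope.get("device_id"))
        if key is None:
            return "unknown device", None
        body = {k: v for k, v in envelope.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return "bad mac", None
        ts, nonce = body.get("ts"), body.get("nonce")
        if not isinstance(ts, int) or abs(now - ts) > self.freshness:
            return "stale", None
        # Drop cached nonces that can no longer pass the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.freshness}
        if nonce in self.seen:
            return "replay", None
        self.seen[nonce] = ts
        return "ok", body.get("payload")


if __name__ == "__main__":
    key = os.urandom(32)
    verifier = Verifier({"pump-01": key})
    msg = seal(key, "pump-01", {"dose_units": 2.5}, now=1_700_000_000)
    print(verifier.open(msg, now=1_700_000_010))   # ("ok", {...})
    print(verifier.open(msg, now=1_700_000_011))   # ("replay", None)
```

The nonce cache only needs to hold entries for the freshness window, which is what keeps replay protection bounded in memory on the receiving side; a device whose clock drifts beyond the window will see "stale" rather than "bad mac", which is the signal operators want for diagnosing time sync rather than key problems.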
“A good mind-set for data security is to assume all data is vulnerable. Period. Wherever it is stored, from wherever it is accessed. If you have financial data, or any kind of personally identifiable data, it needs to be protected. That includes on your network, in the cloud, at the edge … all of it.” – Sam Heiney, a cybersecurity expert, Impero
“I think data is more vulnerable when being transferred from edge to device. Edge devices are often less secure than cloud servers, and they’re smaller and less powerful. They might be located in remote or unsecure locations as well. So, the ability for them to be physically stolen is definitely there. Additionally, a lot of edge devices are running on software that’s outdated and has vulnerabilities, and so they become gateways for hackers to get in.” – Josh Heller, manager of security engineering, Digi Intl.
What can companies do to increase training in cybersecurity and to protect personal and business data in a hybrid world?
“To advance security, there must be a collective understanding that organizations must address cyber risks as part of their overall strategy, design, and delivery. A simple way of training staff is by ensuring they understand their role on the front line of defense. This means ensuring staff can identify threats resulting from common attacks, such as phishing and ransomware. Monitoring and mitigating against threats needs to be a continuous and conscious effort by all.” – Theresa Lanowitz, head of evangelism, AT&T Business – Cybersecurity
“To enhance training in cybersecurity and safeguard personal and business data in a hybrid world, companies should invest in comprehensive cybersecurity training programs for their employees. These programs should cover evolving cyber threats, secure coding practices, incident response, and privacy protocols.
Additionally, promoting a cybersecurity-aware culture within the organization is crucial. Regular workshops, simulated cyber-attack drills, and continuous education on emerging threats can significantly raise employees’ awareness and readiness to tackle potential breaches. Collaborating with reputable cybersecurity training providers, establishing mentorship programs, and encouraging certifications like CISSP and CISM can further bolster employees’ expertise in safeguarding data in the hybrid work landscape.” – Matan Or-EL, CEO and co-founder, Panorays
“Most organizations don’t have the resources and training budgets to create their own in-house cybersecurity training. Fortunately, there are a number of resources available with little or no cost. NIST (National Institute of Standards and Technology) provides a list of options on its ‘Free and Low Cost Online Cybersecurity Learning Content’ page.” – Sam Heiney, a cybersecurity expert, Impero
“There needs to be more understanding that cybersecurity professionals aren’t in abundance in an organization. They’re probably the lowest employee department of an organization. So, there needs to be more general awareness of cybersecurity threats from the board of executives down to the rest of a company so that all employees have a security mindset. Since that’s a very tall order, I think it would probably be prudent to focus on what cyber resilience means for every department in the event of a breach, even if that breach is minor. What does that department do? How did they fail gracefully? How do you minimize the impact of what happened? I think building those practices goes a long way. And then, there are more rudimentary things, like making cybersecurity training mandatory or teaching employees how not to use social media. As many people are well aware nowadays, social media is a huge attack vector for getting into a company’s supply chain.” – Josh Heller, manager of security engineering, Digi Intl.
Beyond training, what else can companies do today to protect their businesses?
“Establishing a robust security architecture is paramount in this highly interconnected world of business operations. This is accomplished through traditional security measures and the implementation of specific security tools and practices, with a prime example being threat intelligence. Think of threat intelligence as the data that helps to inform the decisions in managing the risk an organization is willing to take. Beyond the cybersecurity team, this information is beneficial because it increases your company’s resilience and enables continuation in the event of a cyber incident. For executives, threat intelligence serves as a vital tool for comprehending business risks, facilitating communication with stakeholders, and deploying resources strategically to mitigate threats. For security practitioners, it assists in setting priorities for threat management, pinpointing vulnerabilities, and proactively responding to emerging risks.” – Theresa Lanowitz, head of evangelism, AT&T Business – Cybersecurity
“In addition to training, companies can fortify their cybersecurity defenses by implementing a comprehensive TPRM (third-party risk management) program. This involves assessing third-party risk, meticulously onboarding new suppliers, and gaining full visibility into their current strengths and vulnerabilities. Alongside, a robust cybersecurity infrastructure should encompass regular security audits, penetration testing, and vulnerability assessments to proactively identify and address potential weaknesses within their systems. The integration of advanced cybersecurity technologies like intrusion detection systems, encryption tools, and multi-factor authentication adds crucial layers of protection. Establishing a clearly defined incident response plan and regularly conducting drills to ensure all employees are well-versed in how to respond in the event of a breach is paramount.” – Matan Or-EL, CEO and co-founder, Panorays
“Good security practices call for layers of defense. Multiple overlapping layers of security. Cyber security training + regular updates and patches + encryption + multi-factor authentication + role-based access controls + attribute-based access controls + network filtering and monitoring. The list of what an organization should do for security is long, but the message here is don’t rely on a single tactic. You need layers of defense. Start with consistent training, make sure you regularly update and patch your software. Layer in additional defenses and security practices alongside those to be most protected.” – Sam Heiney, a cybersecurity expert, Impero
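The layered approach above lists role-based and attribute-based access controls side by side, and the useful property is how they compose: a role grants a permission, and attribute rules (MFA used, device compliant, network, time of day) can only take it away, never add to it, with deny as the default. The following is an added example, not code from the article or from any vendor quoted in it, showing that composition as a small authorization function. The roles, permissions, attributes and rules are assumptions chosen for illustration.

```python
"""Layered authorization: RBAC grant, then ABAC conditions, deny by default.

Added example, not from the original article. Roles, permissions, request
attributes and the rules themselves are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Layer 1 (RBAC): what each role is allowed to do. Actions are "<resource>:<verb>".
ROLE_PERMISSIONS = {
    "analyst": {"customer_pii:read"},
    "finance": {"customer_pii:read", "payments:write"},
    "admin":   {"customer_pii:read", "customer_pii:export", "payments:write"},
}


@dataclass
class Request:
    user: str
    roles: set
    action: str
    # Assumed attributes supplied by the identity provider / device posture service:
    # mfa (bool), device_compliant (bool), network ("corp"/"home"/...), hour (0-23).
    attrs: dict = field(default_factory=dict)


# Layer 2 (ABAC): each rule returns a denial reason, or None when it is satisfied.
def require_mfa(req):
    if not req.attrs.get("mfa"):
        return "mfa required"


def require_compliant_device(req):
    if not req.attrs.get("device_compliant"):
        return "device not compliant"


def export_only_from_corp_network(req):
    if req.action.endswith(":export") and req.attrs.get("network") != "corp":
        return "export only from corporate network"


def writes_only_in_business_hours(req):
    hour = req.attrs.get("hour")
    if req.action.endswith(":write") and (hour is None or not 8 <= hour < 18):
        return "writes only during business hours"


ABAC_RULES = [
    require_mfa,
    require_compliant_device,
    export_only_from_corp_network,
    writes_only_in_business_hours,
]


def authorize(req):
    """Return (allowed, reasons). Every layer must pass; any single denial wins."""
    granted = set()
    for role in req.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if req.action not in granted:
        return False, ["no role grants " + req.action]
    reasons = []
    for rule in ABAC_RULES:
        reason = rule(req)
        if reason:
            reasons.append(reason)
    return (not reasons), reasons


if __name__ == "__main__":
    req = Request("ana", {"analyst"}, "customer_pii:read",
                  {"mfa": True, "device_compliant": True, "network": "corp", "hour": 10})
    print(authorize(req))   # (True, [])
    req.attrs["mfa"] = False
    print(authorize(req))   # (False, ['mfa required'])
```

Returning every failed reason rather than stopping at the first makes the decision auditable, which matters when the same engine feeds both the access log and the user-facing error; the rule list is also where a new control (say, a patched-firmware attribute for the edge devices discussed earlier) is added without touching the role table.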
“Training is important at an individual level. But more broadly, securing digital services and devices – from smart cards to complex smartphones and IoT devices – requires close collaboration between chip makers, OS and application developers, device manufacturers and end users.
Product certification also plays a key role in supporting a secure-by-design approach and in verifying compliance with region-specific regulations and market requirements. At GlobalPlatform, we operate functional and security certification programs to verify product adherence to GP’s technical specifications as well as market-specific configurations and security levels. Additionally, GlobalPlatform’s SESIP (Security Evaluation Standard for IoT Platforms) methodology provides IoT device makers with a simplified common and optimized approach for evaluating the security of connected products. By verifying the security of the components used within devices, organizations can further ensure the security of the final product and demonstrate adherence to most worldwide regulations. This will be imperative in reducing the costs of security and compliance that would be associated with the launch of new IoT devices and platforms.” – Ana Tavares Lattibeaudiere, executive director, GlobalPlatform
“Information security is a recurring effort that requires symbiosis of technology, policy, and governance. It’s important to establish a baseline information security management system that takes into account these key elements and ensures that its employees are trained to turn policies into procedures. If all you have is policy, but no reporting chain for establishing governance, your company may suffer tremendously by not having alignments on what it means to keep the confidentiality, integrity, and availability of a business in check.” – Josh Heller, manager of security engineering, Digi Intl.
How are companies handling their increasing digital supply chains and the risks that come along with it?
“In the digital landscape, increasing the number of suppliers also heightens the risks involved. This includes often underestimated risks from fourth-party suppliers – entities indirectly connected to the primary suppliers, such as subcontractors or affiliates. Despite lacking a direct contractual relationship, fourth parties may have access to critical systems and sensitive data. This access poses potential risks, as fourth parties could inadvertently or intentionally compromise security, leading to data breaches, unauthorized access, or system vulnerabilities. It’s vital to grasp these potential risks to establish a robust cybersecurity approach for both immediate and indirect supplier networks.” – Matan Or-EL, CEO and co-founder, Panorays
How do you believe companies can utilize AI for third-party cyber risk management?
“Leveraging AI offers a powerful approach to fortify TPRM solutions and expedite cyber risk management processes. AI can play a pivotal role in comprehending and analyzing questionnaires, not only aiding in generating AI-assisted questionnaire responses but also validating the authenticity of these responses. Additionally, AI showcases immense potential in the realm of threat detection, identifying risks and enabling AI-driven remediation efforts for heightened cybersecurity. For example, a straightforward questionnaire can be streamlined through NLP (Natural Language Processing) for swifter evaluation and response, showcasing the efficiency AI brings to the process.” – Matan Or-EL, CEO and co-founder, Panorays
Any additional advice you might want to add?
“Consistently practicing good security hygiene is among the most significant steps organizations can take. Conduct regular security audits of your network infrastructure and ensure timely updates of software and security protocols. This proactive approach is instrumental in pinpointing vulnerabilities and reinforcing your cybersecurity posture. Avoid letting routine tasks like patching lag behind; they are crucial for sustaining cyber resilience and ensuring reliable protection. Consider enlisting the assistance of trusted third-party advisors or external experts in cybersecurity. Their external perspective can offer fresh insights and help you implement the best cyber strategies. Lastly, engage with industry peers and partners to exchange insights and best practices. Learning from others’ experiences can provide valuable guidance in enhancing security measures.” – Theresa Lanowitz, head of evangelism, AT&T Business – Cybersecurity
“Increase your dialogue about cybersecurity. Talk regularly with your executives, employees, vendors, and service providers. Security is a shared responsibility and open communication about threats and how we defend against them is important.” – Sam Heiney, a cybersecurity expert, Impero
“Safeguarding ourselves, companies, organizations, and governments from the threat of cyber-attacks will require industry-wide collaboration, technological standardization, and certification.” – Ana Tavares Lattibeaudiere, executive director, GlobalPlatform
“If leveraged the proper way, I think AI can provide more visibility and faster reaction times to really help a lot of these vulnerable IoT devices. Smaller companies, in particular, can benefit from this because AI, in a lot of cases, is open-source technology. Therefore, they can take those data models and come up with their own ideas on how to build efficient tools.” – Josh Heller, manager of security engineering, Digi Intl.