Dive Brief:
- Businesses experience 22 security breaches annually, down from 30 last year, according to Accenture's State of Cyber Resilience survey of more than 4,600 executives. Accenture found 17% of its respondents are "leaders," those who "scale, train and collaborate more." The majority, 74%, are "average performers," non-leaders that fall between a leader and a laggard.
- Of non-leaders, 44% suffered a breach compromising more than 500,000 customer records, compared to 15% of leaders. Fewer than 10% of leaders faced financial penalties as a result, compared to 19% of non-leaders.
- Indirect attacks exploiting "weak links" in the supply chain or partnerships caused 40% of security breaches in 2019. Currently, organizations only protect 60% of their business ecosystem, according to the report.
Dive Insight:
Data privacy regulators consider the health of business cybersecurity programs when calculating fines. Companies face fines even if they have extensive cyber hygiene.
Regulators also consider how long it takes companies to recover when calculating fines. More than half of leaders said a breach affected them for more than 24 hours, compared with 97% of non-leaders, according to Accenture.
Any lag time in remediation increases a company's chance of fines under the General Data Protection Regulation or the California Consumer Privacy Act. While GDPR went into effect in 2018, most of its penalties are still in the "intent to fine" stage, leaving room for companies to negotiate with regulators.
Early detection is a company's best defense against a breach. However, fewer than one-fourth of non-leaders are able to detect a breach within a day, compared to 88% of leaders, according to Accenture.
Data lives in motion, flowing between business partners and security systems. Bad actors find holes in data aggregators, brokers, contractors, or other service providers that sit between customers and the companies they do business with.
Quest Diagnostics and LabCorp's data breach was caused by a weak link in their business ecosystem: their billing collector. The billing company was compromised for eight months and left the two companies answering to Congress. The companies' third-party risk management was in question; their internal security programs were not.
Only 15% of organizations have some degree of confidence in how they mitigate supply chain threats, according to Microsoft. Whitelisting, a mechanism for approving connections, is one approach to vetting third parties: with whitelisting, transactions are denied by default.
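As an added illustration (not from the article or the Accenture report), here is what a deny-by-default allowlist for partner connections looks like in Python; the partner names, IP ranges and operation names are constructed for the example, and each partner is scoped to approved source networks, approved operations and an expiry date that forces re-review:

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

@dataclass
class AllowEntry:
    partner: str
    networks: list   # CIDR strings the partner may connect from
    operations: set  # API operations the partner is scoped to
    expires: date    # forces periodic re-review of the third party

# Constructed allowlist (hypothetical partners, documentation IP ranges).
ALLOWLIST = [
    AllowEntry("billing-collector", ["203.0.113.0/24"], {"invoice.read", "invoice.create"}, date(2020, 6, 30)),
    AllowEntry("lab-courier", ["198.51.100.8/32"], {"order.read"}, date(2021, 1, 31)),
]

def evaluate(partner, source_ip, operation, today, allowlist=ALLOWLIST):
    """Return (allowed, reason); nothing passes unless an unexpired entry matches, so deny is the default."""
    ip = ipaddress.ip_address(source_ip)
    day = date.fromisoformat(today)
    reasons = []
    for entry in allowlist:
        if entry.partner != partner:
            continue
        if day > entry.expires:
            reasons.append(f"entry expired {entry.expires.isoformat()}")
        elif not any(ip in ipaddress.ip_network(n) for n in entry.networks):
            reasons.append(f"{source_ip} outside allowed networks")
        elif operation not in entry.operations:
            reasons.append(f"{operation} not in scope")
        else:
            return True, "matched allowlist entry"
    return False, "; ".join(reasons) or "no allowlist entry for partner"

# Constructed batch of partner transactions: (partner, source IP, operation).
SAMPLE_TRANSACTIONS = [
    ("billing-collector", "203.0.113.10", "invoice.read"),
    ("lab-courier", "198.51.100.8", "order.read"),
    ("billing-collector", "203.0.113.10", "invoice.delete"),
    ("billing-collector", "192.0.2.5", "invoice.read"),
    ("unknown-vendor", "203.0.113.10", "invoice.read"),
]

def denied_attempts(transactions, today, allowlist=ALLOWLIST):
    """Return the denied transactions in a batch: the events worth alerting on."""
    results = [(p, ip, op, evaluate(p, ip, op, today, allowlist)) for p, ip, op in transactions]
    return [(p, ip, op, reason) for p, ip, op, (ok, reason) in results if not ok]
```

A denial for a partner that is on the list (wrong network, out-of-scope operation, or an expired entry) is the kind of early signal the article's detection numbers are about, so the denied list belongs in monitoring rather than only in a log file.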