White Paper

As Digital Transformation Takes Hold, Data Security Becomes Paramount

More data means more targets for cybercriminals, so organizations must deal with new threats.
March 03, 2020

Security threats have evolved significantly in recent years, with sophisticated attacks such as phishing and ransomware becoming commonplace. Organizations have struggled to keep up.

The root of the data security problem for most organizations has everything to do with changing technologies combined with the sheer volume of data now at stake. Digital transformation across industries in recent years has helped drive significant improvements in business management and workflows, but it has also made organizations of all sizes vulnerable to many new and shifting threats. As an enterprise expands the number of devices it has in service, and as more of these technologies become digitally connected, the chance that they will experience security issues increases as well — often in ways that are difficult to predict.

One recent report by the market intelligence firm IDC, “The Digitization of the World from Edge to Core,” (PDF) predicts that the total volume of data worldwide will increase from 33 zettabytes (one zettabyte equals 1 trillion gigabytes) in 2018 to 175ZB in 2025. Over the next five years, IDC forecasts, the Internet of Things will expand to include more than 150 billion connected devices. Data “is at the heart of digital transformation,” the report notes, and enterprises are using it “to improve customer experiences, open new markets, make employees and processes more productive, and create new sources of competitive advantage.”

The primary data-related challenge for these organizations involves its continuous management: As companies adopt digital technologies to bolster efficiencies and business intelligence, they have to ensure they can keep these systems safe from the cybercriminals who see them as their personal pots of gold. Digital innovation, notes the 2019 Global Cyber Risk Perception Survey (PDF) from Microsoft and Marsh, is critical to success for most businesses, but it also “often adds to the complexity of an organization’s technology footprint, including its cyber risk.” When Microsoft and Marsh polled 1,500 business leaders around the world, 79 percent of respondents ranked cyber risk among the five most significant concerns for their organization, and many indicated they worried that they lacked the ability to manage such risks. According to the survey: 18 percent of respondents said they had “no confidence” their organization was capable of understanding and assessing cyber risks; 19 percent said they didn’t believe their organization could prevent cyberattacks; and 22 percent indicated they lacked the ability to respond to and recover from cyber events.

279 days

The average amount of time needed to detect and contain a cybersecurity breach

Source: Ponemon Institute, “Cost of a Data Breach Report 2019,” June 2019

New Cyber Risks, New Threats to Data

So, what “cyber risks” do organizations actually face? On a macrolevel, according to another recent report — “State of Enterprise Risk Management 2020” by the IT governance association ISACA, the CMMI Institute and Infosecurity Group — organizations report that the biggest threats to cybersecurity include “changes/advances in technology” (64 percent), “changes in the types of threats” (60 percent), “too few security personnel” (52 percent), “missing skills in existing cybersecurity team personnel” (51 percent) and “increased number of threats and/or increased frequency of threat occurrence” (45 percent). 

But the specific lines of attack vary significantly. For example, many cybercriminals exploit frontline employees through social engineering to gain access to an organization’s information systems. Phishing attacks that use phony email to exploit users and steal their login credentials are also common. Another common attack vector is malware (including mobile malware) delivered via email as an image, a PDF or a link to a malicious website. And with many attacks, there’s the added threat that the infiltration may go undetected for an extended period. Median “dwell time,” as it’s known, has decreased, thanks in part to better awareness of cybercrime and new detection technologies, but as any company that has a cybercriminal who has been prowling through its systems unnoticed will attest, a dwell time of any length is far too long.

Once a cybercriminal has access to an organization’s systems, anything could happen next. A company hit with encryption ransomware might find it impossible to access important files unless it pays a substantial fee in cryptocurrency to the attacker. Or the cybercriminal might threaten to publicize sensitive data and expose the company in ways that could damage its reputation. A malware infection on the systems of a major retailer could lead to the exposure of customer credit card accounts, while a similar attack on the financial systems of a university might threaten the private data of faculty and students. A 2019 IDG Research/CDW survey of more than 400 IT professionals and business executives at companies with 250 or more employees asked participants to rank the specific cybersecurity risks that concerned them the most. Malware, viruses and worms were at the top of their list, followed by identify theft, data tampering, and ransomware. Slightly less concerning to those who were polled: a slew of other potentially ruinous cybercrimes, including unauthorized access to corporate financials, network denial of service, and espionage access to trade secrets.

Finally, many within the information security community believe that artificial intelligence is poised to revolutionize how cybercriminals work. Cyberattackers, explained an October 2019 article on the information security website Dark Reading, can use AI and deep learning to create “deepfakes,” for example, where a person’s voice or image is superimposed over another’s to trick the listener or viewer into doing something against their interest. The author cites one instance where a cybercriminal used AI to dupe an energy business executive into wiring $243,000 to a company that didn’t exist.

It’s the potential financial impact of cybercrime, in fact — and the fear that a breach may go uncontained to the point where the damage becomes irreversible — that keeps many IT professionals up at night. According to the Ponemon Institute’s “2019 Cost of a Data Breach Report,” the average data breach lifecycle — the time it took for an organization to identify and contain a breach — rose 4.9 percent between 2018 and 2019 and is now up to 279 days. (That figure is for breaches of all kinds, including those that are criminal in nature and those that occur accidentally. In the case of criminal attacks, which are responsible for more than half of all breaches, the data breach lifecycle is now 314 days.) Longer breach lifecycles, the Ponemon report notes, inevitably lead to higher costs. The average total cost of a breach in 2019 was $3.9 million among organizations worldwide.

To learn more about how you can improve your data security, read the CDW white paper “Protecting Data in a Shifting Security Landscape” from CDW.