“The purpose of the survey was to examine current baseline cybersecurity knowledge of state elected and appointed officials in order to identify educational needs regarding this topic,” said Todd Sander, vice president of research for the Governing Institute. “We found that, although legislators know the risks are high, many are not as involved as they could be and significant cybersecurity gaps remain.” Despite the fact that fully 8 in 10 respondents (83 percent) agree that cybersecurity is a priority for them, and nearly three quarters (72 percent) believe their state’s current level of cyber risk is moderate to high, legislators are not as immersed in state cybersecurity efforts as they could and would like to be, according to the survey. Even as cybersecurity has become an increased priority for states, only 18 percent of surveyed legislators currently sit on a committee with cybersecurity as part of its official mandate.
Here are some of the top highlights:
- 18 percent of surveyed legislators sit on a committee that designates cybersecurity as part of its official mandate.
- 43 percent of survey respondents cited funding as a limiting factor to cyberdevelopment.
- 50 percent cited personnel as a limiting factor.
- 43 percent said there is a general lack of cybercomprehension in their state.
Meanwhile, Verizon recently released another helpful report that is worth reviewing. The Verizon Data Breach Digest offers 18 cybercrime case studies, chosen to represent the most common and destructive types of incidents Verizon has seen over the last eight years. For each incident, the report describes the events leading up to the breach, the details of the investigation, and how the organization recovered with professional help. The digest ranks each of the 18 types of attack.
It also explains who’s at risk and describes what steps you can take to better protect your organization.
The 18 data breach scenarios are clustered into four groups, each described as follows:
A. The human element — five scenarios highlighting human threats or targets.
B. Conduit devices — five scenarios covering device misuse or tampering.
C. Configuration exploitation — four scenarios focusing on reconfigured or misconfigured settings.
D. Malicious software — four scenarios centering on sophisticated or special-purpose illicit software.
1. Point-of-sale (POS) intrusions — POS application/system related attacks.
2. Web app attacks — Web application related stolen credentials or vulnerability exploits.
3. Cyberespionage — state-affiliated, targeted attacks.
4. Crimeware — malware used to compromise systems.
5. Insider and privilege misuse — unauthorized insider-related activity.
6. Payment card skimmers — physically installed malicious card readers.
7. Miscellaneous errors — any mistake that compromises security.
8. Physical theft and loss — physical loss or theft of data/IT related assets.
9. Denial of service (DoS) attacks — non-breach-related attacks affecting business operations.
CSO Magazine wrote this story on the new Verizon Data Breach Digest. I like this quote:
"Everyone is told by their company, 'Do this, don't do that' and they may not understand why," said Chris Novak, director of the investigative response team at Verizon. "This digest explains the why." According to Novak, the digest is based on 1,175 forensic investigations that Verizon has conducted over the past three years. Two-thirds of the cases fall into just a dozen scenarios, he said. Another six scenarios are less common overall, but have a bigger impact on targeted companies. "One of the key take-aways that we're hoping folks will realize here is that there's such commonality between the cases," Novak said. "There's a perception that everyone is in this alone. By putting these stories out there, it shows the industry that they are not alone."
Wrap-Up
You may be wondering, why am I highlighting these two specific reports?
I think that both of these cybersecurity studies are well done and come from telecommunication leaders like AT&T and Verizon. Also, they dive deeper into the trends and actions that can help enterprises make progress in their information security programs.
I strongly encourage readers to take a close look at these two studies.