02 Feb Why do we still witness data leaks?
With data leaks still a pressing concern, Sergey Ozhegov, CEO SearchInform, asks what is the problem of modern data security — technology, approach, or people?
The issue of data security — both personal and corporate data security — has recently scaled up unprecedentedly. Data breaches are steadily increasing, and alongside that, so too is the cost of a data loss. According to the global Cost of a Data Breach Report 2023 by IBM, the average cost of a data breach reached an all-time high in 2023 of US$4.45 million.
The second highest average cost of a data breach was for Middle Eastern companies (primarily, Saudi Arabian and UAE companies). Meanwhile, according to the 2022 Cost of Insider Threats global report by Ponemon Institute, the average annualised cost for insider incidents accounted for US$15,378,635 in 2022.
In addition to data breaches, there are many other problems: data fraud, unauthorised access, work for competitors, and so on. So why is it that all of this is so rampant in the world if the biggest companies and the most talented cyber defenders are constantly working to protect information? Where is the problem: in the approach, the people or technology? As it happens, it is in all of them.
Inside job
The first cause of growing data leaks is the imbalance between external and internal threat protection. Companies protect themselves first and foremost against external threats: hackers and DDoS attacks, ransomware, phishing attacks, etc.
Meanwhile, according to Varonis research, over 90% of data leaks are the result of internal violations, in particular, actions of employees. I should also highlight another study which found that over 72% of UAE organisations have suffered data loss due to internal actions (As cyberattacks get intense, UAE businesses need to think about insurance coverage. Babur, 2023). Employees have authorised access to the most critical information, know the IT infrastructure, and understand the security rules and how to break them. That’s why the situation inside needs even closer monitoring than external threats. If we remove this long-standing imbalance in the protection priorities, the situation will start to change for the better.
Shortage of staff
The second cause is people, or rather the lack of them. Shortages of infosec experts and their workload differ from country to country, but this tendency can be observed everywhere.
According to a SearchInform study, in 2023 one third of business representatives admitted to a “severe lack of infosec experts”. According to a recent Human Resources Director survey, 83% of IT security professionals said they or someone in their department has committed errors due to burnout that have led to a security breach.
In the UAE, companies are paying a lot of attention to protection issues and strengthening the team’s security and awareness. This led to 98% of the companies recently surveyed by Veritas saying that they are confident in their ability to maintain security within their organisations. However, in the same survey, almost all UAE respondents (98%) reported that risks had resulted in damage to their organisation’s reputation or finances in the last two years.
At the same time, according to a Trellix study, there is still a shortage of information security experts in the region. The Mind of the CISO report highlights that a substantial percentage of CISOs in the UAE believe their organisations lack the necessary human resources and processes to effectively withstand cyber threats.
66% of CISOs feel their organisations are not equipped to be truly cyber resilient, and a staggering 74% consider their current technology infrastructure inadequate (Cybersecurity Talent Shortage A Major Concern For CISOs In UAE And KSA (Hadzagic, 2023)). As threats of data leaks continue to grow and evolve it’s vital teams are bolstered to help stop them in their tracks early.
The trouble with tech
The third cause is technology. Cybercriminals and unscrupulous employees are using new technology for their own purposes, be it artificial intelligence, deepfake or new phishing and social engineering techniques. Here, cyber defenders are always in the role of someone who has to catch up.
New technology has appeared, cybercriminals have immediately added it to their armoury, and vendors must gain time to develop a means of protection. No matter how hard vendors try, there is an inevitable time lag that cybercriminals take advantage of.
And there’s more…
There is another cause of the increase in data breaches and data access violations. This is the lack of security solutions in small and medium-sized enterprises. According to the statistics, there are about 500,000 SMEs in the UAE, and this number will double by 2030. The vast majority of these enterprises do not implement security solutions and do not protect the personal data of employees and customers.
The reason is simple: it is not economically viable for a business of this size. Purchasing software and hardware and hiring a security expert is a task near to impossible for a small business. A competent data security analyst is unlikely to take a job in a small company since it is a step back from the point of view of professional development and prospects.
This problem can be solved in two ways: either by subsidising data security costs for SMEs from the government or by outsourcing data security functions. A managed security service (MSS) provider saves the resources of a small company. The service is cheaper than an in-house infosec department. The service is uninterrupted, and the business owner does not have to worry about holidays, sick leaves or dismissal of a security analyst.
The service package includes the software, its installation and configuration, and an expert who will work with the software and provide reports to the customer. Managed security service is gaining momentum all over the world, it is a trend that we are noticing in many regions, particularly for small companies.
Battle for protection
Data security issues will remain, this is the eternal battle between the criminal and the lawkeeper. However, the situation can be improved by eliminating the significant imbalance between external and internal protection by paying due attention to internal threats.
The situation is gradually improving, and companies are installing protective solutions – primarily large businesses that see other corporate security risks besides breaches, for example, various internal machinations of employees, corporate espionage, and violations of access to restricted data. While the situation with SMEs is more complicated, it remains solvable.