AT&T released its first public cybersecurity incident analysis report last week. As a network security services provider, they get to see the attacks in real time. One service that AT&T offers is to mitigate security threats in the network before they ever reach you. They also offer cybersecurity consulting services. AT&T’s competitor Verizon also produces a similar report every year. Obviously, these pieces are marketing tools to sell cybersecurity services, but that does not make the data any less useful.
A few highlights from AT&T’s report released last week:
- Security incidents are up 48% over 2013 (117,000 attacks a day)
- DDoS attacks are up 62% over the last two years
- 75% of businesses do not involve their full boards in cyber risk oversight
The report suggests 5 questions for every CEO. While these questions are not necessarily perfect, they certainly are good questions:
- Is your board of directors fully engaged in cybersecurity?
- When did you and your board review your last risk assessment?
- What makes you a target for attacks?
- What data is leaving your company and is it secure?
- Have I provided my security organization all the tools and resources they need to help prevent a security breach?
My additions or changes to these questions are:
For question 2, WHEN was the last risk assessment conducted? If the answer is more than 12 months ago, it is time to conduct a new one.
For question 4, SHOULD that data be leaving the company at all and HOW do you know what data is leaving the company?
The AT&T report also says that about half of the large companies (their target market) are re-evaluating their information security standards in light of the recent high-visibility breaches. That means that more than half are not. I suspect that smaller companies are even less likely to be re-evaluating their standards because they are more worried about top-line sales numbers. Unfortunately, that is probably the wrong choice. Large companies (think Anthem or Target) have the resources to deal with the aftermath of these attacks and continue to do business. This is much less likely for mid-size and smaller companies.
The report has many other useful recommendations and questions. I would recommend that the chief security person in every organization read it.
The report is available on AT&T’s web site here.