Back-to-work plans keep changing: only this week, Google and Facebook announced they would require employees to be vaccinated before returning to the office. Policies will continue to adjust to reflect what’s happening in the real world. What is clear, however, is that companies will need to operate remotely in some capacity, and making sure that the workforce can seamlessly switch to remote working is an important part of modern-day business continuity.

In this month’s Zero Trust Digest, we look at IBM’s Cost of a Data Breach report, the recent Pegasus Spyware story, the CSA’s guidelines for cloud threat modeling, the ‘overwhelming’ challenge of hybrid work and the surprising trend of WFB.

Cost of a Data Breach

IBM released its annual ‘Cost of a Data Breach’ report, finding that data breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report. The study suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year.

Some of the noteworthy trends include:

  • Remote work impact: Nearly 20% of organizations studied reported that remote work was a factor in a data breach. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to those in this group without this factor ($4.96 vs. $3.89 million).
  • Healthcare breach costs surged: industries that faced significant operational challenges during the pandemic also experienced a substantial increase in data breach costs year over year. Healthcare breaches cost the most by far, at $9.23 million per incident – a $2 million increase over the previous year.
  • Compromised credentials led to compromised data: Stolen user credentials were the most common root cause of breaches in the study. At the same time, customer personal data (such as name, email, password) was the most common type of information exposed in data breaches – with 44% of breaches including this type of data.
  • Modern approaches reduced costs: The adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools. For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61m) than those who had a primarily public cloud ($4.80m) or primarily private cloud approach ($4.55m).

You can read the full report here.

An Introduction to Pegasus Spyware

An investigation titled the Pegasus Project, conducted by 17 media organizations and Amnesty International’s Security Lab, uncovered that surveillance software from NSO Group, purportedly used by governments to target criminal and terror suspects, is actively being used to target journalists, activists and dissidents. As a result, the security industry has dubbed this the Pegasus Spyware, which bears a remarkable resemblance to the recent spyware activity surrounding FinSpy.

Here’s the full write-up on Pegasus, what you need to know and the implications for corporate security.

CSA releases guide to facilitate cloud threat modelling

Written by the CSA Top Threats Working Group, the document provides security professionals with critical guidance on how to conduct threat modeling for cloud applications.

The guide features cloud threat modeling cards (Threat, Vulnerability, Asset, and Control) and a reference model that organizations can use to create their own cloud threat model.

Threat modeling is an essential practice for software and systems security and it’s imperative that organizations develop a structured and repeatable approach for modeling threats to successfully anticipate and mitigate cyberattacks.

You can read the CSA’s press release here and download the Cloud Threat Modelling document here.

The ‘overwhelming’ challenge of hybrid working for IT professionals

66% of IT professionals say they feel overwhelmed trying to manage remote work, according to a recent survey, and consequently budgets and time are largely focused on remote work. It’s a challenge that is likely to become more complicated as the transition to hybrid working accelerates and businesses have to manage the duality of remote and office-based working environments.

More than half (58.4%) of IT departments plan to spend more on remote management technologies as they navigate the hybrid environment, with the funds going toward finding both immediate and long-term tech solutions.

Another finding from the report was the importance of employee experience for remote working, with 93% agreeing that it is an important factor in IT purchase decision making. Many of us have had a bootstrapped remote working experience that is suboptimal relative to the office experience, so 2021 priorities need to be focused on bridging this disparity and making the employee experience seamless wherever an employee may be, without compromising security.

What is WFB?

Wide-scale remote working has granted everyone more flexibility in how they work: we don’t have to sit at our desks from 9-5 anymore, and these office-centric traditions are fading fast. A recent report by CraftJack has given some insight into how people are working from home.

45% of American teleworkers regularly work from a couch, 38% regularly work from bed (WFB) and 20% often work outside.

People have spent an average of $268 improving their at-home setups. Despite this, 50% still say their conditions aren’t ideal and are keen to head back to the office.