Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
The guiding principle for many businesses and organizations when it comes to effective cybersecurity often seems to be some combination of "put head in sand" and "hope for the best." How else to explain the steady trickle of successful attacks? Hacking has become so commonplace in 2019 that many breaches aren't even considered "headline news" anymore.
DoorDash, a delivery service that picks up food at restaurants and whisks it to diners' doorsteps, coughed up personal data connected to 4.9 million users in a hack announced just hours ago. Will it be forgotten just hours from now? Maybe not if you're a DoorDash patron. Then again, how many people deleted their e-mail accounts and abandoned Yahoo! in 2016?
Hackers, of course, are constantly working to crack security measures deployed against them. And the problem is compounded by pressure on businesses and organizations to be internet accessible and increasingly permit clients and customers to carry out all levels of transactions online. Is it more important to complete cybersecurity due diligence, or to get your product to the internet?
In the aftermath of a breach, the affected party often attempts to play down the seriousness of what has occurred. DoorDash, for example, assured customers that "full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card."
Except that partial data from a breach is routinely sold on to other criminals, who use it for phishing and social engineering, or correlate it with data from earlier breaches to assemble a fuller profile of the victim and get a little closer to something actionable. The overall situation is perhaps not going from bad to worse as fast as the occasional hue and cry would lead one to believe, but it's also not getting better.
We rely on government regulation to protect consumers in many other areas. Maybe it's time for government regulators to set uniform standards for cybersecurity, or at least create incentives for businesses and organizations to more actively protect their clients. As part of our recent Security Certification Survey, we asked certified cybersecurity professionals what they think.
Here's how certified information security professionals responded when asked to rate the level of their agreement with the following statements:
Statement 1: Government should aggressively promote stronger security controls for businesses and private organizations.
Strongly Agree: 30.9 percent
Agree: 43.8 percent
Neither Agree nor Disagree: 17.3 percent
Disagree: 5.5 percent
Strongly Disagree: 2.6 percent
Statement 2: Government should mandate stronger security controls for businesses and private organizations.
Strongly Agree: 18.8 percent
Agree: 34.6 percent
Neither Agree nor Disagree: 27.9 percent
Disagree: 14.0 percent
Strongly Disagree: 4.8 percent
The responses strongly indicate that certified professionals believe a) the problem is real, and b) some level of government intervention could be effective in making things better. Almost 75 percent of those surveyed either agree (43.8 percent) or strongly agree (30.9 percent) that government should aggressively promote stronger security controls.
And while other questions from the survey have already shown a reluctance to embrace direct government intervention, more than half of survey respondents are on board with the idea of regulation to improve cybersecurity. A considerable 53.4 percent either agree (34.6 percent) or strongly agree (18.8 percent) that government should mandate stronger security controls.