Last year, Marriott Hotels' security breach exposed 500 million data records, Cambridge Analytica leaked users’ information from Facebook, Google+ shut down early after failing to disclose a data leak, and Coast Capital in Canada reported that 140 people lost millions to hackers.
A third of US organizations surveyed by PWC for a recent report said they had experienced cybercrime within the last two years, and an IBM estimate suggests the average cost of each of those breaches was about $3.9 million.
Cybersecurity experts are in high demand (half the companies surveyed by PWC had conducted a cybercrime risk assessment). Here’s what they probably won’t tell you:
- A lot of company security breaches start with porn. As in, employees using porn sites at work. Cybersecurity experts are likely to couch this risk in more generalized, cautionary words like “avoid suspicious websites.” (The embarrassing revelations inevitably come out in the post-mortem report.) Jason McNew, of Stronghold Cyber Security, says that incidents such as these happen far more frequently than people might believe.
- You are a target. McNew previously worked for White House communications and Camp David for 12 years. His advice: “It does not matter if you are small, or if you have information that is of no value to anyone but you (that just makes it susceptible to ransomware). The various Internet-born threats coming out of China, Eastern Europe, Russia, are like whales patrolling the ocean vacuuming up krill. You are the krill.”
- There’s only so much that software can do. “Spending all this money on fancy systems is good, but it’s people who are clicking on links or attachments in emails, or going to websites where they shouldn’t be going,” says Dave Oswald, of Toronto’s Forensic Restitution. In his experience, about 80% of the time, the attack can be traced to an employee’s hands, but not necessarily because they’ve been careless; rather, “the ruses are getting better all of the time.” Singling out careless employees probably won’t be much help, either. “Typically, blaming the employees only creates a culture where the employees are afraid to bring events to daylight,” notes Mika Aalto, CEO and co-founder of Hoxhunt, a firm that trains clients’ employees in how to avoid fraud.
- Just how bad the breach really was. Want to know how much the attack corrupted or how much data was stolen? These days, Oswald says, cybersecurity experts may very well keep mum about the extent of the infiltration—at least initially—because they don’t want to humiliate themselves by having to return to the client later and admit the losses are worse than they first thought.
- There’s probably no way to be completely safe. Aalto drops the truth bombs: “A large infrastructure is almost impossible to defend,” he says. He presents a sobering fact: “How many of Fortune 500 have been hacked?” The answer is “all of them.” Mikko Hypponen, the chief research officer at F-Secure Oyj Security and Privacy Company, has said the same.