Cyberattacks are now a bigger threat to the United States than the risk of a physical attack, said U.S. Department of Homeland Security (DHS) Secretary Kirstjen Nielsen at the National Cybersecurity Summit earlier this year.
"This is a major sea change for my department and for our country's security," Nielsen explained, adding that Americans' digital lives are now under assault every single day.
"Terrorists and criminals still pose a serious threat to our lives…and they are plotting against Americans daily; however, the 'attack surface' in cyberspace is now broader and under more frequent assault."
This shift in the threat landscape has had major ramifications for the United States and other nations around the globe as they grapple with protecting their critical infrastructure, electoral systems, and corporate networks from cyberattacks.
"The cyber-threat landscape is different today because cyberspace is not only a target—cyber can also be used as a weapon, an attack vector, or a means for which nefarious activity can be conducted," Nielsen said.
To counter this threat, the United States is using a variety of approaches—including creating a voluntary supply-chain risk management program and working with companies to track down unseen security weaknesses to limit the attack surface.
By doing this, DHS is looking at cyber risk from a holistic viewpoint—from the national government to the private sector on down.
And private companies may also be taking a similar approach to address cyber risk to their organizations. In a recently released SANS Institute whitepaper, John Pescatore—director of emerging technologies for SANS—wrote that many businesses will manage to avoid a significant data breach this year.
Through his research, Pescatore found that there were 668 publicly disclosed breaches in the United States in the first 203 days of 2018—meaning that more than 1,200 breaches will likely occur this year.
"There are more than 18,000 companies with more than 500 employees in the U.S., meaning about 17,000 of them will have avoided a breach requiring disclosure in 2018," Pescatore wrote.
"Some companies will simply be lucky enough not to be attacked or may suffer only minor incidents," he explained. "Many more will avoid or limit business damage by implementing security processes and controls to proactively identify and remove or mitigate vulnerabilities."
For instance, many companies that are avoiding breaches are doing so by conducting cybersecurity risk assessments and implementing frameworks to address them.
"The key is for security teams to understand business impact, be able to express risk in those terms, and be able to demonstrate how improvements in security result in measurable reduction in business impact," Pescatore explained.
"By developing situational awareness (timely and accurate knowledge of what we need to protect, what vulnerabilities exist, and what real threats are active against those targets), and combining it with tools and techniques for prioritizing prevention and mitigation actions, security teams can quickly take actions to avoid the most damaging incidents and to exponentially reduce the business damage of unavoidable incidents."