The Rising Risk Of Data Breaches In The Semiconductor Ecosystem

High-tech companies lead today's digital innovation, which also makes them attractive targets for cyber criminals. Companies in semiconductor design, software engineering, and advanced technology development handle large quantities of highly sensitive data, so they are especially appealing to criminals looking to steal valuable information.

An incident at Synopsys demonstrates this trend: a recent data breach there shows that even very sophisticated technology companies are vulnerable to cyber-attacks. Companies in the software and cybersecurity sector were once presumed to have near-impenetrable security; the reality is not as straightforward.

Technology companies are part of an extremely interconnected framework. They work with clients, vendors, contractors, and global partners, often sharing large quantities of very sensitive personal and operational information across many different collaborative and networked platforms. While this has generally improved efficiency for all of the organizations involved, it also enlarges the attack surface. As a result, a single vulnerability in either internal or third-party systems can expose critical information.

In sectors such as electronic design automation (EDA), businesses not only handle their own intellectual property but typically also keep records of employees, clients and potentially even health-related data. Should a breach occur, both assets owned by the business and personally identifiable information (PII) belonging to individuals could be compromised. Breaches of both kinds have profound consequences beyond the many millions of dollars lost to the breach itself and to lost revenue: they also erode trust, violate compliance requirements and irreparably damage an organization's reputation over the long term.

Additionally, cyber threats continue to grow in complexity. Bad actors have moved away from relying solely on basic phishing or malware-based attacks. Today's sophisticated attackers use advanced persistent threats (APTs), social engineering techniques, and targeted intrusion methods designed for high-value organizations. These give them the ability to infiltrate a company's systems and remain undetected for much longer periods, increasing the total potential damage.

The recent Synopsys data breach appears to epitomize a larger trend: most large organizations do not discover their cybersecurity vulnerabilities until some time after a data breach has occurred. While many companies have invested heavily in security technologies and infrastructure, they remain vulnerable because of human error, legacy systems and improperly configured security settings. Continual monitoring for unknown threats, frequent audits and proactive threat identification and detection are therefore becoming increasingly important as a means of preventing data breaches.

Breaches at technology companies can raise alarm bells for individuals because of what was taken. PII includes people's Social Security numbers, financial information and medical records, and exposing such sensitive data can lead to identity theft, fraud and long-term misuse of that information. Because PII, unlike a password, cannot simply be changed or reset, protecting it from compromise becomes even more imperative.

Organizations should create a multi-layered security framework to protect their data and networks: adopt a zero trust model, train employees, implement stringent access control procedures, and conduct rigorous vendor risk assessments, among other measures. Cybersecurity is no longer just an IT issue but a business-critical component that should be examined and implemented throughout all parts of an organization.

As technology evolves, so too will the associated risks; cases like the Synopsys case illustrate the need to consider innovation and security together. Without a strong cybersecurity foundation, a company may expose itself to vulnerabilities in the digital ecosystem, no matter how technologically advanced it is.