The only place where an investment to prevent cyber-attacks is unnecessary is in the land of make-believe
Recently released research results from Kaspersky Lab indicate that prevention is not optional but should be a strategic business objective when it comes to cyber breaches. Kaspersky notes that large business losses from cyberattacks are estimated at $861,000 per security incident. The report, named Measuring the Financial Impact of IT Security on Businesses*, notes that small and medium businesses (SMBs) are paying $86,500 per incident. Significantly, the cost of recovery is estimated to be directly related to the time of discovery. Small to medium businesses were found to pay 44% more to recover from an attack discovered a week or more after the initial breach, compared to attacks spotted within a day. Enterprise corporations are estimated to pay a 27% premium in the same circumstances.
Cybercrime is reported as the fastest growing industry worldwide, and South African businesses lose around R2.2bn annually to cyber-attacks.
It seems incredible that in an age where cyber threats evolve as quickly as technology develops, thousands of businesses in this country rarely, if at all, re-evaluate their vulnerability to this growing global issue.
The Ostrich Approach
It is stunning that despite research revealing the staggering losses suffered by businesses so many companies continue to stick their head in the ground in the hope that if they can’t see it coming, it can’t happen to them.
The truth of the matter is that they can actually make sure they see it coming and prevent it or detect it immediately and thereby significantly reduce the financial impact.
I have recently held detailed discussions with many business professionals on their vulnerability to cyber-attack and how it needs to be approached. The reactions were varied but mostly fell into the category of “not something that is budgeted for”, or, “executive management turned down the request for budget.” However, the same management will be forced to find budget to cover the losses when they fall victim to this growing trend. Unfortunately, the one certainty they will face is that if they don’t allocate budget to deploy protection measures they will unquestionably suffer a hit at some time in the future. Yet, it is incredible that many companies take this approach and then when it happens use the exact science of hindsight to try and rectify matters.
It is becoming glaringly clear that there are simply too many board level executives who do not take their Chief Information Officer (CIO) or Chief Information Security Officer (CISO) seriously. Some ‘C’ level execs need to be renamed the Chief Executives of Fantasy Land if they believe they can afford not to budget for protection against this very real danger – which can come from outside but very often also from within the organisation.
It is time for board level execs to be involved in the business's cyber security decisions, and preferably before it is too late. Cyber breaches are happening all around us, every single day. If not to you, then to your suppliers or customers, all of whom store sensitive data about your operations. The breaches are happening faster than you and your overworked IT team can react. Yet, a dogged determination to keep implementing decades-old security measures continues to prevail.
There is no point in reacting after data has been lost or after a thousand servers have been encrypted. It will not help once personal data and payroll information are made publicly available online or end up with a direct marketing company.
Businesses need to ensure that they are more proactive and only then can they work on prevention and containment rather than damage control.
Where to start?
I am often asked this question. My answer is simple: “Stop talking and get moving; don’t end up on a merry-go-round of discussions around what needs to be done, start immediately on looking at where the problems/vulnerabilities are.”
Information security, governance and compliance are never going to work if they are simply done as a “box-drop” or once-off effort; selecting a security partner is vital. As threats evolve, this relationship also needs to grow.
Begin with visibility. You can’t manage what you can’t see. Without visibility of what is happening both on the network and off it, companies are reduced to guessing games and assumption instead of fact and action.
Manage the gaps
Once identified, gaps must be managed and monitored. It’s rather like having a great alarm system with beams and an electric fence but without connecting it to a response unit. The alarm may trigger and make a great noise – but if nobody is there to respond there is no value.
This has been the driving force behind the recent launch of the J2 Cyber Security Centre. It is not important what point solutions companies already have; it is important to make sure they are all working correctly and, if not, that there is a proactive response. This all stems from real visibility.
How can the Chief Executives of Fantasy Land tell shareholders they care about data governance and compliance when they are incapable of detailing how much sensitive personal information or company IP was copied to a cloud sharing service such as Dropbox, or how many files were renamed and copied to an external USB drive yesterday or this morning?
To be frank, they cannot claim to care about these things without visibility and to acquire that requires intelligent business security planning.
This article appeared in ITWeb.