You don’t invest in a safe for your stationery and keep your cash in a cupboard. So why don’t more companies identify their most valuable assets in the workplace too and look at intensifying digital security?
The set-up costs can be off-putting but the price of a breach is far higher and the likelihood of such an attack now all but certain.
The international average cumulative cost of a data breach has reached US$3.8m, with each lost or stolen record losing a company around $150. Healthcare is one of the most affected industries, with the cost per lost record there put at $363. The retail sector has seen costs per stolen record increase from $105 to $165 in a year.
The latest findings are a result of the 2015 Cost of Data Breach Study by the Ponemon Institute, which identified three major reasons for the increase in costs:
Cyber attacks are increasing in frequency and in the cost of resolution;
The growing financial aftermath in terms of lost customers and goodwill; and
The higher cost of forensic and investigative activities.
That a breach will occur is almost inevitable. Criminals look to exploit systems to obtain customer data to sell to fraudsters, and state-sponsored actors look to steal valuable IP. All are stealthy, continuously active and always improving, and the results are expensive.
Traditional perimeter defences such as antivirus software are still important, but they can’t keep up with the hackers. Once a breach has occurred, it takes a company an average of 230 days to detect it, and some don’t notice until the day-to-day running of the business starts to be visibly affected. These threats are the “unknown unknowns”, and it is more effective to watch the system from within to limit the damage they can do than to keep trying to keep them out.
Information technology is becoming ever more integrated with the operation of physical infrastructure and brings with it a corresponding increase in the risk of wide-scale or high-consequence events that could cause harm or disrupt services upon which our economies and the lives of millions depend. At its worst, such an event could be catastrophic.
But the unknown unknowns can be managed. Cyber-threats can hide in networks for days, weeks, months or years. Malware and zero-day exploits, for example, hide in data and in time: large volumes of data over a long period. Assessing that is not something most CIOs or IT people have any experience in. Ideally, the problem should be addressed at board level and its management given priority equal to any other business-critical activity. Cybercrime is unstoppable, but it is not unmanageable.
Managing cyber-risk requires directors to extend their due diligence enquiry well beyond its traditional scope to include deep information security analytics and analysis, which will call for specialist big data tools and data science capability to discover the threats. This is not a skill or capability traditional IT staff have.
The reality is that the cyber-threat should be treated as just another business risk, albeit one that can “happen at a pace, scale and reach that is unprecedented”. The people responsible for protecting a company’s digital assets must know what their high-value digital assets are, where they are and who is accountable for them. They also need a clear understanding of the specific threats they face. Simply instituting cyber-security procedures isn’t enough; the system should be kept under review because the threats will evolve over time.
US health insurer CareFirst detected a breach of its information security in April 2014. The company says it believed it had dealt with the attack at the time and that no customer information had been compromised. However, in April this year, CareFirst employed a cybersecurity consultancy to check its cyber-fitness after breaches at other, related healthcare companies, only to find that confidential client data had indeed been accessed in the attack the year before. Stolen data included usernames, real names, dates of birth, email addresses and subscriber numbers. As a precaution, CareFirst offered all 1.1m affected customers two years of free credit monitoring and identity theft protection.
Fortunately, CareFirst stores the passwords associated with those usernames in a separate, encrypted database that was not accessed. That was crucial: the company had identified those of its digital assets with pivotal value and secured them.
As additional protection, the company required all affected customers to create new usernames, said it had reported the attack to the FBI and would continue to work with the authorities and beef up its IT security controls.
CareFirst is an example of a company that had identified its most valuable digital assets and taken steps to safeguard them. It had focused on protecting the passwords as the means of disrupting a vital link in the hackers’ information chain. Similarly, a bank would want to concentrate its information security investment on its payment engine servers, the disruption of which can cost millions in a single day. Identify what is most important and give those assets the best protection you can.