By Guy Higgins
Verizon recently published their 2015 Data Breach Investigations Report (DBIR). The report analyzed just under 80,000 cyber-security incidents that resulted in 2,122 actual data breaches as reported by 70 different law-enforcement and cyber-security agencies. At first blush, it might seem that there were relatively few data breaches, but the rough odds of experiencing an actual data breach are one in forty – not very good odds when the cost of a data breach is high in both dollars and reputation.
There are two important points to be made regarding data breaches:
- The majority of organizations can reduce their vulnerability significantly through relatively simple and low-cost actions.
- No cyber-security system is completely invulnerable to being breached, and a cyber breach is a serious business problem – not an IT problem.
Cyber-security – reducing your vulnerability
- The Verizon DBIR found that “most attacks exploited known vulnerabilities” in commercial software. Some of these vulnerabilities were identified as long ago as 2007, and patches correcting them were made available to users soon after they were found. Software providers take seriously the correction of every security vulnerability they know of or are made aware of, and patches and new software versions are released as quickly as practicable. However, users don’t always install these patches/updates immediately (and sometimes not at all), which leaves those companies and organizations exposed to vulnerabilities for which a fix already exists. Security patches must be installed as quickly as possible. The attackers won’t wait.
- Verizon also found that one of the most consistent factors in security failures was the “people” factor. As an example, about one in four people will open a “phishing” email, and about half of those will open the email attachment. Opening the attachment introduces malware directly into the organization’s systems. The solution is a genuine commitment to cyber security by organizational leadership, combined with regular training (and refresher training) on cyber security. This training needs to include why cyber security is important and what the potential impacts are if security procedures are ignored.
Cyber-breaches – understanding the risk and reducing the impact
- While organizations are becoming more adept at discovering cyber breaches, a significant number of breaches still go undetected for months and even years. A cyber attacker can extract data in less than two minutes, and the longer a breach remains undetected, the more data (and the more valuable data) can be extracted.
- Security is an IT problem. A breach of that security becomes a business problem. A cyber breach carries costs from both a financial and a brand/reputation perspective. The Verizon report provides some estimates of the financial costs as captured by cyber-breach insurance reports. These costs (as quantified by paid claims) vary from as little as $0.09 per record (for very large data breaches) to as much as $254 per record (for very small data breaches). The report does not capture company costs beyond insurance coverage, nor does it address uncovered costs or the intangible cost of damage to reputation/brand.
- Organizations can reduce the impact of a breach by developing and implementing a cyber-breach response plan – what will the company do when a cyber breach is discovered? How will it best manage the consequences of the breach? Who must, by law or regulation, be notified, and in what order? What compensation is mandated or recommended? What communication with stakeholders is appropriate? These are only a tiny subset of the considerations that need to be included in a cyber-breach response plan.
- As always, organizations need to anticipate their vulnerabilities (e.g. do they hold customer information or intellectual property that is at risk?), develop plans, and exercise those plans so that they can execute quickly and effectively when necessary.
Cyber crime is alive and well – and a growth industry. Leaders need to establish a solid policy for both cyber security and cyber-breach response, and they must be seen to be committed to that policy and leading in its implementation.