
No cyber breaches in fantasy land

The only place where an investment to prevent cyber attacks is unnecessary is in the land of make-believe.

By John McLoughlin, MD, J2 Software.
Johannesburg, 31 Mar 2017

Research results recently revealed by Kaspersky Lab indicate that, when it comes to cyber breaches, prevention is not optional but rather a strategic business objective.

Kaspersky notes that losses from cyber attacks at large businesses are estimated at $861 000 per security incident. The report, "Measuring the Financial Impact of IT Security on Businesses", notes that small and medium businesses are paying $86 500 per incident.

Significantly, the cost of recovery is estimated to be directly related to the time of discovery. SMEs were found to pay 44% more to recover from an attack discovered a week or more after the initial breach, compared to attacks spotted within a day. Enterprise corporations are estimated to pay a 27% premium in the same circumstances.

Cyber crime is reported as the fastest growing industry worldwide, and South African businesses lose around R2.2 billion annually to cyber attacks.

It seems incredible that in an age where cyber threats evolve as quickly as technology develops, thousands of businesses in this country rarely, if at all, re-evaluate their vulnerability to this growing global issue.

Ostrich approach

It is stunning that, despite research revealing the staggering losses suffered by businesses, so many companies continue to stick their head in the ground in the hope that if they can't see it coming, it can't happen to them.

The truth of the matter is they can actually make sure they see it coming and prevent it or detect it immediately, thereby significantly reducing the financial impact.

I have recently held detailed discussions with many business professionals on their vulnerability to cyber attack and how it needs to be approached. The reactions were varied, but mostly fell into the category of "not something that is budgeted for", or "executive management turned down the request for budget". However, the same management will be forced to find budget to cover the losses when the company falls victim to this growing trend.


Unfortunately, the one certainty companies face if they don't allocate budget to deploy protection measures is that they will suffer a hit at some point in the future. Yet it is incredible that many companies take this ostrich approach and then, when it happens, use the exact science of hindsight to try to rectify matters.

It is becoming glaringly clear there are simply too many board-level executives who do not take their chief information officer (CIO) or chief information security officer (CISO) seriously. Some C-level execs need to be renamed the chief executives of fantasy land if they believe they can afford not to budget for protection against this very real danger, which can come from outside, but very often also from within the company.

It is time for board-level execs to be involved in the company's cyber security decisions, and preferably before it is too late. Cyber breaches are happening everywhere, every single day. If not to the company in question, then to the company's suppliers or customers, all of whom store sensitive data about the company's operations. The breaches are happening faster than companies and their overworked IT teams can react. Yet a dogged determination to keep implementing decades-old security measures continues to prevail.

There is no point in reacting after data has been lost or after a thousand servers have been encrypted. It will not help once personal data and payroll information is made publicly available online or with a direct marketing company.

Businesses need to ensure they are more proactive, and only then can they work on prevention and containment rather than damage control.

Where to start?

I am often asked this question. My answer is simple: "Stop talking and get moving; don't end up on a merry-go-round of discussions around what needs to be done. Start immediately on looking at where the problems/vulnerabilities are."

Information security, governance and compliance are never going to work if they are done as a "box-drop" or once-off effort, and the selection of a security partner is vital. As threats evolve, this relationship also needs to grow.

Begin with visibility. A company can't manage what it can't see. Without visibility of what is happening both on the network and off it, companies are reduced to guessing games and assumption instead of fact and action.

Manage the gaps

Once identified, gaps must be managed and monitored. It's rather like having a great alarm system with beams and an electric fence, but without connecting it to a response unit. The alarm may trigger and make a great noise, but if nobody is there to respond, there is no value.

It is not important what point solutions companies already have; it is important to make sure they are all working correctly, and that, if they are not, there is a proactive response. This all stems from real visibility.

How can the chief executives of fantasy land tell shareholders they care about data governance and compliance when they are incapable of detailing how much sensitive personal information or company IP was copied to a cloud-sharing service such as Dropbox, or how many files were renamed and copied to an external USB drive yesterday, or this morning?

To be frank, they cannot claim to care about these things without visibility, and to acquire that requires intelligent business security planning.
