Business Size and Network Security Threat are Inversely Proportional

When it comes to cyberattacks and the resultant data breaches, not all organizations are affected to the same extent. Larger organizations store greater quantities of data and a security breach may end up costing the company over $100 million to resolve, but such breaches are not suffered very often. In fact, when you compare the cost of breach resolution to the annual turnover of a company, the cost is actually very small indeed.

Even the huge data breaches that have affected Sony and Target have not cost the companies very much in the grand scheme of things. Compared to the annual turnover of both companies, the costs incurred are very low: as low as 1% of total turnover. The security breaches will be embarrassing, but the actual losses can be easily absorbed.

Benjamin Dean from Columbia University’s School of International and Public Affairs recently pointed out in a post that the cost to large companies may not be insignificant, but it is nowhere near as high as many people would believe.

Consequently, there is little pressure on many large organizations to invest more heavily in cybersecurity defenses. This may not be true for heavily regulated industries such as finance and healthcare, where heavy fines can be issued for non-compliance with data security regulations, but for some companies the costs can be easily absorbed.

Many of these companies are covered by insurance policies that pay for the majority of the cost, and the resolution costs are tax-deductible.

Dean points out that while there will be fallout as a result of a data breach, it may not be nearly as severe as many companies are led to believe. Many Sony employees had their data exposed in the cyberattack, but how many will leave their employment as a result? Sure, they will be unhappy, but will they leave in droves? Probably not.

Customers may incur losses, but Sony will not have to cover the cost. How about cases of identity theft? Can a customer determine with any degree of certainty that they have become a victim because of the data breach at Target or Anthem, or any number of other companies that have suffered cyberattacks?

In many cases, losses are not suffered by the company but by the banks. The data breaches that have affected Target and Home Depot are estimated to have cost the providers of credit and debit cards rather than the retailers. Replacing the stolen cards alone is estimated to have cost credit unions around $60 million in September. Those costs were covered by the credit unions, not the retailers.

The same cannot be said for small to medium sized businesses

The larger the corporation, the easier it is for losses to be absorbed, but when it comes to small to medium sized businesses the losses from a data breach can be catastrophic. Will movie-goers avoid a Sony Entertainment film because of the data breach? Unlikely. Will customers change to a rival printing company because their preferred provider has suffered a breach of their financial data? Much more likely.

For SMBs it is essential to invest in robust data security systems. The loss of customers will really be felt, and many SMBs do not have the budgets to cover data breach insurance premiums. The resolution costs, in many cases, simply cannot be absorbed.

Data breaches do not affect all departments equally

If you work in IT security, you will be very keen to get a budget increase to protect your company’s systems. If a breach is suffered, your department will have to perform a great deal of extra work. You are likely to be blamed for allowing the breach to happen. You may even be criticized for failing to explain the risks adequately.

It is therefore in your best interests to implement the best possible security controls to protect the business, but getting the funding is often problematic. Cybercriminals are developing ever more sophisticated methods of breaking through defenses, and consequently the defenses needed to stop them must be equally sophisticated. That usually means they cost a lot of money. Getting a sufficient budget to cover the cost can therefore be a difficult task.

To make it easier, you will need to know how managers assess budget requests.

Risk Analysis – How managers decide on budgets

Before a potentially expensive cybersecurity measure is given the go-ahead, a cost analysis will be performed. Managers will assess each threat separately and will calculate the Annualized Rate of Occurrence (ARO) – the expected number of times security will be breached in any given year. Then they will calculate the cost of one such breach: the Single Loss Expectancy (SLE). Multiplying those two figures gives the Annual Loss Expectancy (ALE). Based on that figure, a decision will be made about the best way to deal with the threat and whether it is worthwhile doing so.

There are a number of measures that can be put in place to address the risk. These will also be assessed:

Risk Mitigation

The biggest costs fall into this category. These include installing robust firewalls, anti-virus and anti-malware solutions, spam and web filters, and employee training.

Risk Transference

It may be possible to reduce the cost of dealing with a breach rather than its likelihood, and this may prove to be more cost effective than installing security measures to reduce risk. An insurance policy may be purchased so the company doesn’t have to cover the full cost of a security breach.

Risk Avoidance

It may be possible to reduce risk by preventing certain activities from taking place; for instance, the use of social media websites at work could be banned to combat the threat from malware. Sometimes risk cannot be avoided. Maintaining an online presence is essential, so a company cannot remove the risk of a data breach by not operating a corporate website.

Risk Deterrents

These measures can be cheap and effective. Legal disclaimers and internal policies can be developed to tackle insider theft. They may warn of prosecution for anyone found to be inappropriately accessing corporate data. This may be sufficient to put some individuals off snooping.

Risk Acceptance

Some risks cannot be avoided and must be accepted. However, a company must be aware of the risk in order to make a decision about whether it can be accepted, as well as the cost of mitigating that risk and the potential for damage.
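The calculation described above, carried through in code: each threat gets an ALE from its SLE and ARO, and each of the treatment options (mitigation, transference, avoidance or deterrence, acceptance) is scored by the residual loss it leaves plus what it costs per year, so the options can be compared on one figure. This is an added example for this article, not code from the original; every threat figure, control cost and insurance term is constructed for illustration.

```python
"""Worked risk analysis: ALE per threat and the expected yearly cost of each
risk treatment.

Added example for the procedure described in the article; not the article's
own code. Every threat figure, control cost and insurance term below is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Threat:
    name: str
    sle: float  # Single Loss Expectancy: cost of one incident, in dollars
    aro: float  # Annualized Rate of Occurrence: expected incidents per year

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Policy:
    """Risk transference: an insurance policy with a deductible and a coverage
    ratio for the part of each loss above the deductible."""
    premium: float
    deductible: float
    coverage: float

    def retained(self, loss: float) -> float:
        """Share of one incident's loss that the company still pays itself."""
        if loss <= self.deductible:
            return loss
        return self.deductible + (loss - self.deductible) * (1.0 - self.coverage)


@dataclass
class Treatment:
    """One way of dealing with a threat.

    aro_factor models mitigation, avoidance or deterrence (the fraction of the
    original frequency that remains; 1.0 means no change), annual_cost is the
    treatment's own yearly price, policy is an optional insurance policy."""
    name: str
    annual_cost: float = 0.0
    aro_factor: float = 1.0
    policy: Optional[Policy] = None

    def expected_annual_cost(self, t: Threat) -> float:
        """Residual ALE after the treatment plus everything the treatment costs per year."""
        per_incident = t.sle if self.policy is None else self.policy.retained(t.sle)
        premium = 0.0 if self.policy is None else self.policy.premium
        return per_incident * t.aro * self.aro_factor + self.annual_cost + premium

    def net_benefit(self, t: Threat) -> float:
        """Value of the safeguard: what the treatment saves compared with doing nothing."""
        return t.ale() - self.expected_annual_cost(t)


def rank_by_ale(threats: List[Threat]) -> List[Tuple[str, float]]:
    """Threats ordered by ALE, highest first: where the budget argument starts."""
    return sorted(((t.name, t.ale()) for t in threats), key=lambda x: x[1], reverse=True)


def cheapest_treatment(t: Threat, options: List[Treatment]) -> Tuple[str, float]:
    """The option with the lowest expected yearly cost, with acceptance as the baseline."""
    best = min(options, key=lambda o: o.expected_annual_cost(t))
    return best.name, best.expected_annual_cost(t)


# Constructed figures for a small business (not real data).
THREATS = [
    Threat("Ransomware outbreak", sle=250_000, aro=0.2),
    Threat("Lost unencrypted laptop", sle=40_000, aro=1.5),
    Threat("Phishing-led credential theft", sle=80_000, aro=0.5),
]

RANSOMWARE_OPTIONS = [
    Treatment("Accept"),
    Treatment("Mitigate: tested backups and endpoint protection", annual_cost=20_000, aro_factor=0.25),
    Treatment("Transfer: cyber insurance",
              policy=Policy(premium=15_000, deductible=25_000, coverage=0.9)),
    Treatment("Deter: acceptable-use policy and monitoring notice", annual_cost=1_000, aro_factor=0.9),
]

if __name__ == "__main__":
    for name, ale in rank_by_ale(THREATS):
        print(f"{name:32s} ALE ${ale:>10,.0f}")
    ransomware = THREATS[0]
    for option in RANSOMWARE_OPTIONS:
        print(f"{option.name:55s} expected ${option.expected_annual_cost(ransomware):>10,.0f}"
              f"  net benefit ${option.net_benefit(ransomware):>10,.0f}")
    print("Cheapest:", cheapest_treatment(ransomware, RANSOMWARE_OPTIONS))
```

With these constructed numbers the insurance option comes out cheapest for ransomware, which is the situation the transference paragraph describes. The model scores each option on its own; in practice options are combined (a policy alongside mitigation), and the same `expected_annual_cost` arithmetic can be run on a combined `Treatment` by giving it both an `aro_factor` and a `policy`.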

It is essential that security professionals are consulted before these calculations are made. Their input will be required to gain an accurate estimate of the probable costs and level of risk faced.

If you, as an IT security professional, can provide accurate figures that can be used in the cost/benefit analysis, your company will be able to determine which security measures are essential and will allocate budgets accordingly.

Make sure you are an asset to your company and create your own risk analysis. As an IT security professional, you are in the best position to do this. If budgets are subsequently not forthcoming, it will not be your department that is blamed when security breaches are suffered.

Securing Data: What Data are Sensitive and Must be Better Protected?

Hackers and malicious insiders are trying to break through security defenses to get their hands on sensitive data, but what data are they actually looking for? Which data need to be better protected?

There are federal laws that require physical, technical and administrative controls to be put in place to keep data secure. Fail to protect certain data types and there could be serious trouble, regardless of whether a hacker actually manages to compromise your network.

Some data types are obvious, others less so. Credit card numbers, bank account information, Social Security numbers and healthcare data all require robust security measures to keep the information secure. Have you made sure that each of the following 9 data types has appropriate controls in place to prevent unauthorized individuals from gaining access?

Financial Data

The goal of many hackers and cyber criminals is to gain access to bank account information, and the logins and passwords used to access online accounts. Once they have this information they can use it to make transfers and empty accounts. Credit/debit card numbers are also sought in order to make online purchases and create fake cards. PINs, if stored, along with answers to security questions must similarly be protected with robust controls.

Medical Data

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to put physical, technical and administrative controls in place to keep medical data secure. In the wrong hands, medical data can be used to discriminate and defame. It is also used in spear phishing campaigns, and used with other data to commit fraud. Failure to secure these data is a violation of HIPAA Rules, and financial penalties are sure to follow. Criminal charges can even be filed against individuals for failing to secure highly sensitive data.

Driver’s License Numbers

A valid driver’s license number can be used to create fake driving licenses. These are not only useful to people who are not legally allowed to drive; they can also be used to obtain other forms of identification and to commit identity theft and fraud.

Student Data

Student data is increasingly being sought by criminals in order to commit fraud and identity theft. Universities and schools are required to protect data under the Family Educational Rights and Privacy Act (FERPA), which restricts the individuals who are allowed to access student records. Personal data, education information and test results must all be protected. Student Social Security numbers and dates of birth are highly sought after and often targeted by hackers.

Social Security Numbers

Social Security numbers (together with a limited amount of personal information) can be used to commit medical fraud, file false tax returns and steal identities. They are highly sought after by cyber criminals and often sold on darknet websites for big money. The SSNs of minors are particularly valuable, as they can be used for longer before fraud is identified. Social Security numbers are also covered by HIPAA rules and numerous other state and federal laws.

Health Insurance ID numbers

With health insurance information, criminals are able to file claims for medical services that were never provided and to make other fraudulent insurance claims. These data are highly sensitive and must be kept secure.

Intellectual Property Data

Your company’s secrets, product development information, source code, bespoke software, new product designs and blueprints are highly valuable to competitors. If your company has an edge, or is developing a new product or service, a competitor could use these data to develop similar products, and even bring a product to market first.

Human Resources Data

Human resources databases contain detailed information on employees such as salary information, bonuses, and confidential personal data. Criminals seek personal information of individuals in order to conduct convincing spear phishing campaigns. These data can also be used to blackmail individuals and discriminate.

Communications Data

Emails can contain highly sensitive information. When hackers gain access to an email account, they can obtain personal information, company secrets, and even many of the above data types. If an email account is compromised, it can be used to spread viruses and malware. Telephone records and text messages are also valuable.
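Before any of the data types above can be placed under controls, you have to know where they are stored, and that inventory is itself a scanning job. The following is an added example, not code from the original article: a small scanner that flags candidate Social Security numbers, payment card numbers and email addresses in a text record, applies the Luhn checksum and the ranges the Social Security Administration never issues to discard false positives, and masks every finding so the inventory report is not a second copy of the sensitive data. The patterns, the plausibility checks and the sample record are all constructed for illustration.

```python
"""Find where the sensitive data types listed in the article are stored.

Added example, not code from the original article. The patterns, the
plausibility checks and the sample record are constructed; a deployment would
extend the pattern set to the organisation's own record formats (insurance
policy numbers, student IDs, licence numbers).
"""
import re
from typing import Dict, List

# Candidate patterns. They only flag candidates; the checks below discard
# obvious false positives before anything is reported.
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject formats the Social Security Administration never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return the validated candidates of each type found in one record."""
    hits: Dict[str, List[str]] = {kind: [] for kind in PATTERNS}
    for m in PATTERNS["ssn"].finditer(text):
        if plausible_ssn(*m.groups()):
            hits["ssn"].append(m.group(0))
    for m in PATTERNS["payment_card"].finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits["payment_card"].append(m.group(0))
    for m in PATTERNS["email"].finditer(text):
        hits["email"].append(m.group(0))
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory report is not itself sensitive."""
    return "*" * (len(value) - 4) + value[-4:]


def report(text: str) -> List[str]:
    """One line per finding, masked, suitable for a data-inventory log."""
    return [f"{kind}: {mask(v)}" for kind, values in find_sensitive(text).items() for v in values]


# Constructed sample record: the card number is the widely used Luhn-valid test
# number 4111..., the SSNs are not issued numbers and the invoice number fails Luhn.
SAMPLE_RECORD = (
    "Employee file: hr@example.com, SSN 123-45-6789, card on file 4111 1111 1111 1111, "
    "invoice 1234567890123, placeholder SSN 000-12-3456"
)

if __name__ == "__main__":
    for line in report(SAMPLE_RECORD):
        print(line)
```

Run over a directory of exported documents or database dumps, the report tells you which systems hold which of the listed data types, which is the starting point for the encryption, access-control and secure-erasure controls discussed below. The 13-digit invoice number in the sample is caught by the card pattern but dropped by the Luhn check, which is the kind of false positive a plain regex scan would otherwise report.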

Data must be secured at rest and in motion

Controls must be put in place to secure all forms of these data, whether they are in Word documents, PDFs, JPEGs, spreadsheets, EHRs or other databases. Just as paper files must be shredded when they are no longer required, the same applies to electronic data. Records must be securely and permanently erased when no longer required. It must not be possible to reconstruct any of these data once deleted.

It is essential to protect stored data, especially if it is housed on portable devices such as zip drives, laptop computers, portable hard drives and smartphones. These devices are all too easily misplaced, lost or stolen. Data encryption should be considered to protect all stored sensitive data. Data must similarly be protected when in transit. Emails should be encrypted, as should SMS messages. A number of companies provide SMS and email encryption services to allow communications to be sent securely, with authentication controls to ensure only the intended recipient can view the messages.