Ian Thornton-Trump, the Chief Information Security Officer at Cyjax Ltd, discusses the necessity of widespread cyber-security investment.
From 2015 onwards, the scourge of ransomware attacks on small, medium, and large enterprises grew at a phenomenal rate and moved from cottage industry to sophisticated operations run from globally connected criminal havens. Since 2012, those of us working in cyber threat intelligence and the cyber-security industry predicted the cybercriminal growth trend, but even the most audacious estimates of growth fell woefully short of the reality.
It is estimated that the cost of ransomware to businesses will top $20bn in 2021 and that global damages related to cybercrime will reach $6 trillion. The estimate includes the cost to restore and mitigate following a ransomware attack and is not limited to actual ransom payments. [1]
No board members, executives, managers or even members of staff should be unaware of the relentless cyber-attacks and cyber-security challenges: they are in the news almost daily in one form or another. It could have been a customer of yours, a supply chain partner of yours or even your organisation itself which has fallen victim. Anyone who has endured a ransomware cyber-attack knows all too well the inconvenience and the difficulty of recovering back to normal operations. It is not as if anyone can ignore the warning that “your files have been encrypted”.
Although the mainstream media covers the big stories, there is one key point which is often missed in the breathless reporting of the internal state of an organisation as it battles to regain control from a cybercriminal attack. The key takeaway is that ransomware is a failure of the organisation’s cyber-security measures – regardless of the “sophisticated” or even “predictable” nature of the attack.
The frustration of watching a cyber-attack unfold inside an organisation comes from the realisation that there are several perfect moments before and during the attack where the damage could have been prevented or the attack avoided altogether. Although technical security controls play a role in a data breach, the key question to ask after the dust settles is: “What could we have done before the attack happened?” The answer is equally straightforward: make the business case for proactive investment in cyber-security.
Kaspersky has startling data from a 2020 survey that really underscores the importance of proactive cyber-security investment. Here are a few of the highlights from their data:
Financial losses – 32% lower in enterprises that could detect a breach almost instantly, compared to those that did so in a week or longer. [2]
IT lifecycle management – the cost of a data breach rises by 47% to an estimated $1.3m in enterprises that still deploy outdated technology, compared to $836k where all software and hardware are up to date. [2]
Data retention and collection – enterprises that collect customer data lose 62% more ($1.3m) than peers that do not ($807k). [2]
There is a lot of solid data to unpick here; as research into the economics of cyber-security, this study contains figures you can use to drive a complete change in your enterprise’s approach to confronting data breaches and ransomware attacks.
Firstly, there is no question that financial loss is limited the sooner an attack is detected: this is straightforward. However, because ransomware operators attempt to mass-exfiltrate the organisation’s data to use as public disclosure leverage in efforts to coerce the ransom payment, detecting and stopping that activity is a key cost-reduction factor. This alone should drive cyber-security investment into the appropriate tools and training for your organisation.
Secondly, anyone who has been working in cyber-security can generally apply the rule of thumb that “the older the IT system, the more vulnerable it is.” For the first time, we now have data to support that assumption, and a near 50% saving in data breach cost from investing in and supporting IT lifecycle management is a number worthy of our attention. Ensuring those older and vulnerable systems are minimally exposed to the internet and protected via MFA, VPN and WAF will help mitigate the exposure. The biggest improvement in organisational cyber-security posture is likely to come from replacing those vulnerable systems.
Thirdly, holding less customer data does appear to mean less organisational risk: that has always seemed self-evident. Now we can quantify it: in a data breach scenario, more than 60% of the cost savings are realised by reducing data sprawl and archiving non-operational data. With less data to steal from your organisation, the cybercriminals will have far less leverage over it.
So, within your enterprise, who is listening to what companies like Kaspersky and others are saying about the economics of reducing data breach costs? Who can take that data and apply it to your organisation? It is the job of the cyber threat intelligence team to understand the risks, threat models and opportunities for proactive cyber-security recommendations.
The cyber threat intelligence programme works across the organisation to predict attacks and prevent them from happening. It identifies and protects the most vulnerable systems and makes recommendations on opportunities to reduce risk by discovering data that is no longer required: these tasks form the ultimate proactive cyber-security capability of your organisation, and this work could dramatically decrease the cost of a data breach and ransomware attack.
References: