Several recent reports warn of a high level of complacency among organizations about the risk of cyber security and espionage attacks. The assumption is that these attacks only target government, military and high-profile organizations, but the data shows that this increasingly isn’t true. Companies are warned to not underestimate the likelihood that they will be a target.
No target is too small or too large. The methods used to gain access to data are numerous, wide-reaching and ever-growing. The compliance and disclosure mandates are substantial. And the cost of cyber security is only growing.
Are you concerned? The Verizon 2013 Data Breach Investigations Report warns of a high level of complacency among organizations about the risk of cyber security and espionage attacks. The assumption is that these attacks only target government, military and high-profile organizations, but Verizon data shows that this increasingly isn’t true. The researchers warn not to underestimate the likelihood that your organization will be a target.
More research from the Ponemon Institute, the 2013 Cost of Cyber Crime Study, finds that cyber attacks have become common occurrences with companies experiencing, on average, two attacks each week, an increase of 18% over last year. And the cost of cyber crimes continues to grow, 26% more than the previous year, to surpass an annualized average cost per company of $11 million.
The problem is two-fold: smarter, more aggressive bad guys and more regulatory and compliance mandates. Both are driving companies to spend more resources.
Start with the bad guys: they have gotten smarter and their attacks stealthier, which makes them more difficult to detect, according to Ponemon. And, the attacks last longer, often referred to as Advanced Persistent Threats (APT).
From the organization’s standpoint, they are incurring costs because there are more regulatory and compliance requirements, according to Ponemon, especially in highly regulated industries like financial services, defense contractors, and critical infrastructure companies. They are being forced to respond with more proactive security entailing more and better forensics, discovery, and containment. Security breaches not only are a threat to the company but a costly, seemingly unending headache.
Says Larry Ponemon in a published piece: Four years ago, when we started to do this analysis, some organizations weren’t doing enough on the detection and forensic side. Now, we’re seeing very few organizations taking a willy-nilly attitude and neglecting the up-front investigation.
Neither report sees any letup in the attacks, at least in the short term. Rather than let your guard down prepare your team and your budget to wage an ongoing and increasingly costly battle. Not doing that, however, can be even worse.
Still, Ponemon is optimistic. He sees people and technologies coming together to initiate better defensive strategies and capabilities. These include the deployment of security intelligence enhancing technologies like Big Data analytics that allow your team to effectively identify the problems and real-time predictive analytics that can enable you to thwart an attack, even one in progress.
These technologies aren’t cheap. Ponemon expects a healthy increase in cost over the short term. In the long term, however, he sees costs actually decline as organizations get better at beating back cyber criminals.
In the meantime, Verizon suggests eight steps you should take now:
- Eliminate unnecessary data; keep tabs on what’s left
- Perform regular checks to ensure that essential controls are met
- Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness
- Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs) that can greatly assist defense and detection
- Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology, especially analytics
- Regularly measure things like the number of compromised systems and mean time to detection, and then use these numbers to drive better practices
- Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a one-size-fits-all approach to security
- Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal
Nobody wants to divert resources for this level of security but not doing so could have an even worse impact on the balance sheet.