A solid cybersecurity foundation is built on confidentiality, integrity and availability.
The year isn't over yet, but the news has been filled with a continuous series of data breaches. Point-of-sale systems at Arby’s stores were infected with malware that collected payment information, adding the restaurant chain to an ever-increasing list of victims. Chipotle recently suffered a similar attack. Just last month, nearly half of Americans may have had their personal information stolen in the massive Equifax data breach. Not all attacks have a clear payout: in April, emergency sirens in Dallas, Texas were set off more than a hundred times over a couple of hours, leading to a wave of 911 calls.
Totaling the Costs
The threat of ransomware, which encrypts its victims’ computers, offering to decrypt them in exchange for a payment, continues to grow. One example is WannaCry, which impacted hundreds of thousands of computers around the world, from airports to hospitals, this past May. Then there was Petya/NotPetya, which initially appeared to be a form of ransomware but turned out to be a “wiper,” leaving its victims unable to decrypt their data—even if they paid the ransom. After data was stolen from HBO’s network, its attempt to pay the hackers was ignored, and the data (which included episodes of Game of Thrones) was leaked online.
WannaCry is estimated to have cost up to $5 billion worldwide, but that figure is spread across a massive list of companies. The cost of the Arby’s breach is still being calculated—though an IBM study estimates the average data breach costs $141 for each lost or stolen record, and often there are tens of millions of such records involved. That number considers factors such as post-breach customer loss, detection and escalation, and post-detection costs, such as legal fees and customer notification costs.
One of the better documented breaches in recent years was Anthem’s breach in 2015, one of the largest in corporate history. When the records of nearly 80 million people were compromised, the company spent more than $260 million: $2.5 million on expert consultants, $31 million on initial notifications, $112 million on credit protection for victims, and $115 million in security improvements. Home Depot’s 2014 breach cost the company more than $179 million, and a 2013 breach cost Target at least $290 million, of which only about $90 million was expected to be covered by cybersecurity insurance.
It should be obvious at this point that everyone should be investing in cybersecurity. In addition to the financial costs, businesses are impacted in many other ways, including downtime from discovery through recovery, the loss of critical information, and a loss of confidence, affecting both customers and employees.
A Secure Foundation
So how can companies protect themselves? A solid cybersecurity foundation is built on confidentiality, integrity and availability. That translates to the right people (and only the right people) having access to uncorrupted copies of information when they need it.
For some companies, this means having a dedicated team of cybersecurity professionals, ideally separate from the rest of the IT staff. In a small business environment, it often makes more sense to find an outside company to help. Information security companies can provide a range of services, from writing security policies and configuring network monitoring, to incident response and forensic investigation, to penetration tests and phishing tests. Even with all this in place, many companies protect themselves with cybersecurity insurance, the same way a car is protected by auto insurance.
While the aforementioned examples may all have been large companies, the threat to small businesses continues to grow as well. Skilled attackers know that while small businesses may offer a smaller payout, they are also more likely to lack the resources to defend against an attack, and less likely to detect a breach.
It helps to provide cybersecurity training to all employees of all businesses, whether large or small. Such training typically includes tips such as:
- Updates: Keep your operating system (e.g., Windows, Mac) as well as software and applications (Office, Internet Explorer, etc.) up to date. Updates often include security patches to protect you from the growing list of threats.
- Firewall: While a software firewall is usually sufficient for your home computer, businesses of all sizes should look to hardware firewalls to better secure their data, especially when it is private customer information.
- Anti-virus/anti-malware: These applications protect you from threats and let you know when there’s something to worry about.
- Password security: Password managers don’t just remember passwords for you; they often help you use better passwords as well. While a note taped to the bottom of a keyboard or stapler might seem secure, it's easy to access for anyone who walks past your desk.
- Phishing: Nigerian princes aren’t the only ones looking to take advantage. Spoofing the sender address so a message appears to come from someone else isn’t much of a challenge for someone who knows what they’re doing.
Cybersecurity may seem like something that only happens to the other guy, but the list of victims is growing every day. The tangible costs of recovery, the brand cost of customer loyalty, and the need for business continuity all drive home the need to protect businesses of all sizes from the growing list of cybersecurity threats. As former Cisco CEO John Chambers once said, “There are two types of companies: those that have been hacked, and those who don't know they have been hacked.” iBi