Every day, we keep hearing about how companies are being attacked. But when you read these kinds of headlines, take a moment or two to really analyze them. Have you noticed that the actual dollar amount of the security breach is almost never revealed? At most, the only metric disclosed is how many people have been affected, or how many PII datasets have been heisted and sold on the Dark Web. I can see where companies are coming from on this: they don't want to reveal too many metrics in terms of loss. After all, doing so would lead to a horrible degradation of their brand image, and could even mean lost customers. The only way we really find out the true cost of a Cyber or data breach is when a large Cyber company that specializes in market research takes the time to create a survey and polls a number of respondents in order to get a range of what the true dollar amount actually is.
These kinds of surveys are done at random intervals, but the ones that tend to follow a regular schedule are the reports from companies like Verizon and IBM. But as I was perusing the news headlines trying to decide what to write about, I came across an article which discussed a newer kind of survey, and this one was conducted by a firm known as Forrester Research, a leading market research company.
Their report is entitled "The 2021 State Of Enterprise Breaches", which came out on April 8th. As usual, they found some interesting stuff, so here is a summary of some of the major findings:
*There is really no direct correlation between the total number of security breaches that happen in a given time period and the total financial cost related to them. For example, a lot depends upon the geographic location of the impacted business, and how ready it was to respond to and combat the attack.
*It took the average American business about 38 days to discover a security breach, but actually recovering from the breach took almost 2x as long, at about 62 days.
*Another interesting finding is that for businesses that had some sort of incident response plan, the cost of the security breach was lower, averaging $3.0 million. But for those that did not have such a plan in place, the cost to recover was much higher, at $4.0 million.
*In other words, there is a huge financial gap between those that are even semi-ready to respond to a Cyberattack and those that have nothing in place to respond. This so-called "disparity value" has been tagged at well over $600,000.00.
*Believe it or not, the United States had a quicker time on average to respond to a security breach when compared to the other geographic regions around the world. For example, in the pool of respondents, 59% of American businesses suffered an attack, whereas 63% of the respondents from other parts of the world suffered from one.
*Businesses located in Europe had the quickest time to respond, primarily because they are so heavily governed by the GDPR.
*Although it is not a huge surprise, this report also found that those businesses that had some sort of response plan in place suffered the least in terms of financial loss.
This study also discovered another key finding: it appears that many of the respondents are still more concerned with Cyberthreats that come from the external environment than with what can happen in the internal environment. Here are some of the key findings in this regard:
*47% of the respondents viewed Cyber threats from the external environment as a top priority, but only 34% of the actual Cyberattacks came from the outside world. It was later discovered that 24% of these breaches actually came from an internal source, and 21% of them came from a third party supplier who was supposedly trusted.
My Thoughts On This:
Overall, the findings of this research study are depicted below in the illustration:
From the information I have provided in this blog, I can
come up with two conclusions:
*The Insider Threat is real, and it will become even more predominant as companies stay heavily focused on the external environment. There needs to be a balance between both worlds, but perhaps a greater emphasis needs to be placed on what is going on within a business. Given the threat environment today, this is more crucial than ever before.
*The old mentality of "If I have never been hit, I will probably never get hit" needs to go away quickly. Of course, everybody is entitled to think how they want, but it is in your best interest to have some sort of incident response plan in place. And this study proved it: those businesses that were impacted but had some sort of plan in place to respond faced a lower financial toll than those entities that did not have anything.
Finally, I think that it should be a federal requirement of some sort that companies, no matter how large or how small, or whatever industry they are in, fully disclose at some point in time the average dollar figure of the security breaches they have experienced. This is the only way that Corporate America will finally wake up and smell the coffee about the realities of the Cyber threat environment.
The Forrester Report can be downloaded at this link:
https://www.forrester.com/blogs/breaches-by-the-numbers-adapting-to-regional-challenges-is-imperative/