Sunday, April 24, 2022

Think You Will Never Be Hit Because You Haven't Been Yet? If So, The Financial Costs Will Be Much Higher

Every day, we keep hearing about how companies are being attacked. But when you read these kinds of headlines, take a moment or two to really analyze them. Have you noticed that the actual dollar amount of the security breach is almost never revealed?

At most, the only metric revealed is how many people have been affected, or how many PII datasets have been heisted and sold on the Dark Web. I can see where companies are coming from on this: they don't want to reveal too many metrics in terms of loss.

After all, this would lead to a horrible degradation of their brand image, and could even mean lost customers. The only way we really find out the true cost of a Cyber or data breach is when a large Cyber company that specializes in market research takes the time to create a survey and polls a number of respondents in order to get a range of what the true dollar amount actually is.

These kinds of surveys are done at random intervals, but the ones that tend to follow a regular schedule are the reports from companies like Verizon and IBM. As I was perusing the news headlines trying to decide what to write about, I came across an article which discussed a newer kind of survey, this one conducted by Forrester Research, a leading market research firm.

Their report is entitled "The 2021 State Of Enterprise Breaches", and it actually came out on April 8th. As usual, they found some interesting stuff, so here is a summary of some of the major findings:

*There is really no direct correlation between the total number of security breaches that happen in a given time period and the total financial cost that is related to them. For example, a lot depends upon the geographic location of the impacted business, and how ready it was to respond to and combat the breach.

*It took the average American business about 38 days to discover a security breach, but actually recovering from the breach took almost 2x as long, at about 62 days.

*Another interesting finding is that for businesses that had some sort of incident response plan, the cost of the security breach was lower, averaging $3.0 million. But for those that did not have such a plan in place, the cost to recover was much higher, at $4.0 million.

*In other words, there is a huge financial gap between those that are even semi-ready to respond to a Cyberattack and those that have nothing in place to respond. This so-called "disparity value" has been tagged at well over $600,000.00.

*Believe it or not, the United States had a quicker average time to respond to a security breach when compared to the other geographic regions around the world. For example, in the pool of respondents, 59% of American businesses suffered an attack, whereas 63% of the respondents from other parts of the world suffered from one.

*Businesses that are located in Europe had the quickest time to respond, primarily because they are so heavily governed by the GDPR. 

*Although it is not a huge surprise, this report also discovered that those businesses that had some sort of response plan in place suffered the least in terms of financial loss.

This study also uncovered another key finding. It appears that many of the respondents are still more concerned with Cyberthreats that originate from the external environment than with what can happen in the internal environment. Here are some of the key findings in this regard:

*47% of the respondents viewed Cyber threats from the external environment as a top priority, but only 34% of the actual Cyberattacks came from the outside world. Of the remaining breaches, it was discovered later that 24% actually came from an internal source, and 21% came from a third-party supplier who was supposedly trusted.

My Thoughts On This:

Overall, the findings of this research study are depicted in the illustration at this link:

https://www.darkreading.com/attacks-breaches/more-than-60-of-organizations-suffered-a-breach-in-the-past-12-months

From the information I have provided in this blog, I can come up with two conclusions:

*The Insider Threat is real, and it will become even more prevalent as companies stay heavily focused on the external environment. There needs to be a balance between both worlds, but perhaps a greater emphasis needs to be placed on what is going on within a business. Given the threat environment today, this is more crucial than ever before.

*The old mentality of "If I have never been hit, I will probably never get hit" needs to go away quickly. Of course, everybody is entitled to think how they want to, but it is in your best interest to have some sort of incident response plan in place. This study proved it: those businesses that were impacted but had some sort of plan in place to respond faced a lower financial toll than those entities that did not have anything.

Finally, I think that it should be a federal requirement of some sort that companies, no matter how large or small, and whatever industry they are in, fully disclose at some point in time the average dollar figure of the security breaches they have experienced. This is the only way that Corporate America will finally wake up and smell the coffee about the realities of the Cyber threat environment.

The Forrester Report can be downloaded at this link:

https://www.forrester.com/blogs/breaches-by-the-numbers-adapting-to-regional-challenges-is-imperative/
