Businesses Can No Longer Afford to Ignore the Threat of Cyber Attacks by Sean Chari
Posted on February 04, 2015 by Steve Nouss
On November 24, 2014, Sony Pictures Entertainment was hacked, purportedly in response to a pending movie release. International headlines focused on the salacious details about the Hollywood executives and celebrities mentioned in the breached emails. Widely ignored by the news media was Sony’s lack of protection and monitoring of its IT environment, which exposed the company to significant operational and financial risks. More notably, this was not the first breach of the company’s network.
Sensitive information exposed by the Sony hack included critical corporate data, such as strategic plans and scripts, as well as personal, identifiable information about the company’s employees, including their names, social security numbers and bank account numbers. For Sony CEO Michael Lynton, unencrypted emails revealed personal bank and credit card account numbers and login passwords as well as images of his family members’ passports and social security cards. The attack shines a light on the all too common corporate culture of inadequate security practices and the misguided perspective that IT-related risks are not critical to business operations.
News Flash: IT Security is Critical to Business Success
Budget constraints and perceived lack of exposure to business risks are failing arguments against increased IT controls and network-security vigilance. The costs of an effective IT security control environment are far less than the financial and reputational damages a company will suffer after a hack. Just ask Home Depot and Target. Both spent millions of dollars in clean-up efforts, damages and fines following IT security attacks that resulted in the theft of millions of customers’ credit card data.
Organizations of all sizes and industries are equally vulnerable to a hack. The moment that an organization connects its business to the Internet (for email communications, sales processing, purchasing, research and/or social media) it becomes a potential target for a hacker.
The results of the “2014 Global Report on the Cost of Cyber Crime” conducted by the privacy, data protection and information security policy firm Ponemon, point to some staggering trends:
Cyber crimes continue to rise. The average cost per incident was $7.6 million in 2014, compared to $7.2 million in 2013.
Cyber crime costs vary by the size of an organization. On average, smaller organizations were impacted more negatively by a data breach than larger organizations.
The costs of cyber attacks increase when they are not resolved quickly. On average, businesses took 31 days to contain attacks, at an average cost of $639,642, up 23 percent from 2013. Malicious insider attacks took an average of 58 days to contain.
Security intelligence systems help to reduce costs of an attack. Security intelligence systems that efficiently detect and contain cyber attacks saved companies an average of $2.6 million in cyber-attack mitigation costs. Moreover, the study found that both encryption technologies and advanced perimeter controls with reputation feeds provided businesses with additional mitigation control effectiveness.
Enterprise security governance practices moderate the cost of cyber attacks. Investment in enterprise security governance models, which define and implement effective practices and employ qualified personnel, was found to reduce the cost of cyber attack damages by an estimated $1.3 million.
Businesses’ growing dependency on real-time data analytics and their increased Internet presence and reliance on technology as a whole combined with the level of sophistication of cyber-hackers is cause for alarm. To protect themselves from the myriad of cyber attacks that have and continue to occur, all organizations must take steps to protect their assets and those of their clients. This is especially true for small- and mid-size companies that have fewer resources available to them to contain and respond to cyber attacks than their larger counterparts. For these organizations, the reputational and economical damages of a breach could hamper significantly or shut down their operations.
Regardless of size and complexity, all organizations need to be proactive in employing IT security governance models. These simple solutions provide immediate protection with minimal additional costs.
- Strong Password Controls
- Email Encryption
- Encryption of Critical, Sensitive Files on Networks, Computers and Mobile Devices
- Effective IT Security Monitoring Tools
- Cyber-Liability Insurance Policies. Businesses should discuss this often-forgotten topic with their agents to determine the appropriate types of liability coverage programs that work best for them.
Operating in today’s hyper-connected environment does not come without risks. However, by discussing and employing IT security governance, businesses will be better equipped to contain and even prevent a cyber-attack. Could your organization survive with its current model?
About the author: Sean Chari is a senior manager in Berkowitz Pollack Brant’s Consulting practice. He can be reached in the CPA firm’s Ft. Lauderdale office at (954) 712-7000 or via email at email@example.com