How to prevent data breach hell? Craig Hinkley, CEO of Whitehat Security, has the answers.
A data breach of any kind will always be damaging, but recent research into the financial impact of some of the most high profile breaches in the last few years suggests they can be even more detrimental than previously thought, particularly for publicly-traded companies. Record-breaking fines, plummeting share prices and sky high legal fees are, unfortunately, all par for the course.
According to the research, the average cost of a data breach amongst public companies currently stands at an eye watering $347 million, but for some it can be much, much higher. For example, Marriott’s 2018 data breach is expected to ultimately cost the company well over $1 billion once the dust has finally settled.
The cyber-attack shockwave lasts long after an initial breach
Another recent study into the impact of cyber-attacks on stock market activity found that breaches not only do significant damage to an organisation’s reputation in the immediate aftermath, they also produce a shockwave that can stunt future growth prospects as well. Share price will almost certainly suffer a short-term hit but over the longer term, dividend payments get lower and R&D investment declines, compromising market position.
Despite this, cyber security remains a painfully under-resourced and underfunded area of many organisations’ business strategies. In fact, it usually takes a damaging breach occurring before any kind of uptick is seen in spending on much needed tools and employees.
Fortunately, spending is slowly on the rise
The good news is that investment in cyber security is slowly starting to increase. The latest data from IDC suggests 2019 spending was almost 10% higher than 2018, topping $103 billion globally. This trend is set to continue as more and more companies finally realise the unnecessary risks they are taking with their sensitive data.
However, after years of neglect and underfunding, many companies have no idea where to start when looking to improve their cyber defences. As a result, they often waste money on products and solutions that simply aren’t suited to their actual security needs.
For instance, web application vulnerabilities have been the biggest cyber security risk for a number of years, yet only 3% of current IT spending is going towards web application security, which begs the question; where is the other 97% going?
Building a cyber-safe organisation takes planning and collaboration
As cyber threats continue to evolve and expand, organisations must be much more vigilant and proactive in the way they protect themselves, which takes good communication and collaboration at all levels of the business.
It is critical that leadership teams to ensure they’re doing all they can to build a robust cyber defence that can keep their sensitive data safe at all times. Below are five key steps to consider in this process:
Start with existing technology and employees: Assess current management programs and technologies that help minimise insider threats through user behaviour monitoring and employee education. Regular training on company policies, data security best practices, as well as ways to identify and prevent ransomware attacks can be extremely beneficial.
Build strong relationships at the executive level: Strong partnerships between cyber security and business executives can lead to a much clearer understanding of the main threats faced by the business and the right level of resources needed to put effective defences in place. Regular planning meetings between senior security staff and other members of the board will help identify new risks and ensure clear lines of communication are in place whenever they are needed.
Don’t be afraid to make use of outside perspectives: When it comes to analysing and assisting with security budgets, risk management, technologies, and staffing, don’t be afraid to consider bringing in independent consultants. While every business and risk profile is unique, expert third parties can provide benchmarking against peer institutions, offer deep security knowledge and deliver impartial viewpoints.
Don’t rest on your laurels, conduct regular risk assessments: Security officers should be encouraged to conduct comprehensive audits on an annual basis - or as often as the business deems necessary - to identify the biggest threats and security gaps, and then prioritise security needs accordingly. Any major changes to the business, such as new acquisitions or business partners, should also trigger a new security assessment. Thorough investigations should be conducted as the business grows, introduces broad technology changes or reduces company headcount. On the flip side, redundant technologies should also be reduced or removed wherever possible.
Consider taking out a suitable cyber insurance policy: Cyber insurance provides a company with the necessary assistance to deal with any investigations, lawsuits or privacy violations that may result from a data breach. Like any insurance policy, it’s important to re-evaluate cover over time to ensure it stays aligned with current risks and ongoing market activity.
As the potential fallout from a cyber-attack becomes increasingly severe, it’s clear that businesses can no longer bury their head in the sand and hope it doesn’t happen to them.
Cyber security is everyone’s responsibility and leadership must give it top billing on the corporate agenda if they truly want to keep their sensitive data (and that of their customers) safe from the growing number of cyber-criminals hoping to get their hands on it.