Last fall, the multinational cybersecurity firm Kaspersky Lab
surveyed 5,500 organizations in 26 countries on the costs associated
with security breaches. According to the study, 90% of businesses
surveyed reported that they had experienced a security “incident.”
On average, large enterprises spent $551,000 recovering from an
attack, with small to mid-sized businesses spending $38,000. And,
according to Kaspersky Lab, these are just the direct costs related to
a breach, which generally include not only the hiring of outside IT
expertise, lawyers, risk management consultants, and PR services,
but also the expense of downtime and compromised brand reputation. The indirect cost of security breaches––dedicating funds to
making sure the company isn’t attacked again––cost large organizations an average of $69,000 and small to mid-sized businesses $8,000.
Granted, these statistics should be taken
with a grain of salt. Kaspersky Lab offers
security-related products and services,
and therefore stands to benefit from
generating concern among business
leaders who are, for all intents and purposes,
potential clients. But numbers
aside, Kaspersky has an extremely valid
point: When it comes to security
breaches, no one is safe. Remember
Target, Sony…the U.S. government?
And while it’s the big firms that make
headline news, small to mid-sized businesses
are just as vulnerable.
“Anyone with money in a bank
account, any sort of personal identity
information—including [that of]
employees—or intellectual property
is a target,” said Bob Weiss, CEO and
chief technician at IT services firm
WyzGuys. Sometimes hackers will
attack a smaller organization in the
interest of accessing a larger one that
does business with it. “A small vendor
with network access to a large customer
company may be targeted as an entry
point to the customer company,” he
explained. Case in point: Target was
hacked through an HVAC vendor.
The tendency among many organizations
is to attempt to prevent breaches
outright––a noble concept, but one that
some security specialists argue isn’t very
effective. “Instead of trying to prevent a
security breach, I recommend anticipating
one,” said Michael Santarcangelo,
founder of cybersecurity consultancy
Security Catalyst and author of Into the
Breach: Protect Your Business by Managing
People, Information, and Risk.
This mind-set, Santarcangelo argues,
leads to the questions that set up organizations
to prepare appropriately:
What information does a business have
that would interest an attacker? Who
are its suppliers? Who are its customers?
What customer information would
hackers potentially want? How is the
business connecting with its suppliers
and customers? “When a business starts
answering these types of questions, the
process starts to work differently,” he
noted.
One of the ways a business can
prepare for––and in this case, possibly
prevent––a breach is to minimize its risk
exposure. Santarcangelo encourages
businesses to offload certain noncore
functions, citing credit card processing
as an example. “Although getting paid
is important, most firms aren’t in the
credit card business,” he said. “There

Breach brush-up
Cyber attacks are going to happen, say experts, so companies should be more concerned with preparation than prevention.
by Carolyn Heinze