Cybersecurity: How to save, how to plan, and how to stay safe

Cyber Security Month, October 2017

Misconceptions and organizational deficiencies amplify the risk posed by cybersecurity threats. But make no mistake: the threats are real, and if you haven’t been paying attention to the news lately, they are costing companies and countries worldwide tens of millions, if not billions, of dollars. In fact, it’s estimated that cybercrime costs will double to reach $6 trillion USD in 2021.[1] In 2016, almost 1.4 billion records were compromised, a year-over-year increase of 86%,[2] and ransomware is now essentially a billion-dollar business for cybercriminals.[3]

The recovery process is not easy. Once attacked, the damage done to your company’s reputation could be irrevocable. Yahoo was sold for $350 million less because of a breach affecting one billion user accounts.[4] The global ransomware attacks of June 2017 impacted several large, multinational companies to the point that they had to disclose the effects on their operations publicly, which in some cases amounted to tens of millions of dollars. Beyond the dollar amount, reputational damage and the loss of trust from clients, customers or employees can do far more to affect a company’s longevity. What might resonate closer to home for some (as not all business owners lead massive tech companies): of the roughly 40% of small and mid-sized businesses that were hit with ransomware and paid their attackers, less than half got their information back.[5]

The Human Factor
In most instances, the human factor is a critical element in letting an attack in, and it’s not just clicking on malicious links. Other openings that attackers look for include:

  • Poor patch management
  • Lost equipment
  • Dissemination of sensitive information (email, social networks, storage sites)
  • Workers that visit unauthorized sites
  • Employees inserting infected USB keys into hardware
  • Overly simple passwords or sharing of passwords
  • Non-adherence to policies and procedures

According to the Ponemon Institute, the average cost of a breach in Canada in 2016 was roughly $278 / record. If one is to lose, say, 20,000 records, that’s well over $5.5 million – the costs add up! However, a company can save an average of over $80 per record breached through relatively inexpensive initiatives:

  Step                                                      Savings
  Having a strong incident response plan                    $25.00 / record
  Having a strong employee training program                 $15.50 / record
  Involving the Board of Directors                          $12.30 / record
  Sharing information about threats                         $9.80 / record
  Appointing a Chief Information Security Officer (CISO)    $8.90 / record
  Having good insurance coverage                            $6.70 / record
  Having a data classification scheme                       $5.60 / record

  Total savings: $1 million+ in the event of an attack

Managing a cyber crisis
Beyond the steps above, make sure cyber crisis management is integrated into your culture and organizational processes. How?

  • Practice! Engage in simulations to reinforce the importance of proper reactions (and ensure people know what steps to take!).
  • Stay current. Following your analysis exercises, be sure to update your crisis management plan and business continuity/recovery plans, as well as your IT incident management process.
  • Communicate. Select and arrange the right people around the table (then be sure to update processes to reflect any changes, and practice simulations with new people). It may be cyclical, but it is necessary.

How we can help
Richter professionals can help arrange simulations and walk through your incident response plans to double-check that every process and procedure is covered. Additionally, we recommend running a maturity diagnostic, vulnerability assessments, configuration audits, awareness campaigns and cyber warfare workshops, which are among the many solutions that can help increase your cybersecurity maturity.

The Top 10 Checklist

Beyond all else, as part of management, be sure to complete this checklist:

  1. Take responsibility for information security
  2. Determine your security risk tolerance
  3. Engage in dialogue with resources responsible for security
  4. Prioritize security governance (frameworks, hierarchical positioning, accountability)
  5. Ensure that security-related risks are being assessed
  6. Request that discussions focus on business, rather than technical issues
  7. Consider legal issues and damage to reputation (disclosures, data protection, etc.)
  8. Create a roadmap (with key components: classification, diagnostics, awareness-raising, and implementation)
  9. Reassess insurance coverage
  10. Obtain periodic assessments from a specialized firm

Bonus: don’t overly rely on intrusion testing as a means of total control.

Each initiative requires minimal planning effort from you and your team, but can maximize your ability to respond quickly and effectively to impending attacks.

To begin preparations, contact one of our risk and cybersecurity experts today.

[1] “Cybercrime – The Trillion Dollar Business”. Business Insights. 2016.

[2] “2016 Mining for Database Gold: Findings from the 2016 Breach Level Index”. Gemalto. 2016.

[3] “Ransomware spiked 6,000% in 2016 and most victims paid the hackers, IBM finds”. CNBC. 2016.

[4] “Yahoo salvages Verizon deal with US$350 million discount”. CTV News. 2017.

[5] “Ransomware Payout Doesn’t Pay Off”. DARKReading. 2017.