Reducing the Cost of a Breach

The thought of a data breach is enough to send a chill down any business owner’s spine. And rightly so. Last month The Ponemon Institute released its annual Cost of a Data Breach Report, showing that the cost for companies that experience a breach continues to rise. According to the report, data breaches cost U.S. companies an average of $8.19 million per breach — far above the global average of $3.92 million.  

And the news is even worse for small businesses. The report found that smaller organizations suffer higher costs relative to larger ones. While a data breach will cost a large organization $204 per employee, smaller organizations see that cost jump up to $3,533 per employee.

The report also shows that a single breach can have a long-term impact on a business. New in this year’s report is an analysis of so-called “longtail costs” that show how organizations feel the impact of the breach years after it occurred. It turns out that only 67% of the cost of a breach comes in the first year, with 22% in the second year, and 11% in the third.

Reducing the Cost of a Breach

So that’s the bad news. Luckily, the report also lays out a number of steps that have proven to significantly reduce the cost of a breach.  

Incident Response Plan and Simulation 

By far, the most effective way to reduce breach costs is to respond quickly. The report found that on average it took companies 206 days to identify a breach and another 73 days to contain it. However, those that were able to find and stop a breach in under 200 days saved a whopping $1.2 million.  

The best way to ensure you’re able to respond fast is to have a dedicated incident response team and a detailed response plan in place, and to conduct periodic tests of that plan. According to the report, the combination of an IR plan and regular incident simulations leads to greater cost savings than any single security process — saving an organization an average of $1.23 million.

Encryption 

The report also shows that properly encrypting your most sensitive data will help reduce the cost of a breach. Encrypting data essentially scrambles your information so that it can’t be read without the key to decrypt it. According to the report, companies that encrypt their data on premises, at the endpoint, in transit, and in the cloud reduced the cost of a breach by an average of $360,000.

Security Automation 

More and more organizations are using security automation such as machine learning analytics and incident response orchestration to quickly identify and contain system vulnerabilities. According to the report, the cost of a data breach is 95% higher for organizations without security automation in place. There are a number of automated security processes available, but even just conducting regular vulnerability scans will go a long way toward reducing the cost of a breach.

Customer-Centric Governance

The report also found that effective governance and leadership, such as a chief privacy officer or chief information security officer who focuses on preserving customer trust, is a key driver in reducing breach costs and maintaining a company’s key asset: its reputation.

Keep Things Simple  

Another interesting aspect of the report is that it shows that, when it comes to security technology, more is not always better. Excessive use of third parties, extensive cloud migration, and system complexity all increase the cost of a data breach. It’s therefore important to minimize the complexity of your security technologies where possible.  

Conclusion

All in all, business owners can’t just cross their fingers and hope nothing bad happens. This past year, the chances of a company experiencing a breach within two years increased to nearly 30% — a statistic that has jumped by a third in just five years. As the report shows, preparing now can greatly reduce the financial impact if the worst does happen. The thought of experiencing a data breach is enough to make anyone feel powerless, but, from impact reduction to a fully prepared incident response team, there are concrete steps anyone can take to take back control of the situation.

Public Entities Prime Targets for Ransomware

There have been a number of well-publicized ransomware attacks on various public administrations this year. In May, for example, the city of Baltimore discovered a ransomware attack in which a variety of information and services, such as voice mail, email, and a system used to pay water bills, property taxes and vehicle citations, were stolen. The attack also put a halt on at least 1,500 pending home sales.

In essence, ransomware is a form of malware where access to databases or computer systems is blocked until the affected entity pays a sum of money. Often, the attackers will threaten to permanently erase the information if the ransom isn’t paid quickly.

A New Trend

Ransomware attacks on local governments are becoming a real trend. A report published by Recorded Future found that there have been 169 reported ransomware attacks against government agencies since 2013. 

And the number of attacks per year is on the rise. When the report was published in April, there were already 21 government attacks reported in 2019. Since then, ransomware attacks have affected not only Baltimore, but also, among others, Lynn, Massachusetts; Cartersville, Georgia; Georgia’s state court system; and three separate Florida municipalities.

To Pay or Not to Pay

Another finding of the Recorded Future report is that governments are less likely to pay hackers. While 45% of all organizations attacked pay the ransom, only 17% of government agencies reported that they paid.  

Whether or not to pay hackers involves a complicated risk-benefit analysis. Not paying can lead to the permanent erasure of important systems and could cost tens of millions to recover. But while ransoms are generally in the thousands, paying the hackers creates incentive for future ransomware attacks.  

Why are Public Institutions Being Targeted?

So, why are government agencies experiencing all these attacks? Well, as it turns out, they are considered by hackers to be low-hanging fruit. According to Tyler Moore, professor of cybersecurity at the University of Tulsa, “ransomware attacks tend to select victims that rely heavily on information-technology resources, have relatively weak operational cybersecurity practices and have the means to pay substantial ransoms.” And public institutions check all three boxes.

Government agencies are notoriously out of step when it comes to IT. Budgets for IT systems are often too tight for them to keep up. In fact, the Washington Post reported that the Baltimore attack was only successful because the city had not installed freely available security patches and did not regularly back up its information.

Ransomware hackers are opportunistic. After all, why spend the time breaking into well-secured systems when there are plenty of easy-to-access systems out there? Even the most basic security settings can help prevent ransomware attacks. And in the event an attack does happen, creating regular backups of key systems and having a response plan in place will go a long way toward mitigating the effects of an attack.  

Why We Get Phished

Phishing scams continue to be one of the leading forms of cyberattacks experienced by businesses. In fact, a ransomware attack that targeted a QuickBooks cloud hosting firm in July is now believed to have started with a phishing campaign. And according to Proofpoint’s 2019 State of the Phish Report, 83% of respondents said they experienced a phishing attack in 2018 — a 7% increase from 2017. These attacks can be costly. Phishing schemes can lead to financial costs such as fraudulent wire transfers and fines, but can also damage a company’s reputation. After all, who doesn’t know how to spot a phish?

Well, the real reason phishing is so successful isn’t as simple as all that. Fundamentally, this is a form of attack that focuses less on technical vulnerabilities and more on exploiting the weakest link in any security system: us. Phishing scams have been around for a while, so the scammers have had a long time to hone their craft. As such, they’ve developed complex methods that target human behavior and manipulate us into lowering our defenses.

Recipe for a Successful Phish

One article published in the Open Journal of Social Sciences, titled “A Study of Social Engineering in Online Frauds,” dives deep into the human factors that make phishing schemes so successful. In the paper, the authors pinpoint several effective “triggers.” Of these, three of the most prominent are:

Authority 

One method scammers use is to impersonate a person or institution that has authority. This includes using markers such as government agencies or professional titles. Scammers also use “official”-sounding language to create legitimacy, trust, and credibility.

Urgency 

Another successful tactic is to create a sense of urgency. Such emails include urgent language to stress the need for prompt response, and will often say there are negative consequences for no or delayed responses.  

Fear

Phishing scams will also try to provoke fear in the victim. Sometimes these emails will leverage current issues such as natural disasters, health epidemics, or economic concerns. Other times, they will threaten the victim with account suspension or deletion if they don’t take action. 

A Case in Point

One real-world example from a few years ago combined all three of these triggers to successfully target its victims. In 2009, during the height of the swine flu scare, a scammer sent out emails imitating the Centers for Disease Control and Prevention, asking people to enter their personal information to create a vaccination profile. The scam used the authority of the CDC and played on the public fear and sense of urgency about the swine flu to successfully steal personal information.

We’d like to believe that we’re smart enough to identify fake emails, but the truth is scammers are using social and behavioral techniques to stop us from using our better judgement. The best way to combat this is to train yourself and your employees on the latest phishing tactics and to use due diligence when receiving unprompted emails. Taking simple steps like ensuring the sender’s email address is correct, checking the URL of any links before clicking them, and carefully reading the email can save your company money and spare it the public embarrassment that comes with falling victim to such a common form of attack.

Unlocking Strategic Value through Cybersecurity Tiering

One main challenge for implementing proper cybersecurity policies is the fact that there is no one-size-fits-all solution. But, in some respects, this isn’t a bad thing. What solutions a business needs depends on several factors, such as size, industry, and the type of data being stored. If every business followed a single set of security solutions, some would end up over-protecting their assets, while others would be under-protected.

There are, however, a number of widely accepted security standards that strike a balance, giving organizations an outline of what protocols to implement based on their overall business strategy. A good example of this is the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF).

One misunderstood aspect of the NIST Cybersecurity Framework is the use of implementation tiers. Rather than being progressive levels that all businesses should work toward, the tiers exist to relate the firm’s approach to cybersecurity risk management as it exists today with a desired tier level that meets organizational goals and is feasible to implement. Businesses can then go through each control within the framework to address what they are doing today within their current tier context and what they want to be doing to reach their target tier.

The Tiers

Here is a brief outline of NIST’s four tier levels to help your organization begin to evaluate where you stand now, and where you want to be.  

Tier 1: Partial 

Organizations at this tier are considered to have no formalized risk management practice and respond to threats in a sometimes “ad hoc and reactive manner.” On the organizational level, risk management is carried out on an irregular basis and without any set process to share cybersecurity information throughout the organization.

Tier 2: Risk-Informed 

The risk-informed tier is for organizations that have risk management practices approved by management but not necessarily established across all levels of the organization. Cybersecurity processes are prioritized based on the organization’s risk level and business requirements, but are only shared throughout the organization on an informal basis.

Tier 3: Repeatable  

Businesses at this tier have formally approved cybersecurity policies that are well-communicated across all levels of the organization. The organization’s cybersecurity processes are regularly reviewed based on changes in threats and technology. Employees are also properly trained and able to carry out their specific roles related to maintaining the organization’s cybersecurity practices.  

Tier 4: Adaptive  

Finally, organizations in the adaptive tier are those where cybersecurity risk management is a part of the business’s overall culture and that effectively adapt their practices based on lessons learned and predictive indicators. Cybersecurity risk and business objectives are fully integrated across all levels of the organization and are considered when making any business decisions.

Tier as a Strategic Lever

Businesses should not blindly implement cybersecurity controls. Instead, it’s important for organizations to think carefully about their position with regards to risk — from the board level, to governance, to marketing — and make informed decisions on where they want it to be. A benefit of NIST’s tier system is that it can be used to benefit the overall business strategy, and not simply be an exercise in cyber risk management. That’s because a company’s position and goal with regards to any risk (from cyber risk to market risk to capital risk) is an articulation of the value it brings to its stakeholders. If a firm is currently at Tier 1 with regards to its cybersecurity, how does that impact its value proposition to its customers? What limitations does it impose on capital allocation? If the organization worked towards a repeatable tier, what opportunities would be unlocked (and conversely, what markets would it perhaps walk away from)?

Businesses that view the concept of tiers and cybersecurity risk as value creators rather than a compliance exercise will find that it creates sustainable advantages in a marketplace increasingly engaged with and attuned to digital protection and privacy.

The Dark Web: Where Privacy Turns Against Itself

It might sound strange, but in an ideal world we’d all be using the dark web. In essence, the dark web is simply a part of the internet that isn’t indexed by search engines. It requires special software that provides a greater level of privacy than what is traditionally offered online, such as anonymous browsing, multi-layered encryption, and the blocking of online trackers.  

But of course, it’s these very privacy settings that have turned the dark web into a space to buy and sell information that undermines the privacy of individuals and businesses. The dark web gained infamy for being a place to find illegal drugs and guns, but more recently it has increasingly focused on the trading of malware and stolen information. In fact, compared to 2016, there has been a 20% rise in the number of dark net listings that have the potential to cause harm to businesses, with 60% of all listings posing a direct harm to businesses.

What’s on the dark web 

So, what exactly is on the dark web? Earlier this year, Bromium released a report that analyzed listings on some of the most popular dark web marketplaces to better understand the threats to businesses that are being bought and sold. Here is a short summary of their findings:

Network Compromise 

On the dark web, you can actually pay someone to perform hacks and other types of cyberattacks on an organization. For an average of $4,5000, anyone can purchase targeted attacks on an organization, such as denial-of-service (DoS) attacks and remote access trojans (RATs) — a form of malware that gives the hacker administrative control over a network.

Vendors also sell stolen credentials used to remotely access business networks. These typically sell for only $3-$30.  

Financial Compromise  

One of the main forms of financial compromise services sold on the dark web is phishing attacks. For just $40, someone can buy a full-service phishing kit that performs email scams and mirrors legitimate web pages to trick employees into providing financial information to the attacker. But if you don’t want to spring for the whole kit, vendors also sell individual fake websites for less than $1.

Data Compromise  

Perhaps the most popular service offered on the dark web is access to stolen data. This predominantly includes access to stolen credit card and bank account information. According to the 2018 Financial Services Threat Landscape Report, there was a 135% year-over-year increase in financial data sold on the dark web.

But it’s not just credit cards that are being sold. The Bromium report shows that there is a rising amount of sensitive operational data being traded. According to the report, 15% of all data sold on the dark web involves business information such as company emails, financial information, content related to corporate policy or strategy, project costs, and even minutes for corporate meetings.  

What You Can Do

With the growing number of threats up for sale online, it’s important for businesses to take steps to prevent these threats from inflicting damage. As a part of your cybersecurity policy, it’s not a bad idea to include periodic monitoring of dark web marketplaces for malware, targeted attacks, and company or customer data.  

Even though the dark web is hidden from traditional browsers, it’s still public information. Taking time to research what is being sold there can greatly help identify and prevent new threats from affecting your organization.