Finding the Value

by Hank Berkley
Contributing Editor

There is only one overarching reason to invest in cyber security. It is to save your company money through cost avoidance. That savings might come from avoiding legal expenses from a data breach or from not paying penalties imposed by regulators. These types of losses are frequently the ones presented to justify security spending as they are the most obvious, but they are not likely to be the ones you should be most concerned about.

In the quainter times of a few years ago, people believed in the concept of privacy. The idea is being abandoned as the reality of our world of big data and cell phone tracking is being recognized by more people daily. Twenty years ago, “I Know what You Did Last Summer” was a science fiction film. Today everyone knows what you did. So why are we so focused on protecting information that is already out there?

Last year a marketing company in Florida was required by law to reveal that it had a data breach and a significant amount of personal data was taken. The company probably spent over $50 million to deal with the loss. What seemed to be lost on most people is that this same company would have gladly sold the same data to any company willing to pay for it. The only loss in that situation was that the marketing company did not get paid for the data that it would regularly sell. Individual privacy was not impacted – because there wasn’t any to lose.

Despite the change in the perception of the value of personal data, most compliance regulations focus on this area. Most FUD (fear, uncertainty and doubt) that is spread by security purveyors references the cost per lost data record as their primary cost justification. While there is some truth to this, those costs are declining. On the dark web the cost of buying a stolen credit card or a list of social security numbers has been steadily falling. Notification costs to individuals whose data was compromised are dropping and credit monitoring has become de rigueur. As the value of stolen data drops, hackers are moving to more profitable operations.

Does this mean you should invest less in cyber security? Unfortunately, no. While the cost of data breaches may be going down, the cost of other potential losses is increasing. Ransomware infections can shut down your entire business and most companies are not adequately insured for the loss if at all. Hackers who gain access to manufacturing floor systems can halt production and even destroy equipment. Why would someone try to transfer data out of your business when it can transfer money out of your bank account?

Many executives don’t realize the level of integration between aspects of their own businesses. In fact, many of the decisions to integrate things are made at levels fairly deep in the organization. Who makes the decision about which burglar alarm system to use? Does that person understand that there are intrinsic risks to having an alarm system that is tied to the internet and a cloud provider? Does the office manager who orders a small, desktop printer understand how it potentially opens your infrastructure to malware spread by an employee’s cell phone?

These scenarios are not meant to scare anyone but meant to suggest that having a well planned security program and not just a bunch of point solutions is important. As our businesses become more automated and more integrated, they become a greater target for those looking for financial rewards as well as for those who just want to cause you harm. We need to think more about protecting the places where the bad guys are moving and not where they were. Data breaches continue to be an issue – particularly around intellectual property (IP) – but it should not be the exclusive, or maybe even principle, focus of a cyber security plan.