[BreachExchange] How Can 73 Percent of Companies Not Be Prepared for Hackers?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 23 10:20:14 EST 2018


A new report reveals a stunning level of apathy about cybersecurity among
businesses in five nations under continuous attack by hackers.

Chicago-based insurance company Hiscox commissioned a survey of more than
4,100 organizations and found that 7 out of 10 were not prepared for a

This institutional lethargy persists even in the face of steadily rising
cyber threats, as highlighted in consultancy Risk Based Security's 2017
Data Breach QuickView Report issued earlier this month. That report tallied
up 5,207 breaches, and over 7.8 billion records exposed in 2017, surpassing
previous high marks for both by more than 20 percent.

Indeed, some 45 percent of the executives and IT professionals who took the
Hiscox poll said their organizations--based in the US, UK, Germany, Spain
and the Netherlands--experienced at least one cyberattack in the past year,
and two-thirds of those attacked suffered two or more attacks.

This is the back story to the never-ending parade of high-profile data
breaches that hit the daily news cycle with numbing regularity. Equifax,
Yahoo, Uber et al. remind us how even large enterprises--companies that
spend millions on security--routinely fail at defending their networks and
protecting their customers' private information.

The Hiscox study found the costs of cybercrime ranged as high as $25
million for one U.S. incident, and $20 million for individual attacks in
Germany and the UK. The average cost for all attacks reported by the poll
takers: $229,000.

Haves, Have-Nots

There's no question cybersecurity is a complex, continually evolving
challenge. Just as clearly, the substantial collective defenses put up by
the business and government sectors--an annual $93 billion global market
for cybersecurity products and services--aren't enough.

To be sure, there are innovative technical solutions and best practices
standards aplenty. But somehow the much-discussed combination of
technology, processes and training, a combination that is known to slow
cyberattacks, has not yet taken root in our collective approaches to

"Despite the criticality of security, it is becoming a world of haves and
have-nots," observes Brian NeSmith, CEO of Arctic Wolf, which supplies
security services to smaller businesses. "It's a problem that cannot be
solved by just buying products because it requires a level of in-depth
expertise and dedicated personnel."

On average the 4,100 companies participating in the Hiscox survey reported
spending $11.2 million a year on IT, with 10.5 percent of that budget spent
on cybersecurity. Smaller firms, in particular organizations with fewer
than 250 employees, tended to devote a smaller proportion of their IT
budgets to cybersecurity--9.8 percent on average versus 12.2 percent for
larger organizations.

If you're not flabbergasted, you should be. First of all, the idea that
cybersecurity is a subset of IT is about as respectable as the idea that
non-securitized mortgage derivatives are the best way to invest your
child's college fund. Cybersecurity should be the starting point, and it
should have global oversight within an organization.

Network disruptions and data theft tend to be much more debilitating to
small and mid-sized businesses than to large enterprises with hefty
resources. "While their IT budgets are likely more modest, smaller firms
need to make sure that an appropriate proportion of this budget is devoted
to cybersecurity," says Dan Burke, Hiscox's head of cyber products in the
U.S. "There are ways to prepare your business that don't require a
significant financial spend."

Well-Defined Strategy

You can do something even if you own a small business. For starters, get
some help crafting and implementing an effective cyber incident response
plan; also, train and encourage your employees to practice cyber hygiene.

While you're at it, look into outsourcing some routine security tasks to a
service provider. There are many out there, and service packages are
steadily becoming more cost effective for smaller firms.

"Security operations center service providers offer many of the things you
need for advanced threat detection and response, replacing the need to
build this capability in-house," offers Arctic Wolf's NeSmith. "Depending
on your budget and needs, going with a service may be the fastest and most
cost-effective way to execute a smarter cybersecurity strategy."

There's no easy answer when it comes to cybersecurity. The Hiscox report is
yet another reminder that we remain entrenched in an escalating war of
attrition that demands our constant attention. At the moment, and for the
immediate future, cyber criminals have the upper hand. This means every
consumer, every employee and every company leader must take privacy and
security much more seriously.

Here's sound counsel from Hiscox's Burke: "Businesses must have a clearly
defined cybersecurity strategy in place. Elements should include a formal
budgeting process, well-defined decision structures and processes, and an
awareness of changing compliance requirements.

"Businesses should engage a broad range of stakeholders . . . part of this
process includes having one or more roles dedicated to cybersecurity with a
dedicated support team, if possible, and making sure this person is
measuring the business impact of any incidents and implementing security