While the growing risk of cyber attacks is relatively well known, it appears that organisations are still unaware of the full financial and reputational costs that a data breach can bring. Indeed, a recent survey conducted by the Ponemon Institute revealed that organisations are underestimating the long-term financial costs and time it takes to recover from a breach by up to a half.
Existing contracts and prospective business opportunities are at stake, therefore it is crucial that organisations open their eyes and become fully aware of the consequences in order to take the necessary steps to protect the data that they have been entrusted with.
A major issue is that there is a serious discrepancy between what organisations perceive to be the repercussions of failed security and what they actually are. While it is no secret that organisations are becoming more anxious about the possibility of a breach, by undermining the consequences, organisations are failing to prepare themselves as they should.
Being alert to the threats and psychological techniques used by cybercriminals is essential if an organisation is to successfully address any potential security gaps, such as employee ignorance. For example, despite 48 percent of UK organisations who have suffered a breach stating it damaged their reputation (with nearly a third forced to downsize due to a loss of customers), 58 percent of those who have not yet become a victim still believe their reputation would be untarnished.
In addition, it is not just existing business contracts that are at stake – so too are future revenue opportunities. With sophisticated and emerging methods of attack, such as spear phishing, ransomware – where a computer is held hostage until the victim pays a requested sum of money – and zero-day malware posing such a huge threat to security, it could be disastrous to underestimate the long-term impact of failed security – and in turn, spend less time and money on defending the network.
What is worrying is that a growing number of organisations are not just experiencing one breach, but often three, four, or even more, suggesting that they are simply not taking the severity of a data breach as seriously as they should. If they realised that the average cost of customer acquisition rises by £91,985 after a breach, the time and effort placed into combating an attack would probably be much higher.
Currently, nearly three quarters of UK organisations use informal observations from supervisors and managers to assess security risk, with only five percent using internal or external audits. This is a relatively lax way of identifying security threats. With regards to how much money is spent, organisations only tend to dedicate an average of 13 percent of the total IT budget to security, which, when considering that the likelihood of an attack is high, is an arguably low proportion.
However, while this may be lower than expected, what is most important is how this is invested. It is absolutely critical that investment is directed at the most suitable defences against modern day threats. Indeed, even if 50 percent of the budget is invested in security solutions, it would do no good if they are inadequate to protect against these sophisticated threats. It is much more important to ensure any budget is invested in a solution that will ultimately protect confidential data amid today’s rapidly changing threat patterns.
Ignorance is not bliss
Essentially, organisations need to consider themselves at war with the ‘bad guys’. A war involves working out your opponent’s tactics and building up a defence should they attack – and this is exactly what is happening in today’s world of cybercrime.
Cybercriminals are simply looking for weaknesses or holes within organisational security strategies and then exploiting them. The first line of defence for any organisation is to pre-empt the hacker’s next move, which is why raising awareness and educating employees is crucial. By knowing what to look out for, organisations are less likely to fall victim, placing them in an already strong position.
As a result, one of the biggest pitfalls for an organisation is ignorance. With stories of high-profile breaches published daily, there is no excuse for nonchalance when it comes to understanding exactly what is at stake and what they need to do to defend themselves. Organisations need to know what the full repercussions are in order to appropriately readdress existing security practices and ensure they are as well protected as possible.
As well as raising employee awareness of cybercriminal tactics, organisations must consider a more holistic approach to security. Businesses are without doubt more vulnerable than ever, meaning they cannot afford to become absent-minded and rely solely on outdated perimeter solutions.
Today’s threats are just too sophisticated. Instead, they must invest in a layered security suite that includes application control and system-restore methods. By understanding today’s attacks and acknowledging the consequences, organisations will be fully prepared should malicious malware infiltrate the network – a likely occurrence if you go by today’s news stories.