Another day, another malicious cyberattack? It sometimes seems that we can barely move for headlines about severe corporate data breaches, all too often caused by criminals exploiting existing vulnerabilities in an organisation’s network or processes, or even their security posture and approach.
And the cost of such incidents is not insignificant. The well-respected annual Ponemon Cost of Data Breach Study reported in 2015 that the average total cost of a data breach for a US company is $3.79 million, a figure that has risen substantially since the report began.
Where does this cost come from? The collateral damage from a severe cyberattack can include:
- Loss of customer confidence. End users without a good level of digital trust in a business are highly unlikely to continue sharing their personal information, banking details, and, ultimately, spending money. A high-profile cyberattack can cause a company to haemorrhage customers and therefore revenue.
- Brand or reputational damage. No business wants to be known as sloppy in terms of data security. The PR output necessary to contain and manage a single cybercrime event can be enormous – but even that is dwarfed by the efforts necessary to rebuild brand reputation after the initial incident has taken place.
- Intellectual property loss. Many cybercrime incidents aren’t about wreaking havoc or stealing customers’ details – they aim to steal valuable information internal to the company. If this prevents a new product or service from being launched or patented, the long-term financial impact can be gigantic.
- Stock price. Share prices are liable to plummet after a cyber security incident hits the headlines – leaving a company with potentially millions of shareholders to answer to.
- Regulatory action. In the wake of a damaging security incident, businesses naturally want to fix the vulnerabilities that led to the attack in the first place. But cyber security regulatory bodies will demand far more than a quick fix, with lists of costly actions and regular reviews to put in place.
- Litigation. Compromise customers’ or partner organisations’ information and, sooner or later, somebody will sue. The legal costs of such proceedings, and the compensation businesses may ultimately be liable to pay, can be massive.
It is impossible to completely avoid being a target for cybercrime. Indeed, as the Internet of Things (IoT) landscape flourishes and the networks that corporations are part of become ever more complex, the attack surface grows and the number of vulnerabilities for criminals to seek out keeps increasing. Robert Mueller, former director of the FBI, has argued: “There are only two types of companies: Those that have been hacked, and those that will be.” The days of firewalls and anti-virus software being enough to thwart attacks are long gone.
But there are some principles that all businesses should implement to ensure that their risk is minimised, and that if and when an attack does take place, less information is readily available to be stolen.
Firstly, data security should always be built into a corporate infrastructure from the outset, rather than ‘bolted on’ later. This helps minimise the accidental network vulnerabilities that are all too often cyber criminals’ easiest route in.
Secondly, information should be protected from the moment of creation, rather than only once it enters transit or storage. This is the principle of true end-to-end information security, increasingly a priority in a world of mobile-to-mobile (M2M) communications.
Thirdly, information security tools and processes should be data-centric, so as to cope with the heterogeneous device landscape that characterises the IoT. It is impossible to depend on every separate IoT manufacturer to build watertight security into their devices, especially when new ones are added to networks every second. A data-centric approach leads with securing information, not devices.
These principles have informed the development of Device Authority's Data Encryption Security Platform, a true end-to-end data protection, privacy and encryption solution. We cannot guarantee that cyber criminals will never target your business – but we can certainly make life very difficult for them if they try.