There’s an inconvenient truth in the business community. As many business decision-makers are only too aware, hardly a week seems to go by without a data breach of some form being reported to press, and this year alone has witnessed some major breaches which have affected thousands of people around the world.
Just take a look at the stats. In October last year, DNA testing firmMyHeritage suffered a breachaffecting 92 million people. Fast forward to March this year, and we learnt that the data of87 million Facebook usershad been shared. Then in June,Ticketmaster revealedthat the login information, payment data, addresses, names and phone numbers of almost 40,000 people had been breached. And this was followed at the beginning of September, when hackers got into the systems atBritish Airways,impacting 380,000 transactions.
When they do happen, breaches of all sizes have brutal consequences (even if they are smaller than the examples cited above). Take a look at the retail sector alone – recent studies have shown that 19% of consumers would completely stop spending money with a retailer if the business had been breached, and one-in-three (33%) agreed they’d at least stop shopping there for a while. Can you imagine what losing 19% of your customer base might do to the bottom line? It certainly wouldn’t be a pretty sight.
With new regulations such as the GDPR taking hold, fines are also a big fear factor for business leaders. According to reports, Facebook’s fine for its part in the Cambridge Analytica scandal could have been 1.4bn in the post-GDPR world – a harsh sum even for a global giant like Facebook to stump up. And for small businesses too, the prospect of paying up to 4% of their annual turnover as a fine isn’t a fun one.
Where’s the business case for a budget?
So, the consequences of a data breach – from fines to financial losses and frustrated or deserting customers – are damaging, unnerving, and can put the businesses involved in jeopardy.
Against this backdrop, you might think it’s easy for chief information security officers to justify the need for their budgets. However, recent research[i]from Kaspersky Lab has shown that CISOs are actually struggling to get the budgets they require to fight off the cybercriminals.
There are several reasons for this, including the fact that security is sometimes lumped into the wider IT budget, that budget is being prioritized for digital, cloud or other IT projects, and due to ignorance on the part of the board. However, the most common reason is that it’s hard for CISOs to get budget when they cannot guarantee that their organization will not suffer a breach.
From a business point of view this might make sense, right? After all, if you are a business leader and concentrating on the bottom line, why would you agree to sink budget into a fight that apparently cannot be won? Sensible business protocol dictates that you should only invest where a return is on the cards.
It may sound controversial – to the business leaders reading this, anyway – but, at Kaspersky Lab we think the question: “can you guarantee there won’t be breaches anymore?” isn’t really a question that businesses should be asking. Before we explain why, let’s ask ourselves once again — are breachesreallyinevitable?
What makes cybersecurity breaches unavoidable?
According to our survey results, almost nine-in-ten (86%) CISOs believe that breaches are inevitable. So, what’s behind this certainty?
Well, most enterprises are on a path towards digital transformation, with over half (52%) agreeing that this is the tech trend that will have the biggest impact on the IT security of their organization in the next five years. Digital transformation widens the surface of attack, giving cybercriminals more opportunities to find weaknesses, to creep into systems, and to leak or exploit data. Cloud adoption, the increasing mobility of workforces, and the rise in use of digital channels, are all contributing factors here, increasing the risks.
And this isn’t the only factor that CISOs are up against. What if a malicious insider – an employee perhaps – was to single handedly work against a company, or even combine their efforts with those of an external attacker? To help them through the backdoor, so to speak?
This sort of threat could be especially difficult to identify and prevent in advance. In fact, it’s one of the most feared types of threats among the CISO crowd, with 29% of CISOs agreeing this is the biggest IT security risk facing their organization (second only to concerns about financially motivated cybercrime gangs at 40%).
And while we’re on the topic of financial motivation by the way, if breaching an organization promises to bring substantial gains to the attackers, and those gains exceed the resources they need to organize the attack in the first place, then as far as the criminals are concerned, their efforts are easily justified. They will just keep finding new ways to make their money.
Asking the right questions will lead to the right decisions
There seem to be plenty of reasons – outlined above – why the question ‘can I prevent an attack?’ is not the right one for business leaders to be asking. So whatisthe right question to ask?
Well, if attacks are likely and increasing, the crux of the issue really lies in whether a business can detect an attack quickly enough, and respond comprehensively and quickly enough to minimize its impact.
In other words, it’s becoming increasingly clear that businesses can’t live in the prevention only paradigm anymore. That mindset is simply outdated and out of sync with how businesses today work. When it comes to targeted, highly elaborated attacks, detection and response should instead be the priority.
It’s time to educate business leaders that it’s worth investing in cybersecurity. This is not about guaranteeing the complete prevention of cyber incidents, it’s about raising the price of attack for attackers. It’s about making an attack unaffordable, and not worth their while.
And, more importantly, it’s about getting your perimeter and security team ready to immediately address any attempt to interfere with your organizations’ network. An average breach costs a large enterprise up to $1.23 million — but if you take the necessary measures, this price will drop to a minimum, or even to nothing at all. Now that sounds like a sensible business decision.