A new study by the Centre for Economics and Business Research (CEBR) has revealed that hacking is costing UK businesses some £34bn a year. The CEBR said that the £34bn is split between £18bn in lost revenue owing to the attacks and £16bn in extra investment in security systems: Visit HERE
In response to the findings of the study below are the comments from security experts at Tripwire, Imperva, ESET and Proofpoint :
Lamar Bailey, director of security R&D at Tripwire:
“UK businesses are spending about as much on security as they are loosing in revenue due to attacks this calls into question the ROI for all theses security products. Businesses need to invest in integrating products and controls into their business practices instead of just buying a lot of products that are not integrated. When organizations buy a lot of products without integration they wind up with data overload and this makes it hard to prioritize and respond to vulnerabilities and threats.”
Itsik Mantin, director of security research at Imperva:
“I think these numbers are optimistic, counting only the explicit cost of hacking, but ignoring the implicit cost, which can be as high. Breaches have significant impact on the hacked brand, and on the readiness of the end user to deposit his privacy in the hands of this brand.
Furthermore, from an industry perspective, every breach affects the overall trust of individuals in computerized systems. The list of breaches from the last couple of years, show that cyber-attacks are here to stay, and their volume and impact will continue to grow. Regulation equivalent to the US breach disclosure law, covering breaches involving personal identifiable information (PII) can be an important step towards joint efforts to improve the situation. However, the battle will continue, and the most important lesson is that if you won’t protect your system it will be hacked, and that predicting the impact of this hack is close to impossible.”
Mark James, security specialist at ESET:
“It’s no surprise that this much money is being lost/invested in cyber-attacks. Sadly, business today still do not see the viable threat of an attack by cyber means. It’s still seen as something that only happens to the “big guys”, our data is not important or our business is too small to be of consequence. The sad truth is, all data has a value and all companies have a risk they must accept. Therefore, they must ensure they have means in place to not only thwart these types of attacks, but should also have processes in place to monitor data movement. Cyber-attacks should be considered alongside staff security issues as well as a clear defined statement in the staff manual. Regular information and training, if necessary, should be on hand as your staff are your weakest link but could also be your strongest defence.”
Mike Smart, security strategist at Proofpoint:
‘Organisations of all sizes should take note of this report. Those organisations that fare better than others against the tide of hackers and attackers are those that see past a prevention-only approach. Most of us will acknowledge that there is always a risk of an attacker getting through our defences; ‘we have to right every time, they have to get it right just once’!
Whilst it is always necessary to continue to review and update your defences (in terms of process and technologies) to maintain the best level of defences, organisations also need to be better prepared – for example ensure you have a response plan, and just like conducting regular fire drills to test systems, processes and employee awareness, organisations should hold regular ‘Cyber Drills’.
Understanding areas of vulnerability and risk (like staff awareness, vulnerable process and technologies) and then building a plan to remediate these vulnerabilities will reduce the likelihood of an attack, or will minimise the impact of an attack.
But once we get over the hurdle and acknowledge there is no such thing as risk-free IT, then the next logical step is detection. How quickly can we detect something is wrong and remediate this? New advanced detection technologies and tools are essential to find those hard to see attacks, but it’s also just as important to be prepared to respond as quickly and decisively as possible.
The best response plans ensure we have good people with the right skills, good technology to present insight and visibility into the impact and scope of the attack and good process to ensue things run smoothly.
This sometimes seems out of reach to the smaller organisation, but on the contrary, even the smallest business can be better prepared: it could be as simple as having a phone number ready that they can call in the event that something happens so they can bring in the right people to help contain attacks.’
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.