BreachExchange mailing list archives

Business advice: You’ve just been hacked. Here’s why that can be good news.


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Nov 2015 13:50:07 -0700

https://www.washingtonpost.com/news/capital-business/wp/2015/11/12/business-advice-youve-just-been-hacked-heres-why-that-can-be-good-news/

A cybersecurity breach can leave companies, as well as their customers and
employees, vulnerable. Furthermore, repairing the damage from the breach
can be very expensive. But a major attack can also be good news for
companies with gaps in their cybersecurity defenses.

Sure, it’s counterintuitive. However, the best way to improve an
organization’s cybersecurity might be to have the security gaps exposed
sooner rather than later.

Though no system will ever be 100 percent secure, breaches spur the
evolution from one stage of cybersecurity technology to the next. This is
the economic process of “creative destruction,” a theory coined by economist
Joseph Schumpeter in the 1940s. According to Schumpeter, in a capitalistic
society, creative destruction is a necessary component of technological
innovation and, in turn, economic growth. Cybersecurity breaches, and what
follows, provide additional evidence that Schumpeter’s theory is alive and
well.

At first, cybersecurity breaches might seem devastating, but they can
prevent companies from having even worse things happen later on. And though
corporations that experience cyberattacks might see a temporary dip in
their stock values and annual profits, the well-managed firms will spring
back.

Target is a good example of how the process of creative destruction plays
out. Hackers took advantage of the firm’s vulnerability related to the
retail giant’s credit card system in 2013, stealing information from tens
of millions of customers. All the thieves needed was a fraction of a second
between when cards were swiped at the register and when the information
became encrypted.

And yet, as a result of the cybersecurity breach, Target’s cybersecurity
has never been stronger. Furthermore, other companies also learned from the
breach and upgraded their cybersecurity systems.

Logically, it would seem better for a breach to happen to someone else, so
you could learn and react from a safe distance. But hitting close to home
doesn’t have the same impact as an attack under your own roof. Even though
several companies shored up their cybersecurity after Target’s 2013 breach,
many didn’t do as much as Target. Among other security measures, the
retailer now uses microchip credit card readers and has new top executives,
including a chief information security officer.

This argument is not intended to suggest that organizations should wait to
be attacked before they act. It is possible to make informed calculated
investments before a breach. Nearly 15 years ago, we pioneered a framework,
commonly referred to as the Gordon-Loeb Model, to help companies figure out
how much they should be spending on cybersecurity.

The big takeaways from our model are: Don’t invest more than roughly
one-third of the amount of money you expect to lose if you have a breach.
And don’t automatically spend the most protecting your most vulnerable
data. Companies using the model should follow four steps:

1. Divide their data into segments, and assign each set a value from low to
high.

2. Estimate the probability that each set will be breached, and assign a
value from low to high vulnerability. By multiplying the value derived in
step 1 by the probability in step 2, you get the potential expected loss
from a cybersecurity breach to a particular information set.

3. Plot the data sets to identify where the potential for losses exists.
Although the process isn’t clear cut, a grid to identify data sets ranging
from low value/low vulnerability to high value/high vulnerability can be
helpful.

4. Put your cybersecurity dollars where they will be most productive. Keep
investing until the costs outweigh the losses if you were to experience a
cybersecurity breach.

Even after those informed calculated investments, if your firm does become
the next victim of the cybersecurity breach du jour, know it doesn’t have
to kill your organization. In most cases it will make the firm stronger.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
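The four steps above as an added worked example, not part of the article or of this post: step 4 uses the class-I breach-probability function from the published Gordon-Loeb model, and every data set, dollar value, probability and alpha productivity parameter below is constructed for illustration.

```python
# Gordon-Loeb style budgeting over several information sets (steps 1-4 above).
# Constructed example: names, values, vulnerabilities and alpha are invented.
# S(z, v) = v / (alpha*z + 1)**beta is the class-I breach-probability function
# from the published Gordon-Loeb model; everything else is ordinary arithmetic.
from dataclasses import dataclass

@dataclass
class InfoSet:
    name: str
    value: float          # step 1: dollar loss if this set is breached
    vulnerability: float  # step 2: breach probability with no extra spending
    alpha: float          # constructed: productivity of each security dollar
    beta: float = 1.0     # constructed: shape parameter of the class-I function

def expected_loss(s: InfoSet) -> float:
    """Step 2: value multiplied by breach probability."""
    return s.value * s.vulnerability

def grid_cell(s: InfoSet, value_cut: float, vuln_cut: float) -> str:
    """Step 3: position on the low/high value x low/high vulnerability grid."""
    val = "high value" if s.value >= value_cut else "low value"
    vul = "high vulnerability" if s.vulnerability >= vuln_cut else "low vulnerability"
    return f"{val}/{vul}"

def optimal_investment(s: InfoSet) -> float:
    """Step 4: spend until the next dollar saves less than a dollar of loss.
    Solving d/dz [(v - S(z, v)) * L - z] = 0 gives the closed form; a negative
    root means even the first dollar costs more than it saves, so spend 0."""
    L, v, a, b = s.value, s.vulnerability, s.alpha, s.beta
    return max(((v * L * b * a) ** (1 / (b + 1)) - 1) / a, 0.0)

def within_one_third_rule(s: InfoSet) -> bool:
    """The article's rule of thumb. The model's proven bound is 1/e (about 37%)
    of expected loss; with beta = 1 the optimum is at most one quarter of it."""
    return optimal_investment(s) <= expected_loss(s) / 3

def budget_table(sets: list[InfoSet]) -> list[tuple[str, str, float, int]]:
    """Rank sets by expected loss, with grid cell and recommended spend."""
    value_cut = sum(s.value for s in sets) / len(sets)
    vuln_cut = sum(s.vulnerability for s in sets) / len(sets)
    rows = [(s.name, grid_cell(s, value_cut, vuln_cut), expected_loss(s),
             round(optimal_investment(s))) for s in sets]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample: the most vulnerable set is not where most money goes.
SAMPLE = [
    InfoSet("customer card data", 8_000_000, 0.5, alpha=4e-6),
    InfoSet("payroll records", 2_000_000, 0.2, alpha=1e-5),
    InfoSet("marketing drafts", 250_000, 0.9, alpha=1e-5),
]
```

On this sample the payroll set ranks above the far more vulnerable marketing drafts, and every recommended spend stays well under one third of the set's expected loss.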
