BreachExchange mailing list archives
Business advice: You’ve just been hacked. Here’s why that can be good news.
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Nov 2015 13:50:07 -0700
https://www.washingtonpost.com/news/capital-business/wp/2015/11/12/business-advice-youve-just-been-hacked-heres-why-that-can-be-good-news/

A cybersecurity breach can leave companies, as well as their customers and employees, vulnerable. Furthermore, repairing the damage from the breach can be very expensive. But a major attack can also be good news for companies with gaps in their cybersecurity defenses. Sure, it’s counterintuitive. However, the best way to improve an organization’s cybersecurity might be to have the security gaps exposed sooner rather than later.

Though no system will ever be 100 percent secure, breaches spur the evolution from one stage of cybersecurity technology to the next. This is the economic process of “creative destruction,” a theory coined by economist Joseph Schumpeter in the 1940s. According to Schumpeter, in a capitalistic society, creative destruction is a necessary component of technological innovation and, in turn, economic growth. Cybersecurity breaches, and what follows, provide additional evidence that Schumpeter’s theory is alive and well.

At first, cybersecurity breaches might seem devastating, but they can prevent companies from having even worse things happen later on. And though corporations that experience cyberattacks might see a temporary dip in their stock values and annual profits, the well-managed firms will spring back.

Target is a good example of how the process of creative destruction plays out. In 2013, hackers exploited a vulnerability in the retail giant’s credit card system, stealing information from tens of millions of customers. All the thieves needed was a fraction of a second between when cards were swiped at the register and when the information became encrypted. And yet, as a result of the cybersecurity breach, Target’s cybersecurity has never been stronger. Furthermore, other companies also learned from the breach and upgraded their cybersecurity systems.
Logically, it would seem better for a breach to happen to someone else, so you could learn and react from a safe distance. But hitting close to home doesn’t have the same impact as an attack under your own roof. Even though several companies shored up their cybersecurity after Target’s 2013 breach, many didn’t do as much as Target. Among other security measures, the retailer now uses microchip credit card readers and has new top executives, including a chief information security officer.

This argument is not intended to suggest that organizations should wait to be attacked before they act. It is possible to make informed, calculated investments before a breach. Nearly 15 years ago, we pioneered a framework, commonly referred to as the Gordon-Loeb Model, to help companies figure out how much they should be spending on cybersecurity. The big takeaways from our model are: Don’t invest more than roughly one-third of the amount of money you expect to lose if you have a breach. And don’t automatically spend the most protecting your most vulnerable data.

Companies using the model should follow four steps:

1. Divide their data into segments, and assign each set a value from low to high.
2. Estimate the probability that each set will be breached, and assign a value from low to high vulnerability. By multiplying the value derived in step 1 by the probability in step 2, you get the potential expected loss from a cybersecurity breach to a particular information set.
3. Plot the data sets to identify where the potential for losses exists. Although the process isn’t clear cut, a grid to identify data sets ranging from low value/low vulnerability to high value/high vulnerability can be helpful.
4. Put your cybersecurity dollars where they will be most productive. Keep investing until the costs outweigh the losses if you were to experience a cybersecurity breach.
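The four steps above, worked through in code as an added illustration (not part of the article or the Gordon-Loeb authors' own material): the information sets, their values, breach probabilities, grid thresholds and the budget are all constructed sample inputs, and the one-third cap is the article's rule of thumb applied per set.

```python
from dataclasses import dataclass

# Article's rule of thumb: spend at most roughly one-third of expected loss.
GORDON_LOEB_FRACTION = 1.0 / 3.0


@dataclass
class InfoSet:
    name: str
    value: float        # step 1: loss if this set is breached (currency units)
    probability: float  # step 2: estimated probability of breach in the period

    def expected_loss(self) -> float:
        # step 2: value x probability = potential expected loss for this set
        return self.value * self.probability

    def max_spend(self) -> float:
        # cap: never invest more than ~1/3 of the expected loss
        return GORDON_LOEB_FRACTION * self.expected_loss()


def grid_cell(s: InfoSet, value_split: float, prob_split: float) -> str:
    # step 3: place the set on a low/high value x low/high vulnerability grid
    v = "high value" if s.value >= value_split else "low value"
    p = "high vulnerability" if s.probability >= prob_split else "low vulnerability"
    return f"{v}/{p}"


def allocate(sets, budget):
    # step 4: fund sets in order of expected loss (most productive first),
    # each capped by the one-third rule, until the budget is exhausted
    plan, remaining = {}, budget
    for s in sorted(sets, key=lambda x: x.expected_loss(), reverse=True):
        spend = min(s.max_spend(), remaining)
        plan[s.name] = round(spend, 2)
        remaining -= spend
    return plan, round(remaining, 2)


# Constructed sample inputs (hypothetical figures, not from the article).
SAMPLE = [
    InfoSet("cardholder data", value=10_000_000, probability=0.05),
    InfoSet("HR records", value=2_000_000, probability=0.20),
    InfoSet("marketing assets", value=200_000, probability=0.40),
    InfoSet("public web content", value=50_000, probability=0.60),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.name, grid_cell(s, 1_000_000, 0.30), s.expected_loss(), s.max_spend())
    print(allocate(SAMPLE, 250_000))
```

Note that the most vulnerable set (public web content, 60 percent) receives nothing under this budget, which is the article's second takeaway in action: spending follows expected loss, not vulnerability alone.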
Even after those informed, calculated investments, if your firm does become the next victim of the cybersecurity breach du jour, know it doesn’t have to kill your organization. In most cases it will make the firm stronger.