BreachExchange mailing list archives

Cybersecurity: How Much is Enough?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Sep 2015 13:38:54 -0600

http://www.jdsupra.com/legalnews/cybersecurity-how-much-is-enough-21574/

The year 2015 may go down in history as the year of the hacker. Though not
a new phenomenon, high profile hack-related stories have managed to capture
headlines almost every month of 2015. On the eve of the New Year, the world
was abuzz with news that hackers had committed an unprecedented attack on
Sony Corporation that culminated in the publication of thousands of
sensitive e-mails. Shortly thereafter, hackers compromised the personal
information of nearly 100 million Anthem customers and employees. The
United States government also came under attack when hackers managed to
steal information from both the IRS and the Office of Personnel Management.
And, most notoriously, the dating website Ashley Madison suffered a data
breach that resulted in the disclosure of roughly 30 gigabytes of data
containing sensitive information about its customers and business
operations. These stories represent only the tip of the iceberg, and more
than three months still remain in the year.

In light of the broad spectrum of industries affected by these attacks, no
company should feel immune from cybersecurity threats. But recognizing the
threat is easy. Formulating a response is more complicated.

As with any other initiative, a business’s information security program
must be cost-effective. A cost-effective program, however, does not
necessarily result in an effective program.

At least two factors appear to constrain cybersecurity initiatives. First,
businesses and the hackers interested in attacking them share an asymmetric
relationship that sharply favors the hackers. As one report from the Wall
Street Journal explained, “It is a lot cheaper to hack than defend a
hack.” Businesses are relatively large, sitting targets with numerous
exploitable vulnerabilities. And hackers are elusive enemies that can
explore and exploit those vulnerabilities before a business even knows they
exist. Hackers therefore possess a strategic advantage. The WSJ article
describes the limitations companies face under these circumstances: “For $1
million, [a hacker] could assemble a team that could hack into nearly any
target. But $1 million wouldn’t be nearly enough for a company to defend
itself.” The takeaway: 100% impenetrable security is impossible, and blind
pursuit of it would be cost prohibitive.

Second, the recent experiences of companies affected by data breaches do
not suggest that the cost of such a breach necessarily warrants massive
additional investment in data protection. As CBS’s Moneywatch reports, the
point-of-sale breach that hit one major big-box retailer in 2014 cost the
company $105 million after insurance coverage and tax deductions. This
retailer’s total revenue in 2014 was $72.61 billion. Thus, the direct
losses from the data breach equaled roughly 0.1 percent of its revenue. The
article also suggests that it took Sony a little less than six months to
repair its reputation following the 2014 hack. Even Ashley Madison, a
company almost entirely dependent upon privacy and discretion, recently
announced that its business has continued to grow in spite of the massive
and embarrassing breach that occurred just over two months ago.

And there’s one more thing to consider – although many high profile data
breach lawsuits have ended in settlements, in which the defendants have
obviously chosen just to try to stop the madness rather than continue to
litigate on multiple fronts, to date there has not been a single
adjudicated case finding a company liable to consumers for a data breach –
not one single verdict – despite 10 years of litigation. In fact, as we
have previously pointed out, despite all the consumer class action lawsuits
that have been filed, not one such suit has resulted in a class being
certified. These cases are marked by intense motion practice at the early
stages and, in more rare circumstances, interlocutory appeals. But, thus
far, none of them have resulted in big dollars awarded by a jury.

These observations require businesses to conduct a balancing act that
raises the question: how much data security is enough? Insufficient
security may expose the company to reputational risk and possibly liability
in the event of an attack. But too much investment in security will almost
certainly result in waste, as no data security system can ever promise
complete protection.

There is no one-size-fits-all answer. Every business should resolve the
issue based on an assessment of its own unique circumstances and risk,
including a reliable and thorough methodology for assessing its current
data security. What kind of data is the organization collecting? What’s the
potential exposure if it’s the “test case” for the next theory of
liability? What type of insurance coverage is available, and how much does
it cost? What’s the reputational risk? What’s available to spend on data
security from a budget perspective? How quickly can upgrades to security be
implemented? Companies that rely heavily on privacy will obviously invest
more in data security than those that don’t. A large public company may opt
for a more economical approach that appeases shareholders, whereas a smaller
entity is less equipped to withstand a major blow to its reputation.
Certainly, every company, regardless of size, should shift as much risk to
insurance as possible and prepare in advance to respond to the inevitable
data breach so that it can mitigate and live through the consequences of an
incident when (not if) it occurs.

At least for now, the decision may have as much to do with optics as it
does reality. Because, in reality, every company is susceptible to an
attack, and determined, persistent hackers are very hard to stop
indefinitely. There is a cost-benefit analysis that must be done when it
comes to data security and managing risk. It’s a fact of life, and it’s no
different from the cost-benefit analysis that companies – large and small,
public and private – engage in every day, in every other aspect of business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 