BreachExchange mailing list archives

How Much Would You Pay to Prevent a Breach?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Feb 2016 18:48:21 -0700

http://recode.net/2016/02/09/how-much-would-you-pay-to-prevent-a-breach/

In a country divided by the upcoming election, President Obama garnered
bipartisan support for a significant budget increase this week: $5 billion
in additional cyber security spending. The one-third increase — to $19
billion in 2017 — marks an initiative from our country’s highest office to
crack down on cyber threats — which are, in Obama’s words, “among the most
urgent dangers to America’s economic and national security.” A similar
attitude prevails on the global stage: The World Economic Forum named cyber
attacks one of the greatest threats to business, above terrorist attacks
and interstate conflict.

The escalated attention to cyber defense couldn’t come sooner, as
government organizations and businesses struggle to prevent some of the
most dangerous types of attacks.

Imagine thieves stealing your company’s computers, demanding money for
their return and putting them through a trash compactor if you decline.
This nightmare is frighteningly close to the reality of cyber ransom.
Victims rarely have any alternative besides giving in to hackers’ demands.
Unfortunately, cyber ransom is one of the more prevalent and lucrative
forms of criminal hacking to threaten companies today.

In the increasingly monetized world of hacking, no target is safe from
criminals holding important files hostage for ransom. One variation of this
service, “ransomware,” is malware that encrypts the files on a computer,
locking the owner out of them until a payment is extorted. Security
professionals have not cracked the code on preventing ransomware attacks:
Experts detected four million samples in the second half of 2015, up from
1.5 million two years ago.

The size and scale of the attacks reflect a new audacity on the part of
perpetrators. In the past year, hackers have carried out ransom attacks on
a British telecom provider, Greek banks, and a United Arab Emirates bank.
In this last case, the bank refused to negotiate, and the hacker publicly
posted the sensitive information of nearly one million customers in
response. In the 21st century, hackers are the bank robbers and data is the
hostage.

To negotiate with hackers?

Contrary to the philosophy of not negotiating with terrorists for fear of
incentivizing future incidents, the FBI has actually recommended that
victims pay ransoms in certain scenarios. While critics claim this strategy
only validates the method as a financially viable solution for hackers,
victims and law enforcement alike are essentially helpless. The economic
argument for dissuading future ransoms doesn’t compel companies faced with
losing access to critical information.

What do the security professionals on the front lines think? The grim
stories of past victims certainly inform the reactions of security
professionals when asked whether they would pay a ransom. Realizing that
their organization’s reputation would be on the line, 24.6 percent of IT
departments reported that they would pay a ransom to prevent a data breach.
We’re not talking about trivial sums, either: 14 percent would pay more
than one million dollars. This amount isn’t surprising when you consider
the enormous financial damage a company suffers in the wake of a breach.
Costs soar beyond tangible expenses from damage to a brand’s reputation.
The average cost of a breach rose to $3.8 million in 2015, not to mention
potentially the jobs of the security staff involved.

Rising price tags drive accountability for breaches

Are we at such a desperate state of cyber security where we’re just waiting
to pay ransom for the next breach? Consumers have grown weary — 63 percent
expect their data to be compromised in the next 12 months. It’s difficult
not to ask the question, “Is something wrong with the way we protect
information?”

While consensus places responsibility for cyber security with the CEO and
board of directors, there is a huge gap between words and action. A global
study of 109 banks found that only 6 percent of board members have
technology experience, and 40 percent of the banks do not have any board
members with a technical background. Lack of oversight at the top is a
recipe for disaster, resulting in failure to properly enforce corporate
governance. Companies may put off upgrading cyber defenses because of the
cost, only to find that they underestimated the financial impact of a data
breach.

Cyber security is embedded in a web of financial incentives, but the
increasing costs of failure, i.e., suffering a data breach, indicate that
companies will be held increasingly accountable for protecting data. For
example, whether or not a company has cyber insurance in place factors into
the decision to pay ransom. Companies with cyber insurance are more willing
to pay up. Cyber insurance costs are rising, however, with certain
companies even evaluated as uninsurable. In the same trend, the European
Union introduced new regulations on protecting customer data — with more
teeth than ever before. The maximum fine increased to €100 million or 5
percent of global revenue, whichever is higher. Combined with the increased
average cost of a breach, it looks like it’s more expensive to be hacked
than ever before.

Outgunned and outmatched?

Simply throwing more money at security does not appear to be the solution,
however, as last year marked an increase in security budgets and breaches.
Criminal hacking has transformed from solo hackers into a true industry
with organized syndicates. These groups have the advantage of innovative,
state-of-the-art tools. Are companies doomed to fall behind hackers in a
cyber arms race?

An entire collaborative ecosystem has developed to support the hacking
economy. There are sleek applications to automate stolen credit card
credentials, and researchers even uncovered a ransomware-as-a-service
(RaaS?) offering. Hackers regularly leverage free consumer cloud services
in attacks against companies with security budgets in the millions of
dollars.

A paradigm shift favoring the good guys may lie in a parallel climate of
innovation on the enterprise side: The consumerization of IT. The federal
Office of Personnel Management, after suffering a blockbuster data breach,
bemoaned the weak security capabilities of the outdated technology in
place. Cloud services are disrupting legacy tech vendors, and not just
because the applications are easier to use for employees. A majority of
companies — 64.9 percent — now consider cloud services as equally or more
secure than traditional legacy software. Many cloud service providers are
innovative, venture-backed startups employing some of the best talent in
the world. Security is their bread and butter, since their entire business
model depends on not getting hacked. Leveraging the latest and greatest
cloud applications gives companies the firepower to keep up with hackers.

An industry analogy compares cyber security to running away from a bear in
the forest: You don’t need to be faster than the bear; you just can’t be
the slowest person running away. The use of emerging technologies for IT
and security is now a competitive differentiator. To bring light to the end
of the cyber security tunnel, companies need to open the door to new
technologies.