How much is enough when it comes to cyber security?
You know the importance of protecting both your valuable data and your customers’ information. It can seem like a never-ending battle – the more security layers you add, the more secure your systems are...but when does too much become counter-productive? According to many "experts" there is no such thing as enough security. In a world where you can spend an unlimited amount on software and services, at what point do additional safety measures become an unnecessary drain on resources or get in the way of customer experience?
Adequate security is largely about managing risk. This should take into account your organization's risk tolerance, budget and ability to implement security controls.
What questions should you ask so you can make an informed decision about how best to protect your company and its stakeholders? Understanding both what you are trying to defend and who you are trying to defend it from is key to a well-balanced cybersecurity strategy.
Why would someone attack your company?
According to Brett Johnson, formerly a member of the FBI's Most Wanted list, there are three primary motivations for cybercrime.
Money is by far the most common motivation. Most small businesses aren't a target for ideologues. There's little status to be gained by attacking a local construction company or accounting firm.
The good news about criminals coming after your money is that it's easier to get them to go somewhere else. Much like the old joke about the camper who takes the time to put on shoes when the bear shows up: you don't have to outrun the bear, only the other camper. Likewise, you don't have to be perfectly secure, you only have to be better secured than other companies. Hackers will always choose the easier target. It's a matter of economics. The same ransom with half the work is just good business.
What is the risk?
Since most cyber attacks are motivated by money, the obvious risks are direct theft of cash (ACH fraud, check fraud, etc.) or extortion. Extortion can take the form of ransomware interrupting a business or the threatened disclosure of confidential company information.
The risk may be purely financial and determined by hours of downtime. The risk may be reputational depending on your industry and required reporting laws. Google will tell you 60% of businesses don't recover from a cyber attack.
Understanding your risk will help you understand how to reduce or mitigate it. Perhaps you could purge data about former clients so a breach would impact fewer people? Perhaps a policy would stop someone in accounting from changing the account number where funds are sent on their own? Perhaps spare hardware or backups would reduce downtime?
What is the value we must protect?
Productivity, trust, confidentiality, reputation?
For some companies, the biggest threat is an interruption to operations. A manufacturing company doesn't hold a lot of confidential data about its customers, but a shutdown of the production line for even a short time can be very expensive. Operational risk is typically less expensive to protect against. For medical practices, their reputation and the confidence placed in them by patients have more long-term value. For a busy accounting practice during tax season, confidentiality is key and lost hours are difficult to recover.
What assets must be protected to preserve that value?
Line of business applications and servers can be protected with backups and redundant hardware. The reputation and trust of your clients require more effort. Wiping hardware and restoring data is much simpler than informing your customers and clients that their personal information has been made public.
What does your insurance company think?
Insurance carriers think you're a target and have a relatively high likelihood of becoming a victim.
Most insurance companies are asking a lot more questions on applications. That's obvious. It's possible to gain some insight by looking at premiums, loss limits and loss ratios. If an insurance company targets a 15% loss rate and limits occurrences to $100,000 (check your policy!), they need to collect close to $700,000 in premiums for each claim they pay. Cyber insurance policies are selling for between $5,000 and $15,000 a year. Depending on what you pay for cyber insurance, you can estimate how likely the carrier thinks it is that you will have a claim: somewhere between 1 in 44 and 1 in 133.