In the months following the September 11th terrorist attacks, office buildings across America significantly stepped up security resources, policies, and procedures. Guards were placed at every entrance, metal detectors were put in place, and everyone was stopped, checked, and ID’d before entering the building. It didn’t matter if you were in New York or Omaha; the experience was the same everywhere.
Over the past 10 years these extreme security measures slowly started to disappear due to cost, inconvenience and the perception that the threat had dissipated. Today, property managers guard the vast majority of buildings with the least security needed to deter crime while still making us feel as if we are protected. But it is only the perception of a secure environment.
Unfortunately, many organizations follow this same pattern with regard to data security. After a data breach or security incident, businesses often go on a spending spree to implement the latest and greatest security tools, but start letting policies, procedures, and expertise loosen as time passes. Soon, businesses put their guard down and data security programs get lower and lower on the budget priority list, until the next breach occurs. Tier 1 Research recently coined the term “Security Poverty Line” to describe the separation between security haves and have-nots, declaring, “the vast majority of organizations…don't have enough IT or security resources to put even the minimum controls in place”.
This behavior creates a self-destructive downward spiral. Instead of being honest and forthcoming about the harmful effects of a breach, organizations typically downplay the impact of the attack. As a result, peer companies that don’t know better come to believe that a breach is a mere nuisance and an acceptable risk.
Worst of all, this cycle diminishes the sense that adequate funds must be devoted to preventing attacks.
The result? Organizations that lack adequate security funding – especially small and medium-sized businesses (SMBs) – are being targeted by hackers because they are easy prey. As reported in the Verizon 2011 Data Breach Investigations Report, “we saw a virtual explosion of breaches involving smaller organizations”. The report found that more than 57% (436) of its cases were in organizations with 10 to 100 employees.
Therefore, while high-profile breaches targeting large organizations such as Epsilon, Honda, Michael’s, Sony, TJX, and the States of Massachusetts or Texas get the attention, hackers are quietly picking the pockets of hundreds if not thousands of smaller companies. Not only do these attacks go unreported, but the hackers often enter and leave without ever being detected.
So how can IT personnel present a compelling business justification for adequately investing in preventive security measures? Below, I offer some ammunition to share with the corner office.
We Are Under-Valuing Our Data
Years ago, computing pioneer Rear Admiral Grace Hopper said: “Someday, on the corporate balance sheet, there will be an entry which reads, ‘Information’; for in most cases, the information is more valuable than the hardware which processes it.” In the 25 years since that prediction was made, companies continue to regard data management and protection as a costly nuisance rather than a valuable asset.
In the information economy, an organization’s information is its most valuable asset. Once your data has been compromised, those bits and bytes go from being a prized and proprietary asset to being a commodity – bought and sold like pork belly futures. Once you have lost control of that asset, it quickly becomes worthless. Without acknowledging the value of data, it would be difficult to determine what an adequate budget to protect that information should be.
When Joni Mitchell sang, “You don’t know what you’ve got ‘til it’s gone”, she wasn’t referring to secure data, but she might as well have been.
We Are Underestimating Potential Brand Damage
Companies tend to underestimate the value of their brand and the profound impact a breach can have. What is the value of your reputation? What is the value of your brand? Those questions often are met with blank stares.
Business managers must consider brand equity for the same reason that they need to have a firm grip on the underlying value of their tangible assets. Visibility into the value of all assets and liabilities under their stewardship enables management to make sure that those values are protected and maintained.
According to a report by CyberFactors, the Epsilon breach is expected to cost the company as much as $225 million and the 75 companies affected by the breach an additional $412 million. The impact on Epsilon’s reputation is hard to imagine, let alone calculate. Companies spend so much protecting their assets in other ways, with legal representation and lobbyists on Capitol Hill, but they fail to invest in data security because they have difficulty assessing the value of all that can be lost in a breach.
We Are Setting the Bar Too Low
On the plus side, compliance requirements are sure to get the attention of decision makers. However, standards and regulations such as PCI-DSS may do more harm than good in the long run because they set a low bar and provide a false sense that data is being protected. This isn’t completely the fault of the PCI Council; they have the impossible task of setting security standards that cross multiple industries. Security is not a one-size-fits-all product.
Although compliance requirements certainly establish minimum baseline practices for security, anyone who believes these one-dimensional standards will keep hackers at bay will come to regret this assertion.
In conclusion, IT and security leaders can take advantage of the recent rash of high-profile breaches to get their organizations to break the cycle. For most companies, affordability is the primary obstacle to implementing the necessary security infrastructure, gaining access to 24/7 security monitoring and expertise, and ensuring it keeps pace with emerging and evolving threats.
The first step is getting the C-suite to consider the true value of their intangible assets so they can understand what they are risking.
Johnathan Norman is the director of security research with Alert Logic, which provides cloud-powered, managed solutions for security and compliance. He is responsible for leading the vulnerability research, systems automation and systems content teams, and has the unenviable task of keeping products current with new threats and facilitating Alert Logic’s Security Operations Center with new attack detection. You can follow Norman on Twitter @spoofyroot.