The Real Cost of Cyber-SecurityAccording to a UK goverment-sponsored survey carried out by PwC (information-security-breaches-survey-2015), 74% of small businesses in the UK suffered some form of data breach in 2015. Nearly one third of all businesses surveyed declared that they had performed NO security risk assessment in that time. Obviously these are the headlines in broad strokes, but it's clear that some correlation exists between those things, especially factoring in the other broad statistic: that the cost of data breaches to small business was, on average, between £75,000 and £311,000.
These are fairly worrying statistics, not least because the survey had already filtered out responses from companies who felt unable to answer the questions, for whatever reason.
The cost shown above accounts for such things as material loss of business as the result of a breach, regulatory fines imposed for failing to adequately protect data, business disruption and so on. It's much harder to put a hard number on reputational damage. Customers are increasingly aware of the value of their personal data, and the importance of identity integrity. Any business who fails to protect that data risks losing the trust of those customers - and their business.
I would go a step further: businesses need to understand that they are only stewards of the data, that ultimately data about a particular customer belongs to the customer.
More succinctly, if I'm your customer, it's not your data, it's mine.
What is to be done?The security media seems focussed on the latest zero-day attacks (exploiting vulnerabilities for which no patch or fix is available), coupled with the latest high-profile breaches in industry. Serious vulnerabilities are even being given names, possibly to make them more accessible, resulting in Heartbleed, Shellshock and DROWN.
These are indeed very serious issues, and need to be addressed by anyone using the technologies involved, but I doubt they account for most or even many of the attacks reported by PwC in their report. Without naming names, there have been a number of very high-profile data breaches of late, many of which seem to have been possible due to careless security practises within the companies who were victim to attack. Poor password policies on critical systems, and vague or non-existent security procedures for dealing with things like phishing and malware, seem to have been the primary causes.
These vulnerabilities aren't new, they don't require expensive tech or cutting-edge methods to exploit, but they do exist, and they are dangerous. Not all businesses are at risk from state-sponsored attack, or zero-day exploits, because they are generally expensive to implement. They are certainly expensive to protect against.
Most businesses, on the other hand, are vulnerable to simple automated attacks such as port-scanning, password brute-forcing and 3rd party software version/patch vulnerabilities. These things, by contrast, are relatively easy to identify, and much less expensive to protect against.
Here it comes: the sellIf you got this far, then perhaps you'll forgive me this plug. PerfectCobalt is an Information Security company which specialises in providing an affordable, straightforward service to businesses of all sizes, but particularly small businesses who perhaps are unable to justify spending huge amounts of money on cyber-security. If those businesses instead do nothing, it puts their data, and their customers' data, at risk.
We focus on identifying and advising on common vulnerabilities such as those mentioned above, because they present the largest attack surface, and present the greatest risk.
If you would like to find out more about PerfectCobalt's services, see our website. You can follow our updates on the Twitters as well @PerfectCobalt.