The summer of 2017 is shaping up to be the season of ransomware. High-profile and wide-ranging attacks are grabbing attention but leaving many businesses numb without clear direction on the costs of a data breach and how they can move toward better protection.
In a recent webinar, guest Aberdeen analyst Derek Brink reviewed quantitative analysis that helps senior leaders approach risk management in an informed way and calibrate their cyber security investments appropriately. But unless a company has already suffered seriously as a result of an attack, it can be tricky to understand the true size and scope of the problem.
Let's begin with some crucial definitions. An incident is any attempt to compromise the confidentiality, integrity, or availability of an asset. A breach is any incident that is successful. Finally, risk is the combination of the likelihood of an incident and the consequences of a breach.
In our webinar, Brink highlighted a comprehensive study by Verizon that analyzed cyber attacks in 2017. Their data cataloged 10,000 separate incidents between January and May. Of those incidents, 61 percent resulted in a confirmed breach, which illustrates the level of risk that companies are exposed to. At this point, any company that is not taking serious steps to manage this risk is flirting with disaster.
The Myth of the Small Fish
The Verizon study went on to analyze the likelihood of a breach based on the size of the company. And for companies with 1,000 employees or fewer, the likelihood was calculated at 72 percent. Conversely, the likelihood for the largest companies was 47 percent.
That may seem counter-intuitive at first, but you only need to think like an attacker to understand why the smallest companies make the most appealing targets. These companies have fewer staff, fewer cyber security resources, and fewer dollars to invest. In short, they are easy targets.
For small companies, the first half of the risk equation (likelihood) is much higher. Unfortunately, the second half (impact) is as well. When a small company is hit by a cyber attack, the consequences tend to be as broad and deep as they can be, and it is not uncommon for them to be existential.
In addition to having fewer means to prevent an attack, small companies have fewer means to mitigate an attack. If and when a breach happens, the impact on revenue, reputation, and resolve is devastating.
Making the Most of Limited Resources
The dilemma for small companies is that even if they appropriately understand the risk of a cyber attack, they have limited means to invest in prevention and protection. That requires decision makers to understand where threats are coming from, what kind of vulnerabilities they are targeting and which threat vectors demand priority.
Email phishing and malware attacks are among the leading vectors. A modest investment in training and user education can do a lot to keep incidents from turning into breaches. But it will never stop 100 percent of the issues: modern attacks are sophisticated enough that even a trained eye often fails to spot the red flags.
Prevention is important, but it must be combined with detection and response strategies as well. That takes more than training, but investing in the necessary resources is a mission-critical expense for even the smallest companies.
If you're still struggling to make the business case for opening up the purse strings, just take a quick look at the recent past. By all indications, the summer of 2017 will soon be overshadowed by the breaches being planned and carried out right now.
For a deeper dive into this topic, watch the archived webinar Life’s a Breach: Risks of an Email Attack