By Paolo Del Nibletto
“You don’t know what you don’t know.” It sounds trite, but it’s true. You probably don’t realize that a dormant crypto-locker malware file is sitting quietly, undetected, on a computer or server. All it needs is the right moment or the right command. Like Clint Eastwood’s Dirty Harry character said in the movie Magnum Force: “A man has got to know his limitations.” Organizations – no matter the size – need to determine their limitations from a security standpoint.
Organizations that have not checked their overall cybersecurity posture are effectively asking for trouble. Broader vulnerability assessments and more targeted penetration tests are effective starting points from which to shore up cyber defences. Besides ransomware, which hit new heights during the COVID-19 pandemic, a major problem facing organizations is data breaches. Data breaches often lead to irrecoverable financial losses, reputation hits, business losses, talent losses, and general stress and embarrassment. There are many more reasons, but this list focuses on six reasons an organization should assess its security (in no particular order).
1. Identifying Risk Within the Organization
This should be a common practice for your IT team. It easy to be lulled into a false sense of security just because nothing bad has happened yet. It is foolish at best, and negligent at worst to take immunity from cyber threats for granted. Conducting yearly or semi-annual security risk assessments either internally or through a trusted partner will provide an extra layer of security insights, which can be used to protect against data breaches. Many of the threats affecting small and medium businesses aren’t even targeted. Like Covid-19, attacks move from one person or organization to another. No organization is immune to a talented hacker who is determined to infiltrate your systems for fun or profit, hackers look for security gaps, and you should do the same. By understanding and knowing what gaps you have, you can make most of the necessary fixes and take the low hanging fruit out of harm’s way.
To put it simply, there are two methods to assess security risk. The first is called a Penetration Test – more commonly known as a Pen Test. Pen Tests are an active attempt to hack or access networks, websites, applications, conducted by an ethical hacker – one of the good guys. It is a real cyber-attack that targets a specific area, or it can be broad and open ended. From this test, IT managers or chief security officers will get a detailed look at how well the security systems, networks and applications in place are performing along with identifying vulnerabilities within the system. It also informs the organization of their strengths and whether they are adhering to current compliance and security policies, which is also quite valuable.
The second method is called a vulnerability scan, and these tests are meant to be fast, passive, high, and wide across the organization. This approach compares a current state to accepted minimum standards, leading to a grade of how good your security is. These assessments take into account the currency and completeness of patching, availability of easily exploitable ports, scanning for known malicious applications, and susceptibility to common attack methods like SQL injections.
2. Avoid Security Breaches
Data breaches are expensive. According to the annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, the average total cost of a data breach is just under $4 million US. For an SMB business, this would sound the death-knell. For mid to large enterprises, it can lead to a severe disruption in business that could have lasting effects. But depending on the type of organization, it could be worse. Ponemon found that for healthcare providers, a data breach averages $6.45 million. The average data record size for data breaches is an outstanding 25,575 records per incident, which would lead to a massive hit on any organization’s reputation and brand.
By conducting a security risk assessment and following through with the recommendations, you can better protect data and avoid the costs associated with a hack. A security assessment will focus on malware analysis, reverse engineering, cryptography, exploit development, offensive and defensive security. A well-crafted assessment will lead to a report laying out clear, actionable insights coupled with effective remediation steps to help organizations lower risk and identify areas requiring improvement.
3. Protecting Your Reputation
According to the Harvard Business Review, an extra star in a restaurant’s Yelp rating increases business between five and nine percent. On the flip side, negative reviews keep customers away in droves. A hit to an organization’s reputation because of a data breach or hack will have a similar, lasting impact, especially if it becomes public. In most cases, companies have to legally announce the breach based on PIPEDA and GDPR laws and regulations. Many organizations aren’t aware that they are subject to laws based on where their customers reside, not just where their corporation is physically or legally registered. The bottom line is that customers will avoid you, or worse, leave you.
Rebuilding a tarnished brand is expensive. By foregoing annual security risk assessments, organizations are gambling with their own future, and more broadly, risking their stakeholders – staff, suppliers, business partners, and company shareholders. It isn’t unheard of for direct and indirect victims to take legal action seeking compensation for their own damages. The fallout continues to staff and the ability to find and retain talent – nobody wants to work for an organization that shows itself to be somewhere between incompetent and ignorant. Share prices have been known to take a hit, which only serves to prolong and aggravate the pain of the original hack. One security breach can put an organization into permanent “Damage Control” that can take years to overcome.
4. Maintaining IT Budgets
Any good CFO should easily conclude that the cost associated with Pen Tests or Vulnerability Scans are a drop in the bucket compared to the wide-ranging losses stemming from a data breach. For example, Canadian businesses are now mandated to reveal if they have succumbed to a data breach if determined that the data under the control of the organization has the potential to fall into the wrong hands. A failure to report these breaches, even seemingly innocent violations, can lead to fines of up to $100,000 under the Personal Information Protection and Electronic Documents Act (PIPEDA). The majority of organizations do not budget for PIPEDA fines and the such. Potential lawsuits are also a factor and recovering data also eats into the budget. While some might be tempted to think that cyber security insurance will pick up the tab, think again. Merck & Co found out the hard way when their insurance company turned down their claim for $1.5 billion. By scheduling a security assessment, you can build that into your budget and avoid surprises. Your organization’s budget and cash flow are more at risk if you don’t invest in proactive systems and programs like; security monitoring, security identification and event management system (SIEM), or Layer 7 firewalls, and often most overlooked, user education.
5. Avoid Violating Privacy and Data Laws
As in the previous reason, six-figure fines can be avoided by an annual security risk assessment. The PIPEDA fine is a six-figure sum, and penalties from other compliance/privacy acts are not cheaper. Violators of the GDPR (General Data Protection Regulation for the European Union) can risk fines of up to 20 Million Euros. Then there’s SOX (Sarbanes-Oxley Act), HIPAA (the US Health Insurance Portability and Accountability Act), and there are even state-run laws such as CCPA (California Consumer Privacy Act). Then, there is the LGPD, a new act that comes into effect next month from Brazil. LGPD stands for Lei Geral de Protecao de Dados Pessoais) or Brazil’s General Data Protection Law. LGPD, like the EU’s GDP protects Brazilians’ data, no matter where that data is stored. Think about a Brazilian tourist shopping at a store using a credit card, then the store being hacked leading to credit card fraud against the tourist. In theory, the store is liable for those damages. The efficacy and implementation of these laws remain to be seen, but there are other punitive measures countries can take against offenders such as blocking their websites at a country level.
6. Increase Productivity Levels
Finally, if your organization is infected with a virus or hit with ransomware your employees’ overall performance and productivity will suffer. Take a minute to think about how effective your business is during a power or internet outage. Now multiply that by the number of days and add some indirect costs and future losses for good measure. By doing a security assessment and implementing up-to-date security protocols, you ensure productivity levels, while reducing risks. According to a Ponemon, the most significant impact of an attack may be in end-user productivity losses because the IT systems are not functioning. As organizations embrace digital transformation and cloud-based systems along with the rise of the remote worker because of the COVID-19 pandemic, this risk only increases. SaaS models mean businesses are now subject to multiple sources of failure in their operations and activities. Imagine if a cloud hosted accounting suite were taken offline by hackers – no invoices, no cash tracking and much more.
Jolera has a variety of assessment options available to help identify possible weaknesses and exploits and determine possible real-life outcomes of a successful attack. If you’re interested in learning more contact us for more information.