Betting on Black (Hats)
By: Tyler Jack
What is risky to you? Quitting a job to chase your dream career? Going skydiving? Spending a day without your cell phone?
Depending on whom you ask, you will get varying answers. What some find risky, others are more than willing to take chances on. Individuals value things differently, and it can be hard to determine what is universally risky.
The same can be said about companies. You cannot easily determine what is risky for every business, so there is no single solution that protects all businesses from threats.
However, there is good news. When it comes to assessing your own business, it is not difficult to determine what type of safeguards you should implement. By asking a few questions you can begin to determine what your company values:
What is critical to your business's operation?
What can you not afford to have happen?
What are your most important assets?
Once you answer these questions, value your critical assets, and determine what is most important to your business, you can then plan how to best protect them against cyber attacks. Simple, right?
Unfortunately, companies continue to ignore the many warning signs. Hackers have been exploiting vulnerabilities within businesses for decades, and yet many companies continue to roll the dice when it comes to their security.
“It won’t happen to me.”
“I will worry about it when it happens.”
“Paying for security is not a priority of ours.”
Even if your business has not been a target yet, there is a high likelihood that you, or someone you know, has been a victim of an attack. Whether it was an email account, a social media profile, or a credit card number, individuals continue to brush off what seem to be minor inconveniences.
“When it comes to experiencing a data breach, the odds are as high as 1 in 4.”
- Ponemon Institute 2017 Cost of a Data Breach Study
“A majority of Americans (64%) have personally experienced a major data breach.”
- Pew Research Center
The same goes for businesses: even with the countless stories and articles in the news, companies continue to bet against the hacker. It raises a real question that needs answering. Why do so many people continue to take chances against the black hats?
Breach Fatigue
One could argue that people are so used to these breaches that they have become apathetic. An increasing number of people have become numb to the news and feel there is nothing they can do. An overused and misleading phrase is “It’s not if you will be hacked, but when.” Although your chances of being a target continue to increase, that does not mean you cannot reduce your overall risk.
Lack of Understanding
Another common reason people continue to take a risk is a poor understanding of their current safeguards. If you believe a firewall and antivirus are enough, you are an attacker's best friend. If you don’t understand how attackers work and which solutions are best for your business, you are taking a giant risk.
Associated Costs
The more obvious answer is cost. Management is in charge of allocating a budget to different areas of a company to ensure its growth. If you have not been a target in the past, it can be hard to justify spending money on cyber security practices. Maybe you believe that even if you were hacked, dealing with it would be the smaller financial burden. If that is the case, I challenge those companies to look a little deeper into the actual monetary cost of a breach.
What are hackers after? Depending on your company, it could be PII, PHI, intellectual property, physical assets, and even banking information.
Although hackers may gain access to your information and assets, other costs are often overlooked: downtime, negative PR, lost revenue, loss of customer confidence, and potentially even being forced to close your business.
“The average consolidated total cost of a data breach is $3.62 million. In the U.S., the cost of a data breach was $7.35 million.”
- Ponemon Institute 2017 Cost of a Data Breach Study
“Close to half of all data breaches (47%) were caused by malicious or criminal attacks, resulting in an average of $156 per record to resolve.”
- Ponemon Institute 2017 Cost of a Data Breach Study
It is important to find the balance between cost and benefit. Determine the value of what you need to protect and take a thorough look at the risks and vulnerabilities; this will help you determine how much to spend.
So how much security is enough? Just enough. It is important to run a cost-benefit analysis to determine how much money your business should spend. You do not want to overspend or underspend.
A few methodologies that can be used to determine this are:
- COBIT 5
- NIST SP 800-30
Once you know your asset values, you then need to estimate the probability and impact of specific events. This will help you determine which preventative measures give the best return on your investment. It’s a lot like insurance: the cost of protecting your company is far less than the financial burden a breach could impose.
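As an added illustration of the asset value, probability and impact calculation described above (example code written for this article, not part of the original post and not taken from COBIT 5 or NIST SP 800-30), the following uses the standard annualized loss expectancy model: SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence, and return on security investment (ROSI) = (ALE saved − control cost) / control cost. The scenario, the asset values, the probabilities and the control costs are all constructed sample figures, and the `Scenario`/`Control` names are assumptions of this example.

```python
"""Quantitative risk ranking of candidate safeguards (added example).

Model (standard ALE/ROSI formulas, not from the post itself):
    SLE  = asset_value * exposure_factor   # loss from one incident
    ALE  = SLE * aro                       # expected loss per year
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost
All figures below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # dollar value of the asset at risk (constructed)
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # expected number of incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of running the safeguard (constructed)
    aro_reduction: float    # fraction by which it cuts the rate of occurrence
    ef_reduction: float     # fraction by which it cuts the exposure factor


def single_loss_expectancy(s: Scenario) -> float:
    """Expected loss from a single occurrence of the scenario."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """Expected loss per year: how much the scenario costs you on average."""
    return single_loss_expectancy(s) * s.aro


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario once the control is in place (same asset, lower EF/ARO)."""
    return Scenario(
        name=s.name,
        asset_value=s.asset_value,
        exposure_factor=s.exposure_factor * (1.0 - c.ef_reduction),
        aro=s.aro * (1.0 - c.aro_reduction),
    )


def rosi(s: Scenario, c: Control) -> float:
    """Net yearly saving per dollar spent; negative means the control costs more than it saves."""
    if c.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    saved = annualized_loss_expectancy(s) - annualized_loss_expectancy(apply_control(s, c))
    return (saved - c.annual_cost) / c.annual_cost


def rank_controls(s: Scenario, controls: List[Control]) -> List[Control]:
    """Controls ordered best-first by ROSI, i.e. best return on the security budget."""
    return sorted(controls, key=lambda c: rosi(s, c), reverse=True)


# Constructed sample: a customer database worth $500k, a ransomware-style
# incident that destroys 40% of its value, expected once every four years.
CUSTOMER_DB = Scenario("customer database", asset_value=500_000,
                       exposure_factor=0.40, aro=0.25)

# Constructed candidate safeguards with assumed effects and costs.
CANDIDATES = [
    Control("tested offline backups", annual_cost=8_000,
            aro_reduction=0.0, ef_reduction=0.75),
    Control("user awareness training", annual_cost=5_000,
            aro_reduction=0.40, ef_reduction=0.0),
    Control("premium security appliance", annual_cost=60_000,
            aro_reduction=0.50, ef_reduction=0.50),
]


def ranked_names() -> List[str]:
    """Names of the candidate controls, best ROSI first, for the sample scenario."""
    return [c.name for c in rank_controls(CUSTOMER_DB, CANDIDATES)]


if __name__ == "__main__":
    print(f"ALE without controls: ${annualized_loss_expectancy(CUSTOMER_DB):,.0f}")
    for c in rank_controls(CUSTOMER_DB, CANDIDATES):
        print(f"{c.name:28s} ROSI = {rosi(CUSTOMER_DB, c):+.2f}")
```

With these figures the two cheap controls each return several times their cost, while the most expensive option has a negative ROSI: it reduces the loss as much as the backups do but costs more than it saves, which is exactly the overspending the cost-benefit analysis is meant to catch.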
There are a variety of ways to help safeguard your business from potential threats:
- Vulnerability Assessments
- Penetration Test
- Tabletop Exercises / Threat Simulation
- Code Audits
- Use a VPN everywhere
- Educate Your Users
- Set Up Policies, Procedures, and Guidelines
- Have an Incident Response Plan
- Have functional backups, tested frequently
- Use Encryption for sensitive data
- Strong Password Policies
- Evaluate the security practices of your vendors
There is no magic solution that works for every company. That is why it is important to take a deep look at what your company values and study what a potential breach would cost your company. Until businesses truly understand what is at stake, they will continue to ignore the odds and gamble with their businesses.