Let the Hackers In – It’s Cheaper
I recently came upon a story in The Register (UK) that gave me pause.
It asserted that the most cost-effective approach to data security is to let the hackers into your network, let them pilfer your data, and deal with the consequences afterwards. The story referenced a RAND Corporation study published in the Journal of Cybersecurity (Oxford University Press).
The RAND study examined data on 12,000 cyber events. The researchers analyzed the characteristics of these events and compared the resulting losses with other routine organizational costs such as bad debts and fraud. The analysis showed that the number of cyber events and associated legal actions was increasing, but it found only a modest financial impact on organizations suffering a breach. From this, the authors suggested that concerns about data breaches may be overblown.
The RAND study was based solely on publicly available data sources. That is markedly different from the way the Ponemon Institute has studied data breaches for many years: Ponemon uses in-depth qualitative interviews and places the average cost of a breach (across all industries) at $158 per record. Another organization, CSIdentity ("CSID"), has placed the cost of a data breach at $217 per record. Both Ponemon and CSID therefore point to a significant financial impact on organizations suffering a breach. In addition, because RAND relied on public reporting, its methodology may not capture losses from theft of intellectual property, which need not be reported to regulators and so rarely appears in public data sources.
The Register drew a comparison to Ford's 1973 decision not to recall the Ford Pinto, which had a tendency to burst into flames in rear-end collisions. Ford estimated that paying out damages would cost less than performing the recall. When that calculation became public, the Pinto Pitfall resulted in massive financial losses and significant brand damage. The Register took a bit of journalistic license with the analogy; the RAND study essentially made the case for organizations to use limited resources as wisely as possible.
Organizations constantly face the question of how to allocate limited resources to securing data. Risk-based and 80/20 approaches generally produce processes that are both effective and efficient. The Ponemon Institute uses Mean Time to Identify ("MTTI") as a metric of an organization's effectiveness, and effective identification starts with an inventory of where sensitive data is located. That inventory must cover every copy of the data, not just the production system of record, including the copies used for software development and analytics. In most organizations those non-production environments hold five to ten times as much data as the primary production environment. Securing (or eliminating) the copies in these environments lets an organization concentrate its perimeter defenses around operational production systems and avoid its own Pinto Pitfall.
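The inventory step above is where most organizations fall down, so here is a small data-discovery scan as an added example (it is not code from the Register story, the RAND study or Ponemon). It walks a set of constructed, in-memory "environments" (production, development, analytics) looking for card-number-like digit runs validated with the Luhn checksum and for SSN-shaped patterns, then reports where production values have been copied and how many sensitive-data hits sit outside production relative to inside it. The environment names, file paths and contents are invented fixtures; a real scan would walk file shares, repositories and warehouse exports instead.

```python
import re
from collections import defaultdict

# Constructed sample environments: env name -> {path: file contents}.
# Made-up fixtures for this example, not data from any real system.
ENVIRONMENTS = {
    "production": {
        "db/customers.csv": (
            "id,name,pan,ssn\n"
            "1,Ann,4111111111111111,123-45-6789\n"
            "2,Bob,5500000000000004,987-65-4321\n"
        ),
    },
    "development": {
        # A straight copy of the production table used as a test fixture.
        "fixtures/customers_snapshot.csv": (
            "id,name,pan,ssn\n"
            "1,Ann,4111111111111111,123-45-6789\n"
            "2,Bob,5500000000000004,987-65-4321\n"
        ),
        "tests/sample_orders.json": '{"pan": "4111111111111111", "amount": 12.50}\n',
        # 16 digits that fail Luhn: must NOT be reported as a card number.
        "notes/README.md": "Order id 1234567890123456 is not a card number.\n",
    },
    "analytics": {
        "warehouse/customers_2016.parquet.txt": (
            "4111111111111111|123-45-6789\n"
            "5500000000000004|987-65-4321\n"
            "4111111111111111|123-45-6789\n"
        ),
        "notebooks/churn.ipynb": "ssn 987-65-4321 appears in feature set\n",
    },
}

PAN_RE = re.compile(r"\b\d{13,19}\b")          # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US SSN shape


def luhn_valid(digits):
    """Luhn checksum; rejects long digit runs (order ids, timestamps) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, value) pairs found in one file's contents."""
    hits = [("pan", m.group()) for m in PAN_RE.finditer(text) if luhn_valid(m.group())]
    hits += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    return hits


def scan_environments(envs):
    """Build the inventory: env -> list of (path, kind, value) for every hit."""
    return {
        env: [(path, kind, value)
              for path, text in files.items()
              for kind, value in find_sensitive(text)]
        for env, files in envs.items()
    }


def copies_outside_production(inventory, prod="production"):
    """For each value present in production, the non-production (env, path) pairs holding it."""
    prod_values = {value for _, _, value in inventory[prod]}
    locations = defaultdict(set)
    for env, hits in inventory.items():
        if env == prod:
            continue
        for path, _, value in hits:
            if value in prod_values:
                locations[value].add((env, path))
    return {value: sorted(locs) for value, locs in locations.items()}


def hit_ratio(inventory, prod="production"):
    """Sensitive-data hits outside production divided by hits inside it."""
    prod_hits = len(inventory[prod])
    other = sum(len(h) for env, h in inventory.items() if env != prod)
    return other / prod_hits if prod_hits else float("inf")


def mask(value):
    """Never echo full values in a report; keep only the last four characters."""
    return "*" * (len(value) - 4) + value[-4:]


if __name__ == "__main__":
    inv = scan_environments(ENVIRONMENTS)
    for env, hits in inv.items():
        print(f"{env}: {len(hits)} sensitive-data hits")
    for value, locs in copies_outside_production(inv).items():
        print(f"  {mask(value)} copied to {len(locs)} non-production location(s)")
    print(f"non-production/production hit ratio: {hit_ratio(inv):.1f}")
```

Two design points matter in practice: the Luhn check keeps the inventory from drowning in false positives from ordinary long identifiers, and the report masks every value it prints, since a discovery tool that writes full card numbers into its own log has just created one more copy to inventory.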