Businesses Lose Up To Half a Million Due to a Security Breach
By Michael Canavan, Vice President of Enterprise Engineering at Kaspersky Lab North America
The recent Verizon Data Breach Investigations Report indicates that in 60 percent of data breach cases, attackers were able to compromise an organization within minutes. Combine that with the fact that 90 percent of organizations have experienced a cyberattack, and it’s clear that businesses must step up their game when it comes to security. While most can agree that not having proper cybersecurity will negatively impact a company’s bottom line at some point, too many businesses are not doing enough to adequately protect themselves and their customers against cyberattacks. Quite frankly, they’re paying dearly for it.
Kaspersky Lab research found that the average budget required to recover from a security breach is $551,000 for enterprises and $38,000 for small and mid-sized businesses, which includes professional services, such as IT, risk management, lawyers, lost business opportunities, and downtime. In addition to the typical costs that businesses must deal with as a result of a cyberattack, they will also need to address staffing, training, and IT infrastructure upgrades to prevent future incidents from occurring. Those costs could be up to $69,000 for an enterprise and up to $8,000 for a small business. Organizations are putting themselves at risk of losing a great deal of money, considering that cyberattacks are on the rise, and this means the total cost to our economy and, ultimately, to consumers and businesses alike is skyrocketing.
This is not a short-term problem either; we only need to look back to 2014, a year the Ponemon Institute refers to as the “year of the mega breach,” to see more evidence. Incidents in 2014 included the Target breach, during which 40 million credit and debit cards and 70 million records were stolen, including data such as customers’ names, addresses, email addresses, and phone numbers. Other major breaches included Home Depot, which resulted in 56 million unique payment cards being compromised, and the eBay attacks, in which 145 million people were affected.
Regardless of what the headlines say and how much money businesses are at risk of losing in the case of a cyberattack, not everyone is taking heed. In fact, only 50 percent of IT professionals list prevention of security breaches as one of their three major IT concerns, and if news about security breaches comes to be perceived as routine, there is a risk that companies will become desensitized and take breaches less seriously (relative to other priorities). Fortunately, there are many technologies that companies can implement to help secure their data and mitigate the risk of a cyberattack.
First and foremost, a fundamental layer of protection is endpoint security technology. For many people, anti-virus and endpoint security are synonymous, but in reality, the former is now a subset of the latter. Today’s endpoint security technologies include many components that are now critical to stopping breaches, including anti-malware, firewall, application control, web control, encryption, vulnerability management and patching, network admissions control, behavioral analysis, and device control, just to name a few. What is surprising is how many companies have yet to implement these forms of protection, especially when they are now included in their endpoint security purchases. In addition to endpoint security, companies should ensure that they have other security layers on their networks, in their data centers, in their cloud deployments, on their mobile devices and in their operations systems infrastructure. If these technologies are implemented in concert with each other in a balanced way, effective protection is possible.
There’s no need to panic, but there’s a need to act. Businesses must apply more focused efforts on using a risk-based, comprehensive approach to their security strategy, and should use readily available, time-tested technologies that have demonstrated track records and regularly place highest in independent tests. At the same time, general awareness of the need for security has never been higher, and companies should use this in their efforts to properly educate employees about good security practices and about following the security policies that are already in place. Finally, industry and public policy should provide additional incentives for companies that take these steps and act to better protect us all. The need has never been greater, and to meet it, we must ensure that everyone takes part in making it happen.