Protega Blog

What is the true cost of a Cyber Breach? Find out what our Regional Sales Manager, Tim Newland, has to say on the topic

Terry Swan - Friday, December 09, 2016

Written by our Regional Sales Manager, Tim Newland, and published in the Australian Security Magazine

What IS the true cost of a Cyber Breach? Having worked in the technology sector for many years, and more recently specialising in the cyber security space, I often read articles around ‘the true cost of a cyber security breach’.

As a security champion and seasoned consultant to both the government and private sector, I feel as if I should be promoting fear mongering and jumping on the bandwagon, applying scare tactics and enforcing this style of selling for financial gain. However, I feel uncomfortable with throwing unsubstantiated numbers around and generalising on events that we know very little or nothing about, especially when it comes to private businesses being compromised.

Having read numerous articles, there seems to be a massive variance here without anyone actually having solid statistics, cross-referenced against all the scenarios. Granted, AHPRA and AGO would have some statistics, but these would only be relevant to a handful of larger organisations that responded to the surveys or have in fact had a reported breach. Again, this doesn’t support the multiple articles substantiating breach costs of A$100k and others suggesting costs up to US$7m. Admittedly, these articles apply to varying organisations based in different locations on a global scale that will be governed by different compliance laws. In essence, the cost of the breach depends on the sector, what has been taken, reputational damage and what the penalties are around this, not excluding the response time needed and other mitigating factors.

I find it hard to make a generalist statement that a breach would cost upward of “x” amount of millions of dollars; these figures would seem to apply to less than 10% of the corporate market (large corporates). The remaining companies wouldn’t be able to afford a breach at that kind of cost; it would fold the company, and I don’t hear a lot about companies going out of business due to a breach (not to say there haven’t been any).

So, removing all the noise and the fear mongering from the equation, there is no simple answer to this. It is hard to track, as the majority of private sector companies are not regulated here in Australia. Perhaps when the mandatory breach notification laws are passed and we have more information, we can accurately make decisions on the actual cost of a breach within specific industry sectors, types of breaches and the knock-on effects this has had on companies. Then, and only then, can we advertise and label a breach with a specific price tag in mind.

Some Managed Security Service Providers (MSSP) may have some statistics and information surrounding breaches, especially if they have a large volume of customers. Although the large volume of customers would still only apply to a small percentage of the market, again, these would be speculative numbers that would generally not be released due to sensitive information and confidentiality issues, nor would it give them the ability to make mass generalisations on the cost of an average breach.

The point here is to not ignore the fear mongering but to take it with a pinch of salt. Do not be complacent and think it will never happen to you because the fact of the matter is, it probably will. Various hacker groups look for SMB companies to test their malware before they hit the large corporates so if anything, this makes the SMB sector a far greater target than the larger institutions.

Ensure you are having regular security health checks and test your critical infrastructure; make sure you have endpoint protection, Next Gen Firewalls and a solid Incident Response Plan in place to deal with the technology aspect and the possibility of a breach. I’d also recommend you have regular and appropriate staff training in place to deal with the human element.

Partner with a security consultancy that takes the time to understand the risks faced by your business and has a great view of your particular industry vertical. Make sure they will be able to identify what specific risks to that particular industry are applicable and understand if there are specific events that have affected organisations in your competitive landscape allowing you to mitigate the risks and bolster your defences where needed, rather than throwing budget into areas that you feel you have to because you have succumbed to the fear mongering!

Mitigating the risk can often be a complex process; some quick wins to be thinking about are: patching applications, restricting admin privileges, application whitelisting and regular reinforcement of training to your staff to prevent phishing attacks – which have proven to be the main instigator of successful cyber-attacks. Be prepared, have a plan and stay ahead of the bad guys as much as you can, but don’t be blind-sided by tactical fear mongering and crafty marketing.

Obstinately clinging to iconic obsolescence

Terry Swan - Friday, November 11, 2016

Protega have been published!

Our Director, James Wootton, has had the following article published in the Australian Security Magazine. Enjoy reading it!

James Wootton

As those around me in the Protega office will tell you, combine information security and a certain clichéd icon or photo-stock image and it’s a recipe that is guaranteed to get me to turn the rage on – the padlock! Put the words cyber and padlock together and Google will churn out around 364,000 results. Everything from the purchase of padlocks to ransomware, to convincing you a solution is secure because of its presence, something a depressingly small number of us know is simply not the case!

I wandered down to my local convenience store, handed over my $8 and purchased a stock brass-bodied padlock. This is one that the public clearly believe does the job because the lady behind the counter told me, it was a ‘good seller’.

It looks the part. A solid brass-bodied, steel-shackled device, oozing safety and confidence; it says it will protect your cherished items! Except a mere 5 seconds later, with only a lock pick and no torsion bar, the lock turned out to be much as expected; all brass, no protection!

But, in the same way your life is shattered the day you discover there is no Santa Claus, every competent locksmith will tell you that the vast majority of padlocks are nothing more than the illusion of security and should be treated with equal scepticism.

I assert that padlocks are therefore the worst possible analogy and, pictorially, the worst possible distortion of acceptable standards for information security.

Let me humour/frighten you with a physical-world analogy, where we recognised decades ago that in the ‘normal’ world, threat prevention and keeping the bad guys out requires a defence-in-depth risk mitigation strategy. A (hopefully) appropriate combination of guards, guns, dogs, walls, gates, locks, alarms, lights, CCTV monitoring and insurance(!) will be involved, dependent upon the appetite for perceived risk versus constraints. Sorry for anyone being taught to suck eggs, but let me explain by picking a risk scenario very real to all of us.

Consider the risks to your family and valuable belongings (assets) in your home. You definitely considered how to keep your family safe, right? You probably considered theft of your assets next; let’s face it, no one wants to lose their 6ct diamond necklace or 1968 ‘Bullitt’ Mustang! To a greater or lesser extent, you probably considered other threats such as fire and storm damage. Thinking about the countermeasures that are deployed to mitigate these risks can be an interesting exercise. Try thinking about the controls deployed in the negative: what haven’t you addressed (gap)?

  • Locks – chosen by the previous occupier, seemed OK when you made the risk assessment, but who has all the keys and are the locks any good?
  • Working Fire alarm?
  • Working Smoke alarms?
  • Secure safe for high value assets?
  • Secure Doors?
  • Secure Windows?
  • Secure garage door?
  • Adequate and appropriate Insurance?

Hands up all those that considered every element of the above and felt they made an accurate assessment of each? Or, did you make a shoulder shrugging gesture whilst thinking, ‘good enough’? Those with their hand up, for starters, shouldn’t take things so literally, but nonetheless, well done! But wait, was your risk assessment based upon evidence, experience, assumptions or perception? Humans are really bad at calculating accurate risk assessments, which is the very reason why society attempts to legislate against stupid activities, likely to harm us or others! Our approach to risk is nevertheless usually the minimum effort and expenditure that convinces us (and our conscience) that we’ve considered the risks and we’ve made a conscious decision, albeit not necessarily having made an accurate one!

So, why do we cling to broken technologies that are woefully inadequate in cyberspace?

Just like the padlock, we probably just don’t understand how much risk we are carrying, because we didn’t want to ask the question or we didn’t know the right question to ask. Any security professional worth their salt will tell you that the typical organisation’s computing devices aren’t protected by the technologies we have become comfortable with (AV, limited endpoint protection etc.), and these aren’t worth the money and time invested in them if they aren’t protecting you from today’s crop of threats. In some organisations I’ve assessed, they have actually increased business risk by weakening their systems, turning off such things as Microsoft Windows Defender/Essentials and continuing to use their preferred third party AV solution, without understanding the consequences of doing so, or assessing if the product even works (it didn’t!). In any case, Anti-Virus doesn’t address today’s user-based ‘social engineering’ attacks and your firewall is unlikely to be designed to either. Sorry to say, vogue cloud-based solutions aren’t the panaceas of information security either. For example, moving a mail solution to Office365 will not prevent the majority of spam and will barely stop the simplest of spear phishing attacks, because that isn’t what it does! Marketing are partly to blame in the mad rush to sell cloud-based systems because they’re secure (usually meaning the communications are secure, via https, and even that’s debatable!)
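The point above about organisations switching off Windows Defender without checking the replacement, together with the “quick wins” listed in the earlier breach-cost post (patching, restricting admin privileges, application whitelisting), comes down to one question: do the controls you think you have actually work? The following read-only PowerShell check is an added example, not code from the article or from Protega. It assumes a Windows 10 / Server 2016 or later host with the Defender, LocalAccounts and AppLocker PowerShell modules present; the thresholds (two local admins, 7-day signature age, 30-day patch age) are assumed values to tune for your own environment.

```powershell
# Added example (not from the article): read-only posture check for the
# quick wins named on this page - is the built-in AV actually on, how many
# local admins exist, is application whitelisting enforced, and when was
# the host last patched. Assumes Windows 10 / Server 2016+ with the
# Defender, LocalAccounts and AppLocker modules available.

$findings = @()

# 1. Is Windows Defender really running, or has it been switched off in
#    favour of a third-party product that may or may not be working?
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled) {
        $findings += "Defender antivirus is disabled - confirm the replacement AV is active and actually detects something (e.g. the EICAR test file)."
    }
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "Defender real-time protection is off."
    }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt 7) {          # 7-day threshold is an assumption
        $findings += "Defender signatures are $([int]$sigAge.TotalDays) days old."
    }
} catch {
    $findings += "Get-MpComputerStatus failed: Defender module absent or service not running."
}

# 2. Restricting admin privileges: list every member of the local
#    Administrators group so that unexpected accounts stand out.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
if ($admins.Count -gt 2) {                  # threshold is an assumption; tune per site
    $findings += "Local Administrators has $($admins.Count) members: $($admins -join ', ')"
}

# 3. Application whitelisting: is at least one AppLocker rule collection
#    in enforcement mode in the effective policy?
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $enforced = @($policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.EnforcementMode -eq 'Enabled' })
    if ($enforced.Count -eq 0) {
        $findings += "No AppLocker rule collection is in Enabled mode - application whitelisting is not enforced."
    }
} catch {
    $findings += "AppLocker policy could not be read (module missing or not supported on this edition)."
}

# 4. Patching: when was the most recent hotfix installed?
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix) {
    $findings += "No hotfix install dates recorded - patch state is unknown."
} elseif ($lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {   # 30-day threshold is an assumption
    $findings += "Last hotfix ($($lastFix.HotFixID)) installed $($lastFix.InstalledOn.ToShortDateString()) - more than 30 days ago."
}

if ($findings.Count -eq 0) {
    Write-Output "No gaps found against the four quick-win checks."
} else {
    $findings | ForEach-Object { Write-Output "GAP: $_" }
}
```

Run it in an elevated PowerShell session on a representative workstation; each “GAP:” line is a control that exists on paper but is not demonstrably working, which is exactly the illusion-of-security problem the padlock analogy describes. The script changes nothing, so it is safe to run as a first pass before a fuller health check.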

Enough rhetoric, present me with a solution already!

Ah, I’m afraid the classic ‘depends’ is my oh-so-clever answer. Not because I’m basking in the glow of my own smugness, but because it depends upon the values of or sensitivity attributed to the assets you want to protect and of course, how risky you’re prepared to be; not forgetting your assessment of residual risk may be suspect! If, like the devotees of the padlock, you just want the illusion of security, then maintain status quo; it’s all good. Don’t be surprised though when your online world comes crashing down and you have no strategy to recover. 

More practically, investigate technologies, procedures, techniques and training that add to your defence-in-depth strategy and don’t buy into the ‘snake oil’ often peddled, especially around ‘cloud’.

From an organisational standpoint, consider elements of the following, balancing bang for buck:

  • Policy overhaul and possibly security accreditations to focus your efforts;
  • User awareness training;
  • Sandboxing and content analysis technologies;
  • Much as I hate the phrase, application aware, next generation firewalls;
  • User and Networking behavioural analytics.

And if you don’t understand how all this bolts together, it’s likely that you aren’t going to address the risks you really need to. After all, you wouldn’t perform surgery yourself, or let a general surgeon loose on your brain. Find an expert, someone that can advise you, someone that you can trust. I know such a person and a company…

AISA Cyber Security National Conference

Terry Swan - Thursday, October 13, 2016
Protega are attending the AISA Cyber Security National Conference today and tomorrow - make sure to say hello if you are here!

Cyber Security Summit 16 in Sydney

Terry Swan - Thursday, September 22, 2016
Protega are excited to be attending the Cyber Security Summit 16 in Sydney today #AusCyberSummit