Ascribing a real cost to a cybersecurity breach is a major challenge because the impact goes well beyond any tangible cost. In addition to the value of the data stolen and the time and money spent on defending the environment, damage to a corporate brand can be substantial.
A new report from Oxford Economics that was commissioned by the cybersecurity firm CGI does, however, estimate that billions of dollars in shareholder value have been erased directly because of cybersecurity attacks. Apparently, once an organization reveals it has been a victim of a cybersecurity attack, investors tend to lose confidence. Before too long the company finds itself essentially being victimized again as the value of its shares falls.
Despite a material impact involving billions of dollars, organizations are still conflicted over who is responsible for IT security inside their organizations. A recent report published by BAE Systems found that a third of C-level executives believe responsibility for data breaches lies squarely on the IT organization. But 50 percent of the IT professionals participating in that same survey said responsibility for those breaches resides with senior managers.
Obviously, everyone is collectively responsible for data security. The trouble is that most organizations don’t do a very good job of focusing their security efforts on their most important assets. Instead, there’s a tendency to broadly implement a complex set of policies and procedures that most end users are never going to follow. When the inevitable breach occurs, most cybersecurity and IT professionals get so caught up in fighting to maintain security that very few of them have taken the time to think through how any given crisis could have been averted in the first place.
Naturally, talking about fire prevention is not nearly as exciting as fighting a fire. Many cybersecurity professionals are hooked on the adrenaline rush they get from combatting cybercriminals. Educating end users about what steps are of critical importance when it comes to protecting strategic assets is something of a bore. And yet, when all things are considered, it may very well turn out that those education efforts are going to be more effective in terms of saving intellectual property and protecting shareholder value.
Unfortunately, many cybersecurity professionals are convinced that the average end user is irresponsible when it comes to accessing data. Whether it’s using public WiFi networks or email systems from service providers such as Yahoo, the average cybersecurity professional often feels their warnings are falling on deaf ears.
Alas, end users have become inured to those warnings because in their minds they are always making a tradeoff between following a complex set of rules and the convenience of getting an immediate task accomplished. Not factored high enough in that calculus is the dollar value of the assets that might be compromised. Because of that issue, organizations need to do a much better job of, first, explaining to end users what’s at stake and, second, implementing a less stringent set of protocols around data that doesn’t have that much strategic value. Trying to treat all data as being of equal value only guarantees failure because when organizations try to defend everything, they wind up defending nothing.
The cybersecurity war these days is being won and lost at the endpoint. While there are a lot of things an IT organization can do to secure that endpoint, the primary defense of that device still resides not in software but rather in the gray matter of the person employing it to access the organization’s most strategic corporate assets.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.