In an interview at the HP Protect 2011 conference on Monday, September 12, 2011. Bob Gourley and Tom Reilly, Vice President and General Manger of Enterprise Security at HP, discussed two studies on cyber crime from the Ponemon Institute and Coleman Parks. The median cost to an organization due to cyber attack was $5.9 million a year, 56% more than last year, and the time it takes to resolve the attack was 18 days with an average price tag of $416,000, a 70% increase. Studies reveal that sentiment towards security has been changing. Only 29% of executives said that they had confidence in their organization’s cybersecurity. What do these startling statistics mean for CTOs, CIOs, and CISOs?
While the numbers are interesting, Tom Reilly believes that its the year to year trends that really stand out. A 56% jump in the cost of cyber attacks and a 70% increase in the price of remediation indicate that cyber attacks are more common and more sophisticated. This rise also correlates with the introduction of more cloud and mobile computing in the workplace, which causes an increase in possible attack vectors and vulnerabilities, at least until security catches up to these new developments.
Bob Gourley saw reports on the growing cost of cyber crime as an opportunity to improve. In IT, security professionals are always fighting to justify their budget. Since cyber crime prevention is cheaper than remediation, data like this helps make the case for investing in security to save money. Tom added that, with all of the high-profile cyber attacks in the news this year, not only is security seen as an important corporate issue, but robust security measures can be justified by the impact on brand image of a serious breach.
Bob was less optimistic about the figures on confidence, stating that the 29% who believed in their cyber defenses just don’t know that they’ve already been breached. Those that have experienced large cyber attacks are less confident and understand that they must always be vigilant and constantly improve their security. Tom’s take away was that nobody really knows how secure they are because most corporations can’t measure the effectiveness of their security programs. No company is 100% secure so you have no choice but to assume that you’re already breached.
Since perfect security is impossible especially if an organization wants to take advantage of the cloud and mobility, HP adopted a risk-management approach. They suggest that CTOs, CIOs, and CISOs identify their most valuable data and protect it as best as possible, knowing that other information may be vulnerable. They must also identify their greatest vulnerabilities. Once an organization assumes it has been breached, it needs to gather the security intelligence to understand where and how, then respond correctly to isolate and quarantine the environment for effective remediation.