We do a lot of work for IT security clients. And the numbers we hear numb the brain. Security researcher Ponemon Institute LLC (not a client) says that almost nine out of ten U.S. companies have suffered at least one security breach. Many don’t even know if or when they’ve been hit. The cost to businesses of exposing data like Social Security and credit-card numbers climbed seven percent between 2010 and 2011 to an average of more than $7 million per incident, according to a study of victim companies. The most expensive attack of 2010 cost an unidentified company $35.3 million, an increase of 15 percent from the costliest breach a year earlier. It was so bad the name of the company remains confidential so as not to alarm customers. While government agencies must be notified, attacks on and losses by many large corporations are never publicly revealed. Costs rise as more states pass laws requiring companies to disclose whenever customers’ personal information is exposed. As of 2011, 46 U.S. states had passed such measures, with varying definitions of a breach, deadlines for notifying customers and punishments for failing to comply. Still, the attacks and the cost of fending them off grow unabated. What’s going on here?
Happily for our clients, business is brisk. Still, one of them admits that the seemingly low return on corporate America’s security dollar is being seen with growing frustration and alarm at the board level. “Companies who question their return on the millions of dollars they’ve invested in IT defenses have every right to be angry,” he said. Of course, our clients have a vested interest in encouraging the upgrade of aging defenses so easily overcome by cyber-criminals today.
We can’t help noticing the irony here. Computer security is a multi-billion-dollar industry employing some of the most brilliant technologists on the planet. They labor hard to stay a step ahead of the bad guys who, just like terrorists, only have to be successful once, while techno-sleuths and defenders must succeed 100% of the time. Yet, as found by Verizon and reported yesterday in Network World, in 97% of breaches last year, attackers used remarkably simple methods to break in. In other words, many organizations are overlooking basic precautions even as their security systems grow more complex. In four out of five attacks on businesses last year, bad guys preyed on so-called victims of opportunity. Like muggers who look for an unsuspecting or distracted target in crimes of opportunity, cyber-attackers scan for companies that may not be properly utilizing the defenses they have or whose passwords fail the tough-to-guess test.
To us in the business of marketing some truly amazing preventive technology, Verizon’s findings are a real eye-opener. Here’s hoping they can open more corporate-security eyes as well. The chain around the company’s digital assets is only as strong as the weakest link. And the bad guys are experts in finding it.