Few industries have fared well during the coronavirus pandemic.
As you would expect, most of the industries that have either stayed afloat or managed to capitalize on the crisis were those that generated a significant portion of their revenue from online sales. Online shopping, food delivery services, entertainment, gaming, e-learning, dating, and videoconferencing were amongst the industries that made the most gains during these troubled times.
Businesses offering products or services that can be used at home, such as home fitness equipment, have also managed to scrape through.
For most other industries, COVID-19 has been as much help as a fart in a spacesuit.
It goes without saying that the tourist industry has taken a huge blow. Airlines, ferries, hotels, bars, restaurants, amusement parks and casinos have all suffered. And this is just the tip of the iceberg. Industries such as steel, road haulage, horticulture, charities, motion picture, sound recording, sports, performing arts, dentists and laundry services are all struggling to cope, with many independent high-street shops closing down completely.
The cyber-security industry, however, is a special case.
In the event of a recession, businesses would likely cut cyber-security spending as it would not be seen as a priority. However, given that increasingly more people are working from home, maintaining a robust security strategy has never been so important.
The Paradigm Shift
The main problem with allowing employees to work remotely relates to the loss of visibility and control. For example, we have less visibility and control over the security protocols that our employees follow, which includes the devices they use and the Wi-Fi networks they use to access the company network.
Additionally, it may be helpful to know if an employee is unhappy with their job, as we may be able to address the problem, and thus potentially reduce the likelihood that they will turn “rogue”. Without having direct contact with our employees, we will be less likely to spot any unusual behaviour.
Under this new paradigm, perimeter-based security solutions, such as firewalls and intrusion prevention systems, are not as effective as they once were.
After all, when your employees are spread across different locations, perhaps even different countries, and your data is spread across multiple networks and platforms, the moat-castle security paradigm becomes practically redundant.
For many organizations, adjusting their security strategy to solve these problems will inevitably require additional investment to ensure that their staff are sufficiently trained to deal with the myriad of new threats, as well as ensuring that they have the necessary technologies in place to be able to monitor all events that take place concerning their critical assets. They need as much visibility as possible into who is accessing the company network, the devices they are using, and whether they are authorized to access the requested resources.
They should also collect and correlate additional information such as when, why, and for how long they are accessing certain resources. Ideally, companies should leverage the latest real-time auditing solutions which use machine learning algorithms to learn usage patterns and generate real-time alerts when usage patterns deviate beyond a certain threshold.
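As an added illustration of the monitoring idea above (not code from Lepide or any product), the sketch below learns a per-user baseline from access events and flags events that deviate from it. It swaps the machine learning the text mentions for a plain statistical baseline (observed resources, hour range, and a z-score on session length); the event fields, user names and the threshold of 3.0 are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, resource, hour_of_day, minutes_connected)
HISTORY = [
    ("alice", "finance-share", 9, 30), ("alice", "finance-share", 10, 35),
    ("alice", "finance-share", 14, 28), ("alice", "hr-portal", 11, 12),
    ("alice", "finance-share", 15, 32), ("alice", "hr-portal", 16, 10),
    ("bob", "build-server", 8, 120), ("bob", "build-server", 13, 110),
    ("bob", "build-server", 17, 130), ("bob", "wiki", 9, 15),
]

def build_baseline(history):
    """Learn, per user, the resources used, the hours seen and duration stats."""
    raw = defaultdict(lambda: {"resources": set(), "hours": set(), "durations": []})
    for user, resource, hour, minutes in history:
        raw[user]["resources"].add(resource)
        raw[user]["hours"].add(hour)
        raw[user]["durations"].append(minutes)
    baseline = {}
    for user, b in raw.items():
        baseline[user] = {
            "resources": b["resources"],
            "hours": (min(b["hours"]), max(b["hours"])),
            "mean": mean(b["durations"]),
            # Guard against a zero deviation when all sessions are equal length.
            "std": pstdev(b["durations"]) or 1.0,
        }
    return baseline

def score_event(baseline, event, z_threshold=3.0):
    """Return the reasons an access event deviates from the user's baseline."""
    user, resource, hour, minutes = event
    profile = baseline.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if resource not in profile["resources"]:
        reasons.append("new resource")
    lo, hi = profile["hours"]
    if not lo <= hour <= hi:
        reasons.append("unusual hour")
    # Alert only when session length deviates beyond the chosen threshold.
    if abs(minutes - profile["mean"]) / profile["std"] > z_threshold:
        reasons.append("unusual duration")
    return reasons
```

An event that returns an empty list matches the learned pattern; any non-empty list is a candidate alert for review.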
The Probability and Cost of a Data Breach
According to a recent report by Gartner, worldwide spending on information security and risk management is predicted to grow by 2.4% in 2020. However, it should be noted that this is below the previous estimate of 8.7%, which suggests that cyber-security spending is actually slowing down in the aftermath of the pandemic.
The tough decision that many cash-strapped companies need to make is whether spending on cyber-security should go up, down or stay the same.
To frame the question a different way: how essential is cyber-security in relation to other, potentially more profitable endeavours? To answer this question, we need to assess both the likelihood and the consequences of a data breach.
According to the 2017 Cost of a Data Breach Study by IBM and the Ponemon Institute, the probability that an organization will experience a data breach is 27.7 percent, compared with 25.6 percent in 2016. And it's more than likely that this number has increased since 2017.
The report also shows that data breaches are growing in size, although the costs associated with the breaches are falling, as businesses are able to identify and contain breaches in a shorter amount of time.
IBM and the Ponemon Institute have recently published the 2020 Cost of a Data Breach Report, which states that the average cost of a data breach in 2020 is $3.86 million. Of course, this doesn’t mean that there is a 30% chance that your organization will be required to shell out nearly $4 million in 2020, as these figures are distorted by a relatively small number of high-profile breaches.
Not only that, but both the likelihood and the cost of a breach can vary significantly from country to country, and from industry to industry.
We also need to examine where these costs come from. After all, some organizations may decide to cut spending, and were they to fall victim to a breach, simply keep quiet about it in order to avoid any potential fines and lawsuits. This might sound like a good plan; however, it’s not quite that straightforward. For example, what happens if you are hit by a ransomware attack? If your business is not sufficiently prepared, you will either have to pay the ransom, or lose access to your data. Either way, this could be enough to pull your business under.
Don’t Forget About Compliance
One factor that plays an important role in determining how costly a data breach could be is the amount of regulation that applies to your industry. For example, healthcare and financial services are heavily regulated industries. If your business belongs to either of these industries, it’s fair to say, cyber-security is not optional. A failure to comply with the relevant laws could result in huge fines. Under the GDPR, fines can be as much as 20 million euros, or 4% of annual turnover, whichever is greater.
Why Are Data Breaches So Costly?
According to the above report, data breaches involving PII (Personally Identifiable Information) were the costliest, which accounted for approximately 80% of the breaches in the study. However, employee PII was said to be the least likely to get compromised.
Approximately 40% of data breach costs were down to other factors such as loss of business due to reputational damage, system downtime and other remediation costs.
It should also be noted that the faster an organization is able to detect and respond to a security incident, the less costly it will be. According to the report, organizations that were able to detect and contain a breach in under 200 days after infection spent on average $1.1 million less.
The obvious conclusion we can draw from this is that, while cutting cyber-security budgets may seem like a sensible move when times are tough, there’s a good chance it could backfire, and end up costing more than what was initially saved.
At Lepide, we fully believe that data security is essential, and that it’s only a matter of time before attackers (from the inside or out) turn their attention to your business. To protect yourself, find out where your most sensitive data is, what makes it sensitive, who is accessing it and how people are interacting with it.