The real question is the cost of not having a cyber security plan. We all hate paying our insurance policies. Trust me, it’s one of my pet hates each year when they come around, but let me tell you a story.
In 2011, I had an accident … a big one. I broke my neck. When I left my house that morning I had no intention of breaking my neck, and there are many days since I wish I never left the house at all. But what sort of life is that? Never wanting to leave the house because of what ifs is no life at all. Luckily, I have a good and very persistent insurance broker who, to this day, still reminds me of the importance of my income protection insurance because, while I was incapacitated, I had to use my insurance to supplement my loss of income. I look back at those days and I wasn’t complaining about my insurance policy then. I was utterly relieved that I could continue to support my family and it felt like the best decision I had ever made.
I can draw a number of parallels between insurance and cyber security. Both are only necessary if something happens; the only difference is that insurance protects you against the things that are in your policy (insurance companies are good at inclusions and exclusions!). Unfortunately, hackers aren’t so thoughtful. Taking a conservative approach to your cyber security is no longer a luxury. The Government has recently introduced new legislation called the Data Breach Notification Bill, which applies to any company with revenues over $3 Million. Essentially this legislation is an extension of the Privacy Act: any company that suffers a material data breach, where customer data is lost, stolen, or leaked, has 30 days to investigate the issue and then notify the authorities of the breach. Of course, there are major fines if companies are found not to have complied.
The issue I see in front of many companies, irrespective of their revenue size, is: What constitutes a cyber breach? Let’s go back to my fantastic insurance broker. If he hadn’t put the right controls in place when we were discussing my insurance policy, I might have lost my livelihood. I had no idea what might happen in the future, nor the extent of any potential injury or circumstance. I was at least lucky enough to walk away from my accident. Imagine if I hadn’t and I didn’t have income protection insurance … it sends a shiver down my spine, excuse the pun!
So, not knowing what a cyber breach is and not having the right detection controls in place makes it very hard to know whether you have been breached (cloud or on-premises – it doesn’t matter – data can reside anywhere). There is an argument in the cyber industry at the moment over what is more important – detection or prevention? Personally, I believe you can’t prevent what you’re unaware of, so really both are as important as each other. But it all really boils down to this: What is affordable to at least meet the needs of the new legislation and really protect your customers’ data? You at least owe them that, right? Well, this is your mantra – protect for the future and detect for the unknown.
In recent times, the threat landscape has changed. Historically we built fortress models to protect our applications and their associated data stores. We put a firewall in, built a DMZ – make sure you can see and touch all of your IT assets and she’ll be right! Well, guess what? Enter stage left – THE CLOUD!!! Dropbox, Azure, and AWS have broken this antiquated fortress model apart. The traditional controls we relied on for so many years no longer really work. Hackers get more sophisticated every day, and when you combine that with the sandpit they now have to play in, their badness becomes even harder to detect, let alone prevent. Lately the application itself is the vulnerability: applications which have been around for years are riddled with technical debt, and long-latent vulnerabilities are starting to play out today. Sure, don’t leave home without your firewall and anti-virus, but don’t be surprised when they still let hackers knock on your front door and let themselves in. There are vulnerabilities in code today that will only become exposed in years to come. The vulnerability just hasn’t been found yet; hackers tend to keep these things to themselves and are good at cleaning up their tracks.
So again, you are trying to prevent something that you and the rest of the industry don’t know about yet, hence why I still believe that detection is important. You need to monitor your assets 24/7, and together with your preventative controls this will give you confidence that you have done all you can to protect your assets. As of February next year, companies with more than $3 Million in revenue no longer have a choice. The Government, rightly or wrongly, has taken cyber threats and breaches out of the IT department’s hands and placed them squarely in the board room. That’s right, directors are directly liable if any of their sensitive data is compromised. You can’t detect, and therefore prevent, everything; there is no silver bullet, and you have to continue to operate and grow revenues. Just make sure you have the right insurance policy in place with as many inclusions as possible. Trust me, I’m glad I did.