There’s an old saying that “there’s no such thing as bad publicity.” Unfortunately, this doesn’t ring true when it comes to data breaches and ransomware attacks. High profile security incidents continue to make headlines, and those headlines are impacting bottom lines. In response to these, the US federal government is modernizing its own cybersecurity infrastructure, and more state governments are implementing laws to protect citizens. To stay competitive, businesses need to establish and enforce best practices – starting with modernizing their own security infrastructures.
WHAT’S THE STORY, MORNING GLORY?
2020 was bad enough, bringing increased ransomware attacks as companies needed to establish fully-remote work models. This was just the beginning.
At the end of 2020, security organizations found themselves the victims of a sophisticated hack that impacted more than 30,000 public and private organizations. Even worse, the true impact may not be known for a long time. This hack was the “Big One” that security professionals have been warning everyone about for years.
Then, in May 2021, a ransomware attack caused by a compromised password led to fuel shortages across the southern United States.
And then, the big whammy – managed service providers (MSPs) fell victim to a supply chain attack when a vulnerability in a security detection tool may have affected up to 2,000 organizations.
The story isn’t good. As if a physical pandemic wasn’t bad enough, companies also need to manage digital pandemics.
WHAT’S THE BOTTOM LINE?
Most people focus on the up-front, obvious costs of a data breach. For example, the Cost of a Data Breach Report gives all the gory details:
- $4.24 million: average total cost of a data breach in 2020-2021
- 38%: overall lost business share of costs, mostly from customer churn
- $4.62 million: average cost of a ransomware breach
These numbers don’t look great, but it’s easy to say, “it’s just a one-time loss.”
Except, it’s not, not really.
Data breaches have a longer term impact on an organization’s bottom line than most people realize. Research shows a data breach’s impact on stock prices, finding:
- Average share price fell -8.6% after the first year
- Average share price fell -11.3% after the second year
- Average share price fell -15.6% after the third year
Then there’s additional hidden costs that can be estimated:
- Crisis communications: $14,820
- Defense costs:
- $61,000 for a small to midsize enterprise
- $1.4 million for a large enterprise
- Business interruption: $228,000
The hidden costs of data breaches and their long-term impact to financial stability are often discussed in vague terms. When you put together all the pieces of the financial puzzle, many companies aren’t prepared for the larger-than-expected impact.
LAWS, COMPLIANCE, AND AUDITORS – OH MY!
Legislative bodies and industry standards organizations are taking up the stick, realizing that the carrots haven’t been working. Their goal? Penalize organizations that aren’t maintaining best practices and protecting data.
CALIFORNIA PRIVACY RIGHTS ACT
In November 2020, California voters expanded the California Consumer Privacy Act (CCPA) in several significant ways. Most importantly, the revised legislation includes language that highlights security by adding a new definition “Security and Privacy” that focuses on detecting security incidents that compromise data.
This law also has a private cause of action clause, meaning the consumers can directly sue a company for a data privacy breach.
EXECUTIVE ORDER ON IMPROVING THE NATION’S CYBERSECURITY
In May 2021, this executive order outlined a lot of changes for Federal Civilian Executive Branch (FCEB) agencies – as well as their supply chain. Although it directly impacts agencies, it also impacts any companies sitting in their supply chain.
CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
Although CMMC has been hanging around since 2020, it’s still important to include on the list. Any company that wants to bid on a Department of Defense (DoD) contract needs to meet some kind of certification, even if it’s just proof of best cyber hygiene practices. It sets out five different levels, with the majority of companies falling at either Level 1 or Level 3 requirements. Level 2 is essentially the “making progress” level, you can’t bid on a contract requiring Level 3 certification, but they’re giving you the pat on the back for trying really hard to get there.
SETTING CYBER HYGIENE BEST PRACTICES
Across the board, all of these requirements want to make organizations put best cyber hygiene practices in place. So, what does that look like?
LIMIT ACCESS ACCORDING TO THE PRINCIPLE OF LEAST PRIVILEGE
With “everything-as-a-Service,” access is now a primary security control. This means giving people the least amount of access to resources necessary as long as they can still fulfill their job requirements.
CONTINUOUSLY MONITOR FOR NEW RISKS
Security hygiene means having a process for monitoring networks, applications, devices, and systems for new risks. To protect information, you need to make sure that you’re monitoring for control weaknesses or new vulnerabilities, by reviewing events like:
- Network traffic
- Device health
- User logins
- Password hygiene
DOCUMENTING PRACTICES AND PROCESSES
To comply with mandates, you also need to create security policies and document your activities. Across complex ecosystems, this becomes increasingly difficult for security teams. They need to have practices, processes, and documentation of:
- Security policies
- Device management
- Password management
- Authentication and authorization
- Incident response
However, senior leadership also needs to prove that they understand the risks. This means having appropriate reporting that goes all the way up to the Board of Directors. Communication and documentation are the key to governance, and the way to avoid fines for noncompliance.
GRAYLOG’S CENTRALIZED LOG MANAGEMENT: THE DAM THAT PREVENTS THE FLOOD
The rising tide of security awareness means that companies need a dam to prevent their security teams from drowning in a flood of false alerts. Graylog’s centralized log management solution gives security teams the tools they need to establish and enforce best practices.
With Graylog’s intuitive user interface, security analysts of all skill and experience levels can engage in threat hunting and proactive monitoring. Using Dashboards, they can create visualizations and reports that can be used to communicate security activities to communicate with leadership and prove governance.
As the public becomes more aware of data breaches and ransomware attacks, security becomes more than a compliance box to check. It becomes mission critical to ensuring continued financial stability and revenue growth.