How Much Does It Cost to Protect an Organization from Cybercrime?

$15 million per year is the mean annualized cost if you don’t protect yourself, based on 58 benchmarked organizations according to a study by Ponemon Institute in 2015. 2014’s mean cost per benchmarked organization was $12.7 million. Thus, we observe a $2.7 million (19 percent) increase in mean value. The net increase over six years in the cost of cyber crime is 82 percent.

Figure one shows an average annualized cost per sector (1 Million omitted)

chart-3

The same study concluded that the cost breakdown for:

  • Internal activities is 31% for detection, 24% for recovery, 15% for investigation, 13% for containment, 9% for exposure post response and 8% for incident management

chart-1

  • Activity cost by specific cost component is 25% for direct labor, 23% for cash layout, 23% for productivity loss, 13% for overhead, 15% for indirect labor and 1% other.

chart-2

I know these are numbers from 2015, but isn’t it fair to assume that the cost will only increase, especially considering that the rate and sophistication of hackings has gone up? I mean, just take a look at the worlds biggest data breaches.

The 2016 Verizon Data Breach Report found that about 50% of breaches targeted, or better said, occurred on servers. The remaining cause for breaches are split up between devices (30%), users (15%) and Networking, Media and Terminals (less than 5%).

However, that is just the tip of the iceberg. State-sponsored hackers are increasing their attacks on corporate targets. The sophistication of financially-motivated cybercriminals has increased significantly in the past few years. And, it’s now easier and cheaper than ever for criminals to launch cyberattacks. Children’s toys, refrigerators, network cameras and other “low tech” network attached devices can be hacked by a 12 year old. Just remember the recent outage of Twitter, Spotify, SoundCloud and other sites caused by IoT devices. To add to that, between 300,000 and 1 million cybersecurity jobs are currently vacant. We are lacking the talent to fix all the holes in corporate America’s cyberdefenses.

So what can you do? Trust no one!!!

Your corporate perimeter is dissolving. There is no such thing as a secure network. The notion that a firewall or a DLP device protects you is outdated. You need protection across your entire enterprise that includes everything, even the “trusted” parts of the network. Google and others are starting to build security protocols on a “zero trust” model: making the assumption that devices and especially people connecting to “trusted” networks cannot be trusted any more than anyone else on the Internet.

Yet, while all cloud service providers have excellent basic protections, there are weaknesses. So, you share responsibility for your own security with your cloud provider. For example, unless your IT department or the Line of business owner is vigilant, a terminated employee, more often than not, continues to have access to Salesforce, Office 365, Google drive and other data for weeks or months after they’ve left the company, making the ex-employee a target for outside hackers — or a threat in their own right. Wouldn’t it make sense at this point to implement a federation system, so access to all those resources is protected by OTP and can be turned off all at once to avoid the pesky 15 million dollar cost of a hack altogether?

Now let me take this a step further. Verizon found that 63% of confirmed data breaches involved a weak, stolen or default password… The last being the most embarrassing, because that is the most avoidable. The key finding was,

“Static credentials continue to be targeted by several of the top hacking action varieties and malware functionalities.”

Or another example 13 million Mac keeper Users got exposed because

“The database had been inadvertently exposed as a result of a server misconfiguration.”

All the above shows that you should make sure to protect your servers, not allowing any external access and most important use OTP, MFA and best of all a tool that would allow you to manage your passwords in such a way that no one knows the password in the first place and has to go through a workflow to gain access to said passwords.

As stated earlier, 50% of the breaches involve or are targeted at servers, 63% involve weak, stolen or default passwords. Centrify Server Suite (CSS) with DirectSecure, as well as Centrify Privilege Service (CPS), can protect the application credentials. Furthermore, CPS can manage app to app, sever and resources credentials, and Centrify Identity Service (CIS) can be used to control login via Active Directory accounts to access those managed credentials — so you can sit back and relax because I am sure that the cost of protecting yourself is less than 15 million which is what a single breach could cost you.

Learn more about the Centrify Identity Platform here