The ROI Of Cyber Security Compliance

May 13, 2021 | Content Data

Introduction

Cyber Security and compliance management within an organization have become critical considerations.

With more organizations being breached either due to outdated Cyber Security practices or organizations not keeping up with the necessary compliance measures set by NERC CIP, HIPAA, DSS, or PCI.

Organizations are now emphasizing ensuring breaches are less frequent and the proper measures are in place to limit the damage.

"Major events like the 2021 Colonial Pipeline Ransomware attack have spurred the need for strategies to prepare for known and unknown risks."

Cyber Security with an organization is now starting to become more of a C-level initiative instead of just being lumped under all other IT issues. The magnitude of a breach and the rising cost per file compromised has caught C-level executives' attention.

It is no longer an issue they can briefly discuss or assume it is a matter handled by the IT department. Actions and measures need to be updated and upgraded to face and handle the constant attacks many organizations face daily.

Compliance rules and regulations like NERC CIP, HIPAA, PCI, and DSS set within a particular industry are changing faster than years past.

This change is the constant evolution of technology and the ever more dependency on this technology in our daily lives.

Taking actions to protect these technologies and the customers who depend on them is a matter all organizations must prioritize. Organizations need to ensure they are compliant before an incident occurs to avoid the massive cost of non-compliance.

 What is Cyber Security?

"With the growing volume and sophistication of cyberattacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security."

Cyber Security focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction.

Governments, military, corporations, financial institutions, hospitals, and other businesses collect, process, and store a great deal of confidential

information.

The computers that hold this information transmit it across networks to other computers. Measures must be in place to protect it.

The growing volume and sophistication of cyberattacks require ongoing attention to protect sensitive business and personal information and safeguard National Security.

An organization can no longer operate, assuming that its organization is too small for a hacker to want to attack.

What is Compliance

At one time or another, every organization will fall victim to a breach. It must have the proper safeguards to protect its systems and network and minimize the damage when breached.

"Organizations need to realize that compliance is not a one-time event. They need to make it into a repeatable process."

An initiative to comply typically begins as a project. Organizations will race to meet deadlines to abide by these rules and regulations.

These projects will typically consume significant amounts of resources as meeting deadlines become the most crucial objective.

Organizations need to realize that compliance is not a one-time event. Compliance should be a repeatable process.

Repeatable steps are required to sustain compliance with the rules and regulations at a lower cost than the original effort.

The simplest way to comply is only to follow the rules that

have legal consequences for non-compliance and then only meet the minimum requirements to avoid the fines and penalties.

However, many firms fave learned the hard way to go beyond this approach to mitigate risk and create a defensible strategy in the event of falling into non-compliance, or worse, suffering a breach.

When organizations are dealing with the regulations set by their industry, a streamlined process of managing compliance with every one of the initiatives is critical. If not managed and monitored, the costs can spiral out of control, and the risk of non-compliance increases.

The compliance process enables organizations to maintain their standing repeatedly. It allows organizations to sustain compliance on an ongoing basis, at a lower cost, and decrease their chances of becoming non-compliant or suffering an attack.

The evolving world of Cyber Security and compliance

Cyber Security used to be as simple as setting up a wall on the perimeter of your system, and that would be enough to keep the bad guys out.

"Cyber Security used to be an IT department issue, today it's a C-level priority."  

Today though, if you just set up a perimeter, you are not even considered to be doing the bare minimum.

Today, you also need to protect the inside of your network from those already on the inside.

Cyber Security of the past was seen as only an IT department issue, whereas today, it is now a C-level decision.

This shift results from the exponential increase in organizations of all sizes routinely being breached and the impact businesses face from the negative press, which can often be more costly than the breach itself.

The sophistication of the bad guys is outpacing the solutions in place. This forces organizations to stay nimble and to be able to protect against a far more vast range of challenges.

Organizations must continue to review and evaluate what they have in place and decide if they should look to an upgraded solution.

Additionally, organizations are utilizing systems in a variety of new places. The need to protect all digital assets and interests on multiple networks and multiple locations is another significant change.

In the past, Security was limited to the organization's system and network in one location. Today computers, tablets, and cell phones not connected to the corporate offices are on the organization's systems and networks.

New technology locations and connections are fantastic for business, however, they create new challenges that did not exist years ago.

Compliance

"At one time or another, every organization will fall victim to a breach."

The explosive pace of industrialization and technological advancements has exposed many systemic weaknesses that can arise from an increasingly complex global industrial infrastructure.

Combining human competencies with other factors such as computer systems, heavy machinery, chemical or nuclear engineering has demonstrated that unforeseen risks can be a contingency of modern business operations through a series of unfortunate events.

Many of these incidents have led directly to legislation designed to insulate the public, environment, and economy against future disasters.

In the aftermath of disastrous events, governing bodies have enacted Federal workplace regulations, building codes, privacy laws, environmental safety standards, banking reforms, and financial reporting mandates.

The cost of ignoring cyber Security

Today, organizations' most significant security issue is the threat of individuals or groups breaking into their computer systems or network.

Ransomware and data theft are hugely profitable for highly technical organized crime groups and individuals.

This new security concern is growing exponentially and has dwarfed the former priorities primarily focused on on-site theft.

  1. Steve Ragan, Nearly a Billion Records Were Compromised in 2014, CSO (Nov. 17, 2014) http://www.csoonline.com/article/2847269/business-continuity/nearly-abillion-records- were-compromised-in-2014.html.
  2. Internet Security Threat Report 2014 (2013 Trends, Volume 19) Symantec Corporation (2014) https://www.symantec.com/content/en/us/enterprise/other_ resources/b- istr_main_report_v19_21291018.en-us.pdf.
  3. Research Report, 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute (2014).

The growth of data breaches and exposed records is best illustrated by comparing the first and second half of the last ten years. From 2010-2014 just over 3,000 data breaches occurred, exposing over 387 million personal records.

In the most recent five-year period, from 2015-2020, the number of breaches more than doubled to 6,469, with a staggering number of records exposed, totaling just over one billion. (1,026 million).

The number of attacks and compromises continues to grow as thieves and technology get better. The annual cost of the impact of intellectual property theft is estimated somewhere between two hundred and two hundred fifty billion dollars. Additionally, it could cost upwards of two hundred thousand jobs.

The Global Costs

Globally the estimated annual cost of data breaches is upwards of five hundred thirty-eight billion dollars. The price per hour of distributed denial of services attacks is around one hundred thousand dollars.

For an organization, the cost of a breach on average in the United States is around five million eight hundred five thousand dollars.

In the United States, the average cost per compromised file is around two hundred dollars.

These costs do not factor in the costs associated with organizations' measures to restore identity credibility to those who had their personal data compromised.

These costs are realized from credit monitoring services, creating new account information, or even financial compensation due to damages suffered by the victim.

"It is estimated that annually the cost of the impact of theft of intellectual property is somewhere between $200 and 250 billion dollars"

A perfect example of a breach that could have been avoided with essential Cyber Security updates is the breach with the Office of Personnel Management (OPM) within the US government.

In the summer of 2015, it was discovered that the OPM had a data breach. Initial reports were that four million records of current and former civilian agency and military employees were leaked.

When the finally settled and the investigation concluded, the four million ballooned to twenty-one and a half million total records that were compromised, with five million six hundred thousand fingerprint records compromised.

The hackers were able to get all those records due to the data stored on the OPM's system not being encrypted. The data was not encrypted because the system was out of date.

Once the hacker gained access to the system, their ability to extract records was simple. If the system were up to date, the records would have been encrypted, making it a lot harder to decipher the information extracted.

The fallout from this negligence was massive. First, the Director of the OPM, Katherine Archuleta, was forced to resign from her position. Secondly, the government paid twenty million to a firm that would notify the four million people first reported along with eighteen months of credit monitoring.

Then, five months after the breach was publicly disclosed, the government paid an additional one hundred thirty-three million to a firm to notify the remaining victims along with three years of credit monitoring and identity- theft prevention services.

In total, the OPM paid over one hundred fifty million dollars, just to help monitor the victim's identity.

The government still needed to address the systems and all the problems that it had.

US Chief Information Officer, Tony Scot, called for immediate updates and patches of all systems called the 30-day cybersecurity sprint. What this entailed was:

  • "Immediately" deploying so-called indicators, or tell-tale signs of cybercrime operations, into agency anti-malware tools. Specifically, the indicators contain "priority threat-actor techniques, tactics and procedures" that should be used to scan systems and check logs.
  • Patching critical-level software holes "without delay." Each week, agencies receive a list of these security vulnerabilities in the form of DHS Vulnerability Scan Reports.
  • Tightening technological controls and policies for "privileged users," or staff with high-level access to systems. Agencies should cut the number of privileged users; limit the types of computer functions they can perform; restrict the duration of each user's online sessions, presumably to prevent the extraction of large amounts of data; "and ensure that privileged user activities are logged and that such logs are reviewed regularly."
  • Dramatically accelerating widespread use of "multifactor authentication" or two-step ID checks. Passwords alone are insufficient access controls, officials said. Requiring personnel to log in with a smart card or alternative form of ID can significantly reduce the chances of adversaries pierce federal networks, which they added, stopping short of mandating multi-step ID checks.
  • A "Cybersecurity Sprint Team" was created to lead a month-long review of the federal government's security hygiene practices.

    The cost of ignoring being compliance

    "With some fines and penalties being as much as a million dollars a day, firms cannot afford to be non-compliant."

    A high-skilled, high-quality compliance function is expensive to build. However, it will be one of the best investments for a firm and its senior managers.

    With some fines and penalties being as much as a million dollars a

    day, firms cannot afford to be non-compliant. Many firms have employed more compliance staff, but there is a growing need for more genuinely skilled compliance officers.

    A consistency of expectation is that the cost of skilled compliance staff will continue to rise, but the growing issue is the availability of high-quality skills and experience. Many firms expect qualified staff to cost more due to the high demand and limited pool of applicants.

    The primary reason for the expected increase in the cost of senior compliance professionals is the demand for highly skilled and knowledgeable staff.

    There's no doubt that compliance is a burden and that some of the activities organizations are required to demonstrate to be compliant with the rules and regulations don't always directly contribute to the organization's security.

    The reality is the cost of regulatory compliance does not have to be expensive, but it often is.

    The leading factor in the high cost of regulatory compliance is organizations rushing to put things in place to meet deadlines and please their auditors.

    Frequently, these organizations are not focusing on being compliant or developing a long-term plan or solution that will benefit their organization.

    Why organizations need to focus on their Cyber Security and compliance

    "Brand reputation is something that takes many years of great service or products, however, it only takes one bad news story to severely damage the business."

    By now, you understand the technical costs of not maintaining your Cyber Security or being compliant with all the rules and regulations in your industry.

    However, there one factor that is often overlooked by organizations and not accounted for in the previous dollar costs.

    The way an organization is viewed by the public when there has been a breach can frequently cost more than the breach itself.

    Brand reputation takes many years of excellent service and products to build, but only one bad news story can severely damage years of work.

    Examples of organizations that had to deal with this kind of negative press are Target, Home Depot, Sony, and the US government, to name a few.

    These organizations suffered breaches by either not making sure their system or network was as secure as possible or because they neglected rules and regulations that would have met the basic requirements to be compliant.

    As a result, they all had to suffer weeks of the press digging into the details of the breach and discovering all the things the organization did wrong or neglected.

    In addition, during the subsequent investigations of each of these breaches and the organization's response.

    The investigations uncovered all the vulnerabilities of the systems. This included the lack of the tools and protocols which could have prevented these types of attacks.

    The Costs of a breach include updating and patching your organization's Cyber Security, achieving compliance, lost consumer confidence, and the actual cost associated with repairing these compromised systems.

    These are all reasons organizations should be proactive regarding their Cyber Security and compliance.

    Conclusion

    Every day there seem to be more people looking to cause havoc by gaining access to an organization's system or network to either steal important confidential information or hold the system or network for ransom.

    It has never been more critical for an organization to be up to date with its Cyber Security measures and compliance.

    The decisions made about these areas are not just an IT department issue but something that the C-level executives must take action on.

    Security measures done in the past are no longer adequate to protect your organization. More efforts must be in place to ensure that both inside and out are secure from any nefarious actors.

    Practices and protocols must be in place to minimize the damage when the next breach happens to you or your organization.

    It is no longer acceptable to avoid being compliant with the excuse that it does not add value to what your business does.

    Being compliant with the rules and regulations set by your industry is only the bare minimum an organization can do.

    A long-term solution to minimizing the costs associated with making sure your organization is compliant is a practice many organizations are starting to implement.

    The best way to avoid a breach is to continually evaluate your organization's Cyber Security and install patches and upgrades while also streamlining processes to ensure your organization is compliant and always meets compliance requirements.

    About Sath Inc.

    Sath Inc. is a seasoned Security and Regulatory Compliance office. Established in 2004, we help our customers implement industry-leading technical and business solutions for governing, analyzing, auditing, and operating on everything related to IT Security and compliance.

    At Sath, we create meaningful connections with our clients through strategic and sustained engagements, IT security compliance, and governance space innovations.

    Above all, we believe in attention to detail, interaction, experimentation, and continuous improvement.

    Our proprietary Identity Management software IDHub delivers intelligent management of all users on your network. Our 17 years in Cyber Security allow us to ensure exceptional outcomes for our incredible clients worldwide.

    If you would like to learn how Sath and IDHub can help your specific organizations with your Cyber Security and compliance needs, please contact us.

    Or contact us at: marketing@sath.com

    idhub logoPreview the future of identity management.

     

    schedule demo

    Skip to content