Discover Performance // HP Software's community for IT leaders // November 2013
Why cyber crime is costing you so much more
Larry Ponemon discusses the sharp rise in security spending, and how to spend wisely now to avoid the higher cost of being a victim.
Despite better technology and more knowledgeable leadership in enterprise security, the cost to defend our organizations against cyber crime just keeps going up. In the four years since IT research firm Ponemon Institute first released its annual “Cost of Cyber Crime Study,” the average annualized cost of cyber crime has increased 78 percent. And, according to chairman and founder Larry Ponemon, it won’t stop there.
We sat down recently with Ponemon to ask him why global business continues to lose ground against the enemy, and to learn the most effective strategies to stanch the bleeding.
Q: This year’s study showed a 30 percent year-over-year increase in the cost of cyber crime. What happened?
Larry Ponemon: The bad guys are just smarter. Their attacks are stealthier and therefore more difficult to detect, and the attacks last longer. Like a biological virus in the human body, they’re very difficult to remove from the system.
We also know that organizations are incurring costs because there are more regulatory and compliance requirements. Especially in highly regulated industries—like financial services, defense contractors, and critical infrastructure companies—organizations have to do more to demonstrate that they’re proactive in managing security. They have to respond to challenges through better forensics, better discovery, and better containment procedures.
Four years ago, when we started to do this analysis, some organizations weren’t doing enough on the detection and forensic side. Now, we’re seeing very few organizations taking a willy-nilly attitude and neglecting the up-front investigation. That also contributes to the cost increase.
Q: Will this trajectory of rising costs continue?
LP: My gut tells me we’re not going to see costs stabilizing for a while. Things aren’t getting better fast enough. I think in the end, though, we’re going to see the good guys win. I’m hopelessly optimistic.
People and technologies are coming together, and we’re actually coming up with defense capabilities that didn’t exist before, like the creation of security intelligence technology. SIEM is one example, but there are others—Big Data analytics, for example—that are giving the good guys a tool to understand the problems.
I’m not saying it will be a 20 or 30 percent increase [every year], but I would anticipate a pretty healthy increase in cost in the short term. Things will flatten out as we have more companies using leading-edge technology. In the long term, costs will actually decline, because organizations are going to be better prepared to fight a good fight against the cyber criminals.
Q: What’s the most effective tactical action companies can take to stop attacks?
LP: We need centralized command-and-control, so that you can know all of the things that are happening to your organization and you can see patterns developing. Things that seem disconnected suddenly are connected. This helps you build a stronger defensive capability by having that information in one place, under the leadership of one group.
Making the command-and-control model of security work means that security needs to be in the business unit. It can’t just be a stand-alone activity. When security’s off to the side, you miss things. You’re not able to put the puzzle together in a way that will help you effectively deal with the most severe cyber attacks. Sophisticated attacks at the business-unit level sometimes go unnoticed. People don’t even realize that they’ve lost data or they’ve had a disruption caused by, say, a complex piece of malware.
Another tactical priority is dealing with the employee negligence issue. Many cyber attacks occur because an employee inadvertently did something that put the organization at risk. These kinds of issues happen all the time, and the bad guys prey upon this. So, training and educating your workforce on better security practices, and having policies and procedures in place, provides a very strong return on investment.
Q: Moving away from the tactical, what’s the most effective strategic change companies can make?
LP: At many organizations, people look at the security operation like the legal department: no matter what you request, they’re going to say no. They’re going to slow you down and block innovation.
So the strategic goal is to change that mindset. If you want security to work, you have to get the organizations to see security as something that’s helpful, not as something that creates problems. Your security objectives have to be fully aligned with the broad business objectives.
A lot of CISOs don’t feel comfortable thinking about security from a broader business perspective, but we’re starting to see more CISOs who are business-knowledgeable. They have deep technical knowledge, but also strong business skills, and that combination is invaluable.
Q: You were able to determine which aspects of containment and recovery are most expensive. Did this line up well, in your opinion, with where budgets are spent?
LP: We know that a lot of organizations are underspending on security. The companies that are most effective are good at detection and isolation of the problem: they know what’s going on pretty quickly.
These organizations are spending resources up front on detection, but they are also trying to understand the root cause. They’re trying to piece information together so they can be more agile and better prepared to respond in the future.
Spending on these up-front issues—like detection and discovery, not just containment and remediation—seems to give a better result and a better value.
Q: That sounds expensive.
LP: It’s all about having the intelligence to understand the problem completely. It may seem like a waste of time, but a lot of attacks go into a dormant state and can come back again and again. They change form, but they’re basically still in your system.
I think spending on that intelligence looks like you’re spending a lot of money, but you’re actually spending it wisely, because you’re using your limited dollars to understand the problem so you can fix it for the long haul, not just for that specific incident.
Q: What does a CISO need to do to ensure that the security effort is balanced between prevention, investigation of in-process attacks, and recovery from an existing attack? How do you do that?
LP: The perimeter has crumbled. The concept of keeping people out also means you can’t take advantage of, for example, mobile platforms or cloud computing or virtualization. So you’re going to have to deal with the ugly reality that some things will infiltrate your network or enterprise system.
Despite that new reality, companies historically felt that if they spent on prevention, they could solve the big problem. So budgets are earmarked for preventive technologies, more so than detective or containment types of technology.
Instead, allocate your budget as an interaction between three metrics: prevention, detection, and reducing false positives. Think about optimizing on these three metrics together, not just each individually.
That’s the art form of security: look at the end goals and work backward from there. If you figure out strategies using prevention, detection, correction, and false positives, you can get to that ideal place.
For more on the current state of cyber crime, from the types of attacks to the tactics used to stop them, download the Ponemon Institute’s full “2013 Cost of Cyber Crime Study” (reg. req’d).