Morphisec Cyber Security Blog

So far, 2018 has turned out to be anything but business as usual, at least on the cybersecurity front. The revelation about CPU vulnerabilities Meltdown and Spectre (and all the offshoots); the explosion in cryptojacking – which is likely even more widespread than current estimates; the lightning speed at which the newest sophisticated attack technology is adopted by mass market criminals.

We all wish we were smarter. And I believe that the vast majority of people, in some way, strive to GET smarter.

As someone who has been involved in the cybersecurity industry for years, and watched it evolve, I see countless companies in this market using the aspect of intelligence to position themselves as being smarter than others. But if you have to proclaim your intelligence, are you actually smart? Or even smarter than me? Or than the next company?

If you’ve stayed at any large hotel chain in the past year, there’s a good chance your personal details have been compromised. According to Verizon’s 2018 Data Breach Investigations Report, the accommodation industry had one of the highest number of breaches, second only to healthcare. 

Morphisec is honored to have received awards in three out of six categories at this year's Midmarket CIO Spring Forum. The annual Vendor Excellence and Midmarket CIO Awards recognize leaders in technology collaboration. 

Over 77% of all cyber crimes target small and midsize enterprises. According to the 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report by the Ponemon Institute, cyberattacks cost small and medium-sized businesses an average of $2,235,000.

Last month I discussed cybersecurity effectiveness, particularly in regards to the growing threat of fileless attacks. But effectiveness is only one piece of the equation.

First and foremost businesses still need to go about their business. Unfortunately, it has long been the case that the more effective a cybersecurity tool is, the slower and more intrusive it is and the more effort it takes to manage it. The complexity and pain of managing – not buying, managing! – security tools often forces companies to reconcile themselves to unacceptable exposure, for example to security-related business disruption, for want of resources to manage cumbersome defensive technology.

Modern manufacturing technology brings improved quality and efficiency at lower costs. It also brings greatly increased cyber risk. Deloitte and MAPI’s (Manufacturers Alliance for Productivity and Innovation) recently published a report which takes a hard look at the effect of current manufacturing trends on cyber risk. The study found that, while manufacturers are beginning to prioritize cybersecurity, they have a long way to go. Read the report, “Cyber Risk in Advanced Manufacturing,” to see their findings and recommendations to be “secure, vigilant and resilient.”

Hedge funds are coming under increasingly heavy fire from attackers and regulators alike. A 2015 report issued by the SEC that examined more than 100 financial companies found that 88 per cent of broker-dealers and 74 per cent of investment advisers have experienced a cyberattack directly or through one or more of their vendors.

Today, a few hackers may be ideologically motivated, but the majority of attacks are financially-driven crimes. This is seen most clearly in the rise of ransomware; no mystery, just pure and simple extortion. And consider the latest victim of choice, the healthcare industry, sacrosanct in most people’s eyes but merely a lucrative, vulnerable target to cybercriminals. As such, cybercrime follows the economic rules of any business – reward must outweigh costs – and should be confronted on those terms.

This is the second blog post in a series of excerpts from the ebook (download here) “Know Your Cyber Security ROI: Making the Business Case for Cyber Security.” The first post introduced the concept of cybersecurity implicit ROI and the factors that determine the expected value of your cybersecurity operations. It also outlined the three attack phases and the correlation between attack phase and organizational cost.

This post examines the first attack phase and the costs associated with precautionary measures during this phase:

Organizations employ many precautions and actions in the attempt to block cyber attacks. Such measures can require significant time and resources to implement as well as maintain. This class of tools includes endpoint security solutions such as anti-virus, protection and detection systems as well as gateway solutions.

Every enterprise includes software patching as part of its security system to some extent. Because of its widespread use and marked impact on business processes, we will examine patching as an example of direct and indirect costs to your organization.

Executives often view cybersecurity as an expense, a necessary one perhaps, but still a burden on company finances, focus and time. Instead it should be approached as an investment – an investment in protecting an organization’s systems, resources, customers and reputation. And, like any investment, cybersecurity should be able to prove its value by delivering a solid ROI. But how do you calculate cybersecurity ROI? After all, security doesn’t create earnings.