A major credit-reporting company recently disclosed that hackers possibly gained access to the personal information of 143 million US consumers, or roughly half the US population. In a statement made on the day of the public disclosure of the breach, the company’s chairman and CEO vowed to increase cybersecurity spending. Of course, this is the right thing to say, but one might wonder why the company waited until after the breach to make the investment.

Keeping Systems Updated

According to press reports, the intruders were successful in this instance because the credit-reporting company fell behind in patching its Internet-facing web applications. One of Cimphoni’s “five pillars of cybersecurity” is to Keep Systems Updated. Running an effective patch management program is not inexpensive, but it is much less expensive than “playing catch-up” once an organization has fallen behind. More importantly, the cost of patch management pales in comparison to the cost of a breach that happened because systems were not kept up to date.

Assumption of Breach

In addition to working on breach prevention, organizations should prepare for a breach to happen, which we refer to as Assumption of Breach. This is the pragmatic approach of assuming that your organization cannot successfully prevent all cyberattacks. The organization needs to be capable of detecting the incident quickly, and then responding to it immediately to limit the damage. The longer hackers are inside an organization’s network, the more time and opportunity they have to create damage.

Reportedly, the breach at the credit-reporting company took place between May and July 2017, over a period of two to three months. This time to discovery of the breach or “dwell time” is better than average. According to a 2016 report from FireEye, the global average dwell time is 146 days before the incident is detected. This raises the importance of expanding detection capabilities beyond static indicators of compromise identification, as Forrester recommended in a 2017 report, to more extensive breach identification strategies. The sooner an organization detects a breach, the quicker it can limit the potential damage.

Data Breaches are Costly

If the hackers successfully stole the personal information of 143 million US consumers, they are looking at a huge paycheck, as going rates on the dark web (black market) for records containing a name plus date of birth are $11 each, for a social security number $30 each, and for a credit card number between $4 and $8 each. Multiply that by $143 million and the potential payday is enormous! Compared to the damage this stolen data can create for consumers, this may be only chump change.

Quite possibly, the greatest financial (and reputational) damage will be borne by the breached company itself. According to the 2017 IBM Ponemon 12^th annual Cost of Data Breach Study, the average corporate cost of a data breach is $3.6 million with an average cost for each lost or stolen record $141. Other research estimates the cost to the corporation for each lost or stolen record to be about $245. Regardless of which estimate is correct, a breach in the magnitude of 143 million records can result in astronomical costs!

Why it’s Time to Invest in Cybersecurity

Do you still think your organization can hold off a little longer on a comprehensive cybersecurity program? Think again. According to the 2017 Forrester Hiscox Cyber-Readiness Report, 63% of US organizations reported cybersecurity incidents over the past year – including 72% of larger businesses. Nearly half of all US firms (47%) reported two or more attacks, and 11% reported five or more. Their study concluded that 53% of organizations polled in the US, UK and Germany are ill prepared in cyber-security terms.

Technology and hacking mechanisms change rapidly and controls that used to be strong can now be compromised. If you have not had a third-party holistic review of your cybersecurity and risk management program in the last year or so, chances are that a cyber incident is just waiting to happen. It is basically a choice for corporations: invest in cybersecurity to lower the risk of a breach, detect breaches sooner and prepare the organization to respond to breach incidents, or be prepared for the financial and brand reputation damage when, not if, your firm is in the news apologizing to your customers for a breach and the subsequent damage that may have been preventable.