Six Important Enterprise Security Lessons for Executives

Wednesday, January 19, 2011



CSO's Jon Murphy draws important lessons from the Cost of Cyber Crime Benchmark Study published by the Ponemon Institute.

Murphy writes that the sharp rise in enterprise cyber crime incidents, together with the corresponding rise in the cost of responding to them, should be a wake-up call for industry executives.

The following is a brief summary of the lessons Murphy highlights from the study:

  • Cyber crimes are far more costly than taking steps to harden an environment beforehand:  The study reports that the average response cost for companies that were impacted was $3.8 million per year. The cost of the technologies and processes that could have effectively mitigated or prevented the same incidents was generally less than 1/3 of that cost...
  • Cyber crimes are pervasively intrusive and increasingly common occurrences:  ...compliant (with whatever standard or regulation) does not necessarily mean secure! IT Risk Management (InfoSec, BC / DR, Compliance, Governance), like ERM, is a continuous improvement program, not merely an "achieve it once and forget it" project...
  • The most costly cyber crimes are those caused by web attacks and malicious insiders:  Generally accepted better practices state we should be doing quarterly OWASP scans and biannual penetration testing... Mitigation of such potential vulnerabilities requires implementing technologies such as SIEM, DLP, and HIPS (among others)...
  • At the onset, rapid resolution is the key to reducing costs:  ...cyber attacks can become even more costly if not resolved quickly. The report shows that the average number of days to resolve a cyber attack was 14 days, with an average cost to the organization of $17,696 per day... The survey revealed that malicious insider attacks can take 42 days or more to resolve. These costs demonstrate that quick resolution is needed for today's sophisticated attacks...
  • Loss of information due to theft represents the highest external cost, followed by the costs associated with the disruption to business operations:  ...information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity account for 22 percent of external costs... Tangential to these costs is the expense and reputation damage from the second disaster of negative press and lost customer/shareholder confidence...
  • All industry verticals are susceptible to cybercrime:  ...all verticals are being adversely impacted, and with increasing frequency... Insurance companies are noticing. They are increasingly seeking further proof of due care and due diligence prior to issuing policies and before paying claims. The government is taking notice too...

For the complete rundown on the report and more details on these and other cyber threats executives should take note of, see Murphy's full entry here:


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
