It has been yet another busy month in the world of cyber security news. What does it mean when breaches reach private sector firms and public institutions that are supposed to be experts in risk oversight? It means that security is hard even when it is treated as a priority, let alone when it is an afterthought, as it is in most institutions. Given the business they are in, you would have thought that these entities would know better and would have had the wherewithal to do a better job of protecting their information. However, like the proverbial shoemaker whose children go barefoot because he is focused on earning a living, the focus of private sector companies and government agencies is on executing their mission, not on turning their public-facing capabilities inward to better protect themselves, their constituents or their customers.
Until there is real motivation that elevates cyber security as a priority in public and private entities, we will continue to see a less than stellar effort at its implementation. Despite many executives losing their jobs, the long term cost of these breaches to the organization is not significant enough to motivate the right behavior. Unfortunately, regulation and the associated fines are likely the only way. One only has to look at the mania of activity and concern surrounding Europe's General Data Protection Regulation ("GDPR") and its potential fines of up to four percent of global annual revenue.
My previous column talked about security vs. compliance, which is an important distinction when considering regulations, related penalties and how to measure success. The risk based approach advocated there is the well-established path to managing cyber security for optimal business results. Like all risk disciplines, it looks at the threat landscape, the vulnerabilities, and the potential business impact when the two intersect.
What the risk based approach does not directly consider are the resulting impacts that fall outside the business. Despite the significant short term effect of major breaches on profits, stock prices and the careers of company executives, most breaches to date have not had a long term financial effect on the businesses in question. Equifax may be the first major exception to the rule, and as attacks increasingly cut into operational capabilities, the dollar impacts will grow (see the roughly $300 million cost FedEx attributed to the disruption caused by NotPetya this past summer; NotPetya presented itself as ransomware but was, in effect, a destructive wiper, so there was no recovery path even for those willing to pay). However, most businesses are still inclined, by decision or by passivity, to roll the dice that the cost of a cyber event will be less than the business cost of preventing one. Cyber insurance only raises the dollar threshold required to get boards and executives to pay attention and adjust how they do business to better protect themselves and their customers. Unfortunately, undesired outcomes that do not significantly impact the bottom line in the long term, like the exposure of customer data, will not drive the attention required to make a dent in the matter.
The only way this formula changes is when the cost of weak security exceeds the cost of putting the right people, processes and technologies in place to raise the bar. That is not to say that being motivated to improve security posture will magically prevent attacks from succeeding. But it is to say that without a direct driver, we will continue to see preventable breaches that result in the exposure of personal data and the disruption of services.
That driver may come from one or all of three places. First, individual consumers need to speak with their pocketbooks and their votes. Making security a significant and vocal factor in your buying and voting decisions will raise the stakes for commercial entities and politicians, "helping" them realize its importance. Second, regulation and legal decisions at the federal level that increase the cost of cyber negligence through fines and legal action will materially increase the bottom line impact and drive more attention (again, see GDPR). To minimize the burden of compliance, such regulation needs to consolidate the various state and local efforts and focus on actual security rather than check-the-box compliance. The New York State Department of Financial Services cyber security regulation (23 NYCRR Part 500) provides a good template as a starting point. Finally (and I pray this never happens), a major disruptive event with significant impact on the operations, financials or life safety of a large private or public entity will open everybody's eyes.
The risk needs to be recognized, and action needs to be taken, before a cyber disaster impacts critical infrastructure or life safety. No major innovation comes without cost. Cyber security is one of the costs that must be paid to reap the benefits of our advanced technology and connectivity.