The Ponemon Institute recently released the results of its sixth annual Cost of Cyber Crime Study, conducted in partnership with HPE, and the numbers are startling. Just one example: The cost of dealing with data breaches and cyber attacks in both the public and private sectors rose 19 percent over the past 12 months in the U.S., and 82 percent over the past six years. Around the world (the Ponemon study looked at companies in Australia, Brazil, Germany, Japan, the Russian Federation, the U.K. and the U.S.), the cost of monitoring and remedying cyber attacks ranged from around $2 million to $65 million—that’s per company, per year—with denial of service, malicious insiders and malicious code accounting for more than 50 percent of those costs.
In this interview, Sue Barsamian, senior vice president and general manager for Hewlett Packard Enterprise’s security products division, talks about staying on top of the ever-shifting landscape of cyber crime and why the strategy a company employs after a successful attack is, in some ways, more important than the resources designed to thwart a breach in the first place.
Let’s talk first about the sheer numbers involved in cyber crime. Most people would be pretty astonished by the year-over-year increase in both the number of attacks and how much it costs companies to protect against them.
Well, there’s no question that the numbers are alarming. This most recent Ponemon study, for example, indicates that the average annual cost of cyber crime to companies worldwide is now approaching $8 million. In the United States, that number is $15 million. But if we look more closely, we’re seeing different types of costs resulting from cyber crime. There’s the cost of what a company spends to find and respond to threats. And then there’s what we might call the external cost, which involves data lost to a threat, or the economic impact of compromised or stolen sensitive information. What we found is that detection of, and recovery from, cyber attacks is the costliest internal expense, while information loss remains the most expensive external threat.
How has the nature of these attacks changed or evolved in the half-decade since you and Ponemon have been studying cyber crime and its costs?
Certainly, both the pace and the scale of the attacks are going up. When we started tracking this data in 2010, the companies we surveyed, which tend to be larger organizations, were experiencing, on average, around 50 attacks per week. Since then, that number has risen to 160 successful attacks per week. With the increase in malicious insiders and denial of service attacks, which are meant to effectively knock a network or website off-line or make it unavailable to users or customers, we’re definitely seeing an increased sophistication in the attacks launched by our adversaries. These attacks are costly and complicated to track down. Given the cost and frequency of these attacks, it’s evident that security is top of mind for organizations of all levels. Think about Chinese president Xi Jinping’s visit to the U.S. in September of this year. The focus of the talks was not so much about artificial islands being built in the South China Sea, but, instead, very much centered on coming to an agreement on cybersecurity and how the two countries would cooperate on investigations into malicious attacks.
So the nature of the attacks has evolved, but how has the nature of what’s being attacked changed over the years?
The attack surface has changed dramatically. In the old days of network and enterprise security, you essentially protected the perimeter and everything you cared about was inside that wall. Your data sat in data centers, your applications sat in data centers and your users were on managed devices on a managed network. Today, your applications and data often sit in the cloud. Your users are on mobile devices and they are accessing networks from coffee shops and elsewhere on the road. It’s a very distributed, diverse landscape to try and secure compared to what it was just five or 10 years ago.
With the current environment of security threats and the constant barrage of attacks, do you feel that enterprises are ahead of the curve when it comes to security?
Enterprises are getting smarter all the time and understand the critical importance of security. However, one area that is still a challenge for enterprises is having enough staff to manage and respond in this security landscape. For example, 40 percent of security jobs are vacant and 58 percent at the advisory level. To combat this, we see more organizations moving to a managed services or hybrid model, and we work with a wide variety of customers in both of these models. In addition, we’re seeing security as one instance where companies are actually partnering for the greater good far beyond competitive banners. There is a fundamental shift from building bigger walls to much more sophisticated approaches.
To that point, because a good number of cyber attacks will be successful, isn’t something like more powerful encryption inside a network, rather than higher and thicker firewalls, a smarter approach to the problem?
Better, smarter encryption is certainly part of the solution. We equate spending all of your money protecting the castle—in this case the network—but then leaving your data insufficiently encrypted to locking the garage but leaving the keys to your Ferrari in the ignition with the car windows open.
According to Gartner, more than 75 percent of the money spent in the cybersecurity space is still spent on the network and perimeter blocking. At the same time, the number of companies and government agencies that are not effectively encrypting sensitive information is still pretty significant. Application and data security are foundational hygiene to any security framework, and enterprises have to look upstream to ensure data is secure at rest, in motion and in use. We believe that it’s critical to secure the interaction between the user, applications and data regardless of their location and their device.
At HPE, for example, we don’t allow applications to be built that are not in compliance with our security requirements because data increasingly reside inside those apps. The good news is that in terms of enterprise security, the spending trends are heading in the right direction, shifting to include not just protecting the perimeter but also securing applications and data. In other words, locking the garage and taking the keys out of the Ferrari.