As part of their CFO Insights series, Deloitte has published Cybersecurity: Five Essential Truths (PDF).
I like it.
I like that they are admitting that the Emperor's clothing doesn't protect him from the elements — and any that he may put on are likely to be shredded in short order!
But first, Deloitte reminds us how both the impact and likelihood of a cybersecurity failure have increased:
"According to the Ponemon Institute's '2014 Cost of Breach: Global Analysis' study, the average total cost for a data breach is now $3.5 million globally, up 15% from last year (and considerably higher — $5.85 million — for U.S. companies). In addition, the survey found that a company's probability of a material breach involving 10,000 records or more stands at 22% over the next 24 months."
They then point to the unpleasant fact that our ability to keep people out trails their ability to break in:
"… with the ubiquitous nature of cyber risk, classic security controls (firewalls, antivirus, Intrusion Detection Systems [IDS], Intrusion Prevention Systems [IPS], and so on) are increasingly less effective as attackers employ innovative techniques to evade them."
Deloitte lists five realities we must understand. Two are key and relate to the unclothed Emperor (or celebrity):
"1. Your information network will be compromised. Unfortunately, it's inevitable that you will be attacked. If you operate an information network, you're not going to get to a point of zero risk. Accept it."
"5. Your walls are probably high enough. Companies continue to invest heavily in the protection side of cybersecurity — more firewalls, more intrusion-detection systems. But most wall building may be about as high as it needs to be. Given that hackers have likely already infiltrated, companies should focus more on the detection side to increase their vigilance against attacks and on recovery after the fact. The formula is different for every company, of course, but of the typical IT cyber-risk spend, 30% might be allocated to wall building, 50% to detection, and another 20% to resilience preparation."
I have been reporting for some time now that the ability of the "bad guys" has been increasing and is now at the point where it is unreasonable to believe we can keep everybody out of our systems, network, and data.
It's not only organized crime and teenagers in Germany. It's not only Chinese and Iranian hackers we need to worry about.
A 2009 report by McAfee said that 120 of the 192 "nations" recognized by the United Nations have organized cyberwarfare units. (You can read more about cyberwarfare
While we should continue to strengthen our walls and keep intruders out, we need to do more to identify when they have broken through.
Where I differ from Deloitte is that I would stress the timeliness of detection and response. We need to identify intruders rapidly so we can act to limit any damage. In addition, we can't wait for the board or senior management to respond — that has to be done in hours if not minutes or even seconds.
How long can we afford to have intruders in our systems before we sustain unacceptable levels of damage?
I welcome your comments.