arnoldkwong7

Cost of Doing Business #4

Reality Bytes – Why me?


This is the 4th post in a series about the costs of cyber security with an emphasis on Utilities. The last post covered changing priorities due to technical guidance from CISA.


Managers and information technology staff – sometimes just outside part-time people – have to understand that hackers target enterprises of all sizes. ‘Small Medium Enterprises’ (SME) are often targets because they have less sophisticated defenses and staff. The urge to ‘just pay’ a ransomware demand arises when disastrous situations greet owners and managers. The embarrassment of being caught unprepared and clobbered leads to a dynamic of “what if nobody finds out”. Targets of attacks may not be gigantic enterprises and may simply be critical – like a water utility, critical defense supplier, or software enterprise. Being small and obscure is not a method to avoid hacker attacks.


Things to do today: select and assign business and technology staff to be in charge. Set aside a budget amount to start (it likely won’t be enough). Set a timeline to have ‘something’ done. If you think your enterprise is ‘good enough’ – pick an outside resource to audit/analyze/confirm you’re right. Most analysis will show good places (not just to spend money) for real improvement.


A major bank was the victim of a fire at a critical software supplier. As the software supplier’s staff struggled to get reorganized, the bank was hit with regulator audits, scrutiny by market financial analysts, and compliance exceptions – and major costs. Enterprises of all sizes are vulnerable to critical business interruptions caused by tiny open source coders, colossal errors at cloud providers, or simple keystroke mistakes that end up affecting everyone. Custom software? Web site dependent on a payment processor? Only one person (on vacation) knows how to update security? Vulnerabilities can be found in all enterprises, from tiny to colossal.


“It’s expensive” is a complaint. The expenses are all overhead and costs of quality – not of operating the enterprise today. The same flavor of complaint applies to fire extinguishers/sprinklers, PPE against Covid, and auditing costs. Those costs are all costs of doing business – and now information security and network security costs will be added. The level of cost is also relative to the enterprise – a small shop doesn’t have the elaborate costs of a sprinkler network in a huge plant. Smaller enterprises will see disproportionately high costs in reaching a critical level of protection. A key point is that security expenses for data and networks will be a substantial portion of IT spend.


Management also can’t simply outsource all of the effort and technology to achieve data and network security. Simple steps – taking a backup and making sure it’s securely stored offsite/cloud – will still require operational folk to execute on a daily basis. Setup and updating, whether on demand or on a periodic basis, will also make the expense hard to budget. Even in mid-size enterprises the added expense of authorization management, authentication, and data access controls will require significant staff time and purchases. Some costs will be unplanned – vulnerabilities found or attacks made will make some spend reactive. Critical attacks on financial, manufacturing, defense, energy, health care, and transportation/logistics networks are now frequent – and getting meaner. Starting today isn’t too soon to improve any enterprise’s protection and controls.

And that’s just today. More in our next release: Cost of Doing Business #5 – Resourceful Realities.

Read our latest blog posts and more at www.ekalore.com/blog-1
