April 25, 2017What does cyber resilience mean to you? The answer will surely vary across industries. And, to some, the term might not mean anything at all. In fact, according to new research from Vanson Bourne, not enough organizations are making cyber resilience planning a priority.
Only 30 percent have already adopted a cyber resilience strategy, with about one-third still in the early stages of development or planning. Too many organizations are leaving themselves unprepared for the unknown, and it doesn’t have to be this way.
Organizations of all sizes need a cyber resilience strategy; no exceptions. Yes, security is critical, but not the only piece of the cyber resilience equation. Multi-purpose data archiving, business continuity and the ability to empower the end-user should also have equal consideration. This holistic approach to IT management is what we call cyber resilience, and this is core to our business and how we interact with our customers.
Cyber resilience resonates throughout everything we do at Mimecast – it’s engrained in our internal and external philosophy. But, we wanted to find out how other industry thought leaders are thinking about cyber resilience, and how they are applying it to their own business models. So, we took the great opportunity to tap into the powerful mindshare at RSA Conference 2017 by hosting the first-ever ‘Cyber Resilience Think Tank’ at the San Francisco NASDAQ Center. Insights from the event were captured in a Cyber Resilience Report released today from Cybersecurity Ventures.
I had the pleasure of leading this think tank discussion, which was made up of almost two-dozen leaders in the cybersecurity industry, and moderated by Ari Schwartz, Venable CEO and former member of the White House National Security Council. The impressive caliber of Think Tank participants – which ranged from Malcolm Harkins, chief security and trust officer of Cylance Inc., to Helen Rabe, head of information security for UK-based Costa Coffee – validates that cyber resilience is a hot-button issue that organizations of all sizes and across all industries should care about – and plan for.
The Think Tank attendees validated our approach to cyber resilience planning. It starts with the understanding that security alone simply isn’t enough. And it ends with a comprehensive plan to manage IT, and hopefully, a philosophy that helps drive your business and customer relationships.
Now, more than ever, organizations need a broad approach to cyber resilience planning and they can’t expect do it alone. Industry leaders need to continue to push cyber resilience and provide actionable insights and prescriptive advice to drive towards a more cyber resilient future.
Think Tank contributors included:
- Matt Crouse, Director, Information Security & Compliance, Lucky Brand, LLC
- Joe Gajdosik, Director of IT Security, Curtiss-Wright Corporation
- Jason Gunnoe, Chief Information Security Officer, Bridgestone Tires
- Cathy Hammond, Chief Security Architect, Teleflex
- Jim Hansen, COO, PhishMe
- Gary Hayslip, Chief Information Security Officer, City of San Diego
- Ed Jennings, COO, Mimecast
- Joel Lowe, Head of Information Security, Sonic Automotive
- Neil Murray, Chief Technology Officer, Mimecast
- Phil Owen, Global Head of Information Security, IHS Markit
- Helen Rabe, Head of Information Security, Costa Coffee
- Brian Reed, Chief Product Officer, ZeroFox
- John Sapp Jr., Director, IT Security & Controls, Information Security Officer, Orthofix, Inc.
- Ari Schwartz, Managing Director of Cybersecurity Services, Think Tank Moderator, Venable, LLC
- Maurice Stebila, IT Security, Compliance & Privacy Office, Harman International Industries
- Chris Wysopal, CTO & Co-Founder, Veracode
April 11, 2017
Imagine for a moment that you are the “rockstar” IT director of a Top 100 firm. You’ve just presented your 2017 plan to the board for major IT initiatives, which include a plan to support General Data Protection Regulation (GDPR) compliance. The presentation goes well, and you’re invited to stay and chat during the break.
Just as you’re about to walk to the coffee machine, a new board member comes up to you, thoughtfully sipping tea, saying: “Good presentation!” Before you can say thanks, she says: “You know, there are some things around GDPR which really worry me” - “What business value does GDPR offer us? With data in so many places, can we possibly get a quick win on GDPR risk mitigation? Is there a way to reduce the risk of data breaches for which we could be fined millions?”
As you listen attentively to the questions, your mind races as you think about the noise, alarm and scare-mongering of how organizations will be impacted by the GDPR. Phrases such as “fines of 20 million euro or 4% of global turnover”, and gloomy headlines like “Could new data protection rules mean the end of SMEs” have driven much of the concern and anxiety about the damage to a business’s reputation, impact on its share price or costs associated with GDPR. From her questions, it was clear that this new board member took these scare tactics to heart.
Being the “rockstar” IT Director you respond enthusiastically saying the senior executives and the board have been proactive in supporting the preparation and response to the GDPR. You talk unreservedly about how the GDPR can help the company become more efficient in the way they manage, process and protect personal data. It could also help them use data more profitably for their own ends, allowing them to become more competitive. Especially, if the business is intent on ‘transforming’ for a digital data-driven age, GDPR can form the foundation of that effort.
Time is of the essence
You agree with the board member that the business does need a quick win for implementing appropriate security and data protection measures for personal and sensitive data, as 25th May 2018 is not too far off. However, you explain that the process can be complex and challenging given the huge amounts of personal data such as email addresses, names, phone numbers, credit card details, and other sensitive information that may be stored across multiple data repositories, either onsite or in the cloud.
As the conversation progresses, more board members join the impromptu discussion around the coffee machine. You mention that you already have a plan for a “quick win” which will help in mitigating GDPR risk. You explain that almost every day we hear or read about losses of personal data, whether it’s a malicious attack or an accidental loss, or emails being compromised. You state a well-known fact that 91% of cyberattacks start with a phishing email – something which the board members find unpalatable. This is when you mention that it’s no wonder one of the GDPR measures gaining traction with IT managers is implementing appropriate advanced email security protection.
Now all eyes are focussed on you, and being the IT rockstar that you are, you stress that the business should use GDPR as an opportunity to get a firmer grip on continually evolving email threats. You describe how easily it can be done by putting into place measures which include multi-layered threat protection to defend against spear-phishing, ransomware, impersonation and other targeted email attacks.
You enlighten the board further on the new rights for individuals, which limit the personal data organizations are able to collect and store under the GDPR. You clarify how the business can use powerful cloud based archives to provide rapid search capabilities to find, remove or transfer personal or sensitive data. You also make it clear that these solutions ensure uninterrupted access to live and historic email data in the event of a sudden email outage or planned downtime.
Like any “IT rockstar”, you end on a positive note commending the board on their awareness of GDPR and growing cyber security risks. The new board member should feel confident knowing that, at the very least her concerns around a cyber resilient GDPR strategy are being addressed.
Find out how Mimecast helps to simplify GDPR compliance by visiting the Mimecast GDPR for email resources page.
It takes just half a second to infect a computer with ransomware, but affected companies deal with the fallout for months. The FBI estimates that more than 4,000 ransomware attacks occur each day in the U.S. – representing a 300% increase over 2015 alone. What's more, cybercriminals can get started for just a small investment: Forbes reports that one $39 program encrypts files, deploys from a variety of file formats, and deletes files at random intervals when the ransom isn't paid. Yet the price for companies affected by ransomware is much steeper. In addition to the ransom itself, companies facing ransomware are often unprepared for the true cost of dealing with attackers, getting systems back online and handling potential brand damage and lost productivity.
The Ransom is Expensive – But It's the Least Important Cost
Ransomware is a strain of malware that encrypts data on organizations' computers, servers or user devices, locking them down, before demanding payment of a ransom – often in Bitcoin or another non-traceable currency – in exchange for decrypting the data. According to the FBI, the costs of the ransom plus staff time in recovering the data averages about $330,000 per incident. The ransom itself varies, but is just a fraction of the costs that organizations face. One high-profile case required a Hollywood-based hospital to pay $17,000 to regain access to its data. Yet the financial outlay from paying the actual ransom typically costs far less than collateral damage.
Quantifying the Real Costs of Ransomware Attacks
Employees' productivity declines: Lost employee productivity is a major ransomware cost. When your team is unable to access email, customer information, and other essential systems, they're not able to get their work done and keep your business moving forward. According to the Aberdeen Group, the cost of downtime per hour ranges from $8,581 for small businesses to an astronomical $686,250 for enterprises. An outage of just one day can range between $205,944 and $16,470,000. Email continuity systems can keep your employees connected and working even during an attack.
Customers' access impacted: If locked down systems or encrypted data is linked to the customer experience, the financial damages can be further reaching. From brand damage to the inability to get customers what they need, lack of access to data can bring client-facing operations to a grinding halt. For example, in a healthcare setting clinical staff may be unable to access treatment or prescription data and need to send patients to another facility. Banks may be unable to accept deposits or provide accurate balance information via online banking portals. Customers who find out about ransomware attacks can develop negative brand associations and question both employee judgment and infrastructure security. It's hard to quantify the losses, but stock prices can drop and customers can take their business to the competition.
Potential regulatory and compliance fines: In certain industries, compromised data can be seen a security failing. Each breach or ransomware attack can lead to regulatory fines and penalties, such as in the healthcare industry or in banking. In healthcare, for example, HIPPA-covered organizations can face fines between $10,000 and $25,000 per incident – up to a maximum of $1 million per year. Nominal investments in the right solutions and employee training can help prevent ransomware attacks and recoup the investment many times over.
The cost of recovery and the potential for data damage: Restoring data after a ransomware attack isn't fail-proof or inexpensive. Key files may be deleted or inadvertently damaged during the restoration process. Bugs in the decryption software can lead to data losses. Even if decryption proceeds smoothly, businesses have to invest in IT staff time to get back online. Often a ransomware event also signals a complete forensic analysis of the current setup, network vulnerabilities and investments and strategies to prevent future issues which are time-consuming and potentially expensive.
Your team works hard to attract and serve your customers. Don't let a ransomware attack derail your business and have a negative impact on your bottom line. Mimecast's layered solution brings together email protection, business continuity and data replication capabilities into a single cloud solution that helps you protect against the threat of ransomware.
Contact us today to learn more.
More than 50 new types of malware used in ransomware attacks were released in the first half of 2016 alone. The pace of ransomware attacks is escalating. Nearly 40% of companies have been hit with ransomware attacks this year, and the Federal Bureau of Investigation estimates that the cost per incident is $330,000 when factoring ransomware, downtime, and data recovery. A viable cyber resilience strategy must take a layered approach to combat the realities of a much more complex malware environment.
It's not enough to focus on prevention. As new tools come on the market that allow non-technical criminals to enter the ransomware game for less than $40, businesses need to think about continuity planning before an attack occurs. Companies must think strategically about integrating a layered approach that defends on multiple fronts through targeted threat protection, data archiving and business continuity planning.
Email Ransomware Attack Prevention:
The Wall Street Journal estimates that 99% of ransomware attacks begin with an email. Users download a file or click on a link that infects computers, servers or networks with malware. Data is then locked down or encrypted until a payment is made; then, hopefully, the criminals behind the attack provide an encryption key.
Protecting your email is the frontline defense system against ransomware attacks. Companies can focus on a handful of interrelated solutions to help decrease the chances of emails compromising their system:
- Employ real-time scanning of all emails to help identify phishing and suspicious emails and links from questionable domains across email platforms and devices.
- Intelligent sandboxing solutions scan all attachments before they are delivered to recipients, minimizing the chances of ransomware attacks.
- Dynamic feedback alerts employees to potentially threatening emails, raising awareness and informing better decision-making.
- Email policies, employee training and running tests ensure that team members make smart decisions and complying with company IT procedures.
Ensure Employees Can Continue to Work During an Attack:
When a ransomware attack freezes your network and restricts access to data, productivity grinds to a halt. The losses can be staggering. One report from the Aberdeen Group estimates hourly losses ranging from $8,581 for small businesses to $686,250 for enterprises. Business continuity planning can keep your workers online and connected to email; with the right systems, employees and customers may be unaware that an attack is underway. Email continuity systems provide access to live and archived mail across devices, as well as contacts and calendars. Regular business operations can continue, while your IT team works behind the scenes to solve the problem.
Data Replication Capabilities:
When criminals want to take your data hostage, one of the best strategies you have to defeat them is your data replication strategy. Consider developing an archiving strategy that backs up your data from local drives – as well as third-party providers – in completely separate and unreachable files. Use systems and policies that disconnect backups from the main network after they occur.
Not only does this ensure that your data isn't lost or damaged during a ransomware attack, but it gives your organization a broader range of choices when dealing with the perpetrators.
The statistics for ransomware today can be daunting – and it quickly becomes apparent that no single solution can help companies prevent these malware attacks. However, cyber resilience is built on a layered strategy that prioritizes protecting your email, educating employees, creating viable data replication strategies, and keeping your business online during and after attacks. Mimecast's layered solution brings together email protection, business continuity and data replication capabilities into a single cloud solution that helps you protect against the threat of ransomware.
Contact us today to learn more.