Cybercrime is an increasing threat. Estimates vary widely, but according to a recent Reuters article, “Cyber crime costs (the) global economy $445 billion a year.” Other estimates place the costs as high as $1 trillion.
The reason estimates vary is due in part to the fact that cybercrime can come in many forms, ranging from denial of service, theft of credit card or other financial information (PCI/PII), and industrial espionage, all the way up the ladder to state-sponsored terrorism. In fact, not all cyberattacks are reported. Some institutions are tight-lipped about data breaches for fear of drawing attention to themselves. Making it even harder to arrive at a dollar figure is the fact that there is disagreement as to what exactly constitutes cybercrime. Identity theft or denial of service would be universally accepted as examples, but what about the exchange of copyrighted material? Increasingly, cybercrime is perpetrated by insiders – disgruntled employees or former employees – with access to confidential or proprietary information. In some cases, the breach may not even be known, at least not immediately. And how exactly do you measure the value of information, especially in cases where the original data remains intact?
As a case in point, a massive cyberattack launched in late 2014, and widely assumed to be the work of North Korea, was directed against Sony Pictures. Presumably, the attack was motivated by displeasure over Sony’s pending release of The Interview, a comedy film which included a scene depicting the assassination of North Korean leader Kim Jong-un. The attack opened with threatening images and sound effects as employees logged on to their computers, and then proceeded to erase data on file servers and workstations across Sony’s network. Worse yet, prior to deleting the data, the perpetrators stole it. Over the following weeks, they released stolen documents (including documents containing employee salaries and social security numbers), unreleased film footage, unreleased movie scripts, and – most notoriously – embarrassing emails from Sony executives. The released messages contained highly confidential information, exposing creative differences, positions on financial negotiations, questionable travel and other expenses, as well as unflattering comments directed at people both inside and outside the organization. The release of The Interview was eventually cancelled, following fears of attacks on theaters screening the film. Yet, while the cost to Sony was clearly substantial, how does one measure the opportunity cost of an unreleased film or the damage caused by the disclosure of an ignominious email?
Other than to law enforcement or other governmental agencies, measuring the true cost of cybercrime is a subjective and relatively meaningless exercise. Rather than measuring the costs that a potential cybercrime might inflict on an organization, most CIOs would simply prefer to avoid the threat to begin with. Particularly with growing internal as well as external threats, companies need to safeguard proprietary data and other sensitive information. This entails partnering with experts in cybersecurity and information governance, and investing in new technology, software, and employee training.
Below are three steps to take if you plan to protect your information from security breaches and hacks:
- Develop a plan: Don’t wait until you’ve already been hacked before you test the security of your data.
- Encrypt data: Limit access to your critical information, and don’t assume everything needs to be internet-accessible.
- Spread the burden: Don’t treat data security solely as the domain of your IT department. It’s an organization-wide effort.