UK Government research has highlighted that 74% of the country’s small businesses have suffered an online security breach. The cost of such a breach averages between £75,200 and £310,800 through disruption, lost business, time spent dealing with an attack and several other factors.
When a return on investment can seem distant, many small business owners are unlikely to view cyber security as a priority. However, the value comes from the avoidance of a significant incident.
The fallout isn’t just limited to financial loss. Businesses can experience a significant impact on future revenue through reputational damage. Executive departures are also common as the responsibility ultimately lands with top management.
William Gerrity, former chairman and CEO of a US-based retail property firm, was the subject of an attack that affected both his personal and business life. Gerrity received an email from an unknown sender demanding $150,000. Attachments in the email contained details of operating budgets and business plans, confidential memos between senior management, as well as messages from Gerrity’s personal account regarding his recently deceased mother.
The attacker threatened to forward the documents to business partners and competitors unless his blackmail demand was paid. Gerrity found himself in the difficult position of paying the ransom or handing over even more information to the intelligence agencies so they could make an attempt at recovery – a near impossible feat. Mr Gerrity’s case is not unique.
In the previous article, we looked at how to identify which assets need protecting based on their intrinsic value (confidentiality, integrity and availability). The final stage before implementing security controls to protect those assets is deciding the level of protection required.
The cost of securing assets should be directly related to the risk that they pose to the organisation. The most common formula used for assessing this risk multiplies the likelihood of an incident by its potential impact.
To calculate the impact of an attack on an asset, we need to consider what it is that is most valuable and allocate it a score out of 10. This ranges from technical factors such as the loss of confidentiality, integrity and availability of data to business impacts such as financial damage, reputational damage and violations of people’s privacy.
Likelihood can be calculated by considering factors that make the organisation either an easier target or a more valuable one. Larger organisations, or companies involved in particularly lucrative or controversial business areas, need to consider whether they are more likely to be targeted by organised criminals or even online activists. Attackers may be after a specific business, or an individual may simply be caught up in a larger, indiscriminate attack. These factors should also be given a numerical score.
Additional factors related to existing security need to be considered. How easily could a potential attacker discover the asset? Is it a web server that can be seen by many or a device they need to have physical access to? The example below shows the standard method of assessment.
As a rule of thumb, an asset can be said to be Low risk if its overall risk score is below 3, Moderate risk if the score is below 6, and High risk for anything above that.
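The scoring described above (impact scored out of 10, likelihood scored separately, risk = likelihood × impact, then banded Low / Moderate / High at 3 and 6) can be turned into a small prioritisation tool. The example below is added here and is not from the original article or from FarrPoint; it assumes that each impact factor is scored 0 to 10 and the asset's impact is its highest-scoring factor, and that likelihood is expressed as a probability between 0 and 1 so the overall score stays on a 0 to 10 scale matching the article's bands. The assets and scores are constructed sample data.

```python
"""Asset risk scoring: risk = likelihood x impact, banded Low / Moderate / High.

Added worked example, not code from the original article.
Assumptions (not stated by the article):
  - each impact factor is scored 0..10 and the asset's impact is the highest one;
  - likelihood is a probability in [0, 1], so risk stays on a 0..10 scale that
    lines up with the article's bands (< 3 Low, < 6 Moderate, otherwise High).
"""
from dataclasses import dataclass

# Impact factors named in the article: technical (C/I/A) and business impacts.
IMPACT_FACTORS = ("confidentiality", "integrity", "availability",
                  "financial", "reputational", "privacy")


@dataclass
class Asset:
    name: str
    impact: dict       # factor name -> score 0..10
    likelihood: float  # 0..1, from target attractiveness and how easily the asset is discovered


def impact_score(asset: Asset) -> int:
    """Highest-scoring impact factor, after validating factor names and ranges."""
    if not asset.impact:
        raise ValueError(f"{asset.name}: at least one impact factor is required")
    for factor, score in asset.impact.items():
        if factor not in IMPACT_FACTORS:
            raise ValueError(f"{asset.name}: unknown impact factor {factor!r}")
        if not 0 <= score <= 10:
            raise ValueError(f"{asset.name}: {factor} score {score} outside 0..10")
    return max(asset.impact.values())


def risk_score(asset: Asset) -> float:
    """Risk = likelihood x impact, rounded to avoid float noise in comparisons."""
    if not 0.0 <= asset.likelihood <= 1.0:
        raise ValueError(f"{asset.name}: likelihood {asset.likelihood} outside 0..1")
    return round(asset.likelihood * impact_score(asset), 2)


def risk_band(score: float) -> str:
    """Article's rule of thumb: < 3 Low, < 6 Moderate, otherwise High."""
    if score < 3:
        return "Low"
    if score < 6:
        return "Moderate"
    return "High"


def prioritise(assets):
    """Return (name, score, band) tuples, highest risk first."""
    scored = [(a.name, risk_score(a), risk_band(risk_score(a))) for a in assets]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample inventory for a small business (not real data).
SAMPLE_ASSETS = [
    # Internet-facing, so easily discovered and frequently probed.
    Asset("public web server", {"availability": 7, "reputational": 6}, likelihood=0.9),
    # Holds payroll and customer data, but only reachable with physical access.
    Asset("finance laptop (office only)", {"confidentiality": 9, "financial": 8,
                                          "privacy": 7}, likelihood=0.5),
    # Low-value device, little impact even if compromised.
    Asset("staff room printer", {"availability": 2}, likelihood=0.5),
]

if __name__ == "__main__":
    for name, score, band in prioritise(SAMPLE_ASSETS):
        print(f"{score:5.2f}  {band:8s}  {name}")
```

Running it lists the web server first as High risk (0.9 × 7 = 6.3), the finance laptop as Moderate (0.5 × 9 = 4.5) and the printer as Low, which is the "clear line of priority" the next paragraph refers to. Taking the highest factor rather than the sum keeps a single catastrophic impact (a privacy breach, say) from being diluted by several low-scoring ones.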
Once a risk score is calculated you have a clear line of priority for each asset and can see a reason to invest in those deemed high risk. Your personal or organisational risk posture can be used to decide which of these to act on based on their score. Alternatively, if you don’t have a risk posture, actions can be based on the priorities we looked at in the first article of this series.
In the next part we’ll discuss how to act on the results and where best to spend your investment in cyber security.
Daniel B Brown is a security consultant at FarrPoint Ltd.