IBM and the Ponemon Institute estimate the per-record cost of a data breach reached $154. While there have been a number of studies related to the expense of a data breach, there is little information about the cost of cyber security safeguards prior to a breach beyond a recent report indicating “the world-wide cybersecurity market topped $75 billion in 2015.” This data may be difficult to measure because pre-breach security precautions vary based on the size of an organization and the number of safeguards available.
Pre-breach cost may be difficult to assess, but it is clear that larger organizations are more willing and able to incur cyber security costs than smaller organizations. Although smaller organizations understand the importance of data security, adopting safeguards may boil down to a question of finances. However, smaller organizations are starting to find “low-tech” solutions to high-tech cyber security problems.
Due to the cost constraints of procuring high-tech safeguards against hackers, many smaller organizations are choosing to focus on the protection offered by a well-trained staff. Experts place a focus on employee training to complement technology rather than relying solely on technology. The number of breaches over the last few years indicates that the newest and most expensive technology does not offer a perfect defense against cyber incidents.
For example, a recent report indicates that an estimated 80% of all breaches could be avoided merely by using technology that is already in place. Results from audits on cyber security have found that when asked, zero out of 15 people knew who to call within their organization when a breach occurred. Consequently, ensuring employees are trained to spot and address red flags is an inexpensive method to increase an organization’s cyber security.
Every individual in an organization’s workforce must be considered when organizing a training program since employees can span a number of generations. Recent reports indicate employee training must take into account how Millennials, Gen Xers and Baby Boomers approach technology so training can be individualized to each generation’s specific interests and capabilities. Nevertheless, all three generations share many bad habits, including using public WiFi and easy passwords, which could all be addressed through a generalized training session.
On March 13, 2016, the Wall Street Journal covered organizations that borrow tactics from the military for cyber security training. Specifically, by adopting training borrowed from hacking tournaments developed at DEFCON (the largest annual hacking convention), employees are trained against cyber attacks using tools available to the company. However, smaller organizations should not be discouraged if they don’t have the resources for training similar to those seen at DEFCON. Any training for employees on cyber issues is better than no training at all.
Forced to Use a Low-Tech Solution
Last month, Hollywood Presbyterian Medical Center was the victim of a “ransomware” hack that shut down its system unless Hollywood Presbyterian paid the hackers their initial demand of $3.6 million, or 9,000 Bitcoin. Ransomware is installed through phishing emails. Once installed on a system, the malware encrypts system files and blocks the owner’s access to the files. All files are deleted by the malware if the owner does not pay the ransom within a given time frame. Ultimately, Hollywood Presbyterian paid $17,000, or 40 Bitcoin, in ransom in order to get its system restored.
Reports indicate that while the computer systems were blocked “doctors ha[d] been communicating through fax messages, nurses [were] writing down patient information on paper charts and patients [were] forced to drive back to the hospital to claim test results.” This situation at Hollywood Presbyterian provides further evidence that low-tech solutions should not be dismissed.
Smaller organizations fall into what some experts refer to as “hackers’ cybersecurity ‘sweet spot’,” meaning they have more digital information to steal than an individual but less security than a larger corporation. Therefore, it makes business sense for smaller organizations to invest in cost-effective safeguards against hackers, like employee training.