Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Security & Business Resilience / Cyber Security News / Trends Column / Columns

Measuring the Wild West Risks of Cyber Crime

October 1, 2012

When I was growing up in New Jersey, if someone hit you in the nose and took your lunch money, well, you didn’t eat lunch that day. In the cyber world the punches are bigger, the dollars are tremendous and you don’t eat lunch because once your intellectual and physical property is gone, so are the jobs and paychecks that IP created. It is well past game day for U.S. business and competitiveness. At this year’s Security 500 Conference, Lynn Mattice will moderate a panel on the subject. We caught up him to preview this critical panel discussion.

 

Security: Why do you call this the ‘new wild west?’

Lynn Mattice: Today, a single person can perpetrate a multi-million dollar cyber crime with impugnity. Activists, hacktivists, nation states, organized crime and rogue individuals are making careers as cyber thieves. The cost is high. In 2009, the Obama Administration Review identified the 2008 IP loss in the U.S. just as a result of hacking in excess of $1 trillion, and that was four years ago. The Ponemon Institute estimates the cost of a cyber breach at $318 per record, on average. So, think of Sony Playstation at $318 multiplied by 77 million IC3 cyber incidents reported to IC in 2009 in which 65 percent of the victims had no knowledge of being a victim until they were notified by a third party. In 2011 Symantec found the cost of cyber crime to be $338 billion annually, which exceeds the illegal, global drug trade.

On the defensive side, businesses and government are behind the curve and getting beat. There is no U.S. cyber breach law, so 47 states have their own, meaning three have no cyber breach laws. The EU has data breach laws and a number of other countries have written data breach laws. So, a global company’s ability to understand, comply with and manage cyber risk is very complex.

 

Security: So, what is next to fight cyber crime?

Lynn Mattice: On the macro level, this is a societal problem as organizations succumb to convenience. At some point, responsible governments will have to reach an agreement and work to prevent cyber crimes. In the meantime, businesses and consumers are on their own. We expect to see class action law suits from shareholders to force stronger compliance around data protection as well as investment in policies and technology. For example, policies around BYOD or international travel, especially to Asia, on using clean mobile devices should be standard.  Unfortunately, most organizations take the most expedient route. They hope it doesn’t happen to them or when it does, they pass the cost onto customers in higher fees. I often refer to this as the “Las Vegas theory” of managing risk.

Organizationally, the structure to assess, manage and respond to cyber events is not in place. In a few cases, global CSOs have responsibility for cyber security. But more often it is considered an IT issue, not a security issue. A recent McAfee study identified that only 30 percent of cyber crimes are even reported by U.S. businesses.

 

Security: Where do you see money being invested against cyber crime?

Lynn Mattice: The greatest challenge to funding is that no one can accurately measure the risk an organization faces in dollars. So, putting money against that risk and gaining funding is a great challenge. Clearly, after an event the dollars flow. Sony, for example, has invested heavily since the Playstation breach. Second, competitors in the same industry immediately gain a case study and can identify the threat to their business in real dollar risk and justify investing in cyber security. For example, if the Sony breach and the Ponemon estimate are accurate, then the cost to Sony was $318 multiplied by 77 million records. Companies in similar businesses can evaluate their dollar risk and understand their vulnerabilities. Third, a business where data management is their core marketing proposition must have zero tolerance for breaches and take every action available. ADP, SFDC, Switch, Fidelity and WellPoint are examples of companies that securely manage customer information and no cost is too high because the cost of a breach would be more. And last, where leadership understands this is part of their fiduciary responsibility. There are CEOs that consider this a serious part of their job because they focus on doing everything well, not just some things well. And they hire like-minded CSOs and CIOs.

 

Security: Thank you, Lynn. I look forward to seeing you in New York!

 

This article was previously published in the print magazine as "The New Wild, Wild West of the Internet."

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Lynn Mattice

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+