Measuring the Wild West Risks of Cyber Crime
When I was growing up in New Jersey, if someone hit you in the nose and took your lunch money, well, you didn’t eat lunch that day. In the cyber world the punches are bigger, the dollars are tremendous and you don’t eat lunch because once your intellectual and physical property is gone, so are the jobs and paychecks that IP created. It is well past game day for U.S. business and competitiveness. At this year’s Security 500 Conference, Lynn Mattice will moderate a panel on the subject. We caught up him to preview this critical panel discussion.
Security: Why do you call this the ‘new wild west?’
Lynn Mattice: Today, a single person can perpetrate a multi-million dollar cyber crime with impugnity. Activists, hacktivists, nation states, organized crime and rogue individuals are making careers as cyber thieves. The cost is high. In 2009, the Obama Administration Review identified the 2008 IP loss in the U.S. just as a result of hacking in excess of $1 trillion, and that was four years ago. The Ponemon Institute estimates the cost of a cyber breach at $318 per record, on average. So, think of Sony Playstation at $318 multiplied by 77 million IC3 cyber incidents reported to IC in 2009 in which 65 percent of the victims had no knowledge of being a victim until they were notified by a third party. In 2011 Symantec found the cost of cyber crime to be $338 billion annually, which exceeds the illegal, global drug trade.
On the defensive side, businesses and government are behind the curve and getting beat. There is no U.S. cyber breach law, so 47 states have their own, meaning three have no cyber breach laws. The EU has data breach laws and a number of other countries have written data breach laws. So, a global company’s ability to understand, comply with and manage cyber risk is very complex.
Security: So, what is next to fight cyber crime?
Lynn Mattice: On the macro level, this is a societal problem as organizations succumb to convenience. At some point, responsible governments will have to reach an agreement and work to prevent cyber crimes. In the meantime, businesses and consumers are on their own. We expect to see class action law suits from shareholders to force stronger compliance around data protection as well as investment in policies and technology. For example, policies around BYOD or international travel, especially to Asia, on using clean mobile devices should be standard. Unfortunately, most organizations take the most expedient route. They hope it doesn’t happen to them or when it does, they pass the cost onto customers in higher fees. I often refer to this as the “Las Vegas theory” of managing risk.
Organizationally, the structure to assess, manage and respond to cyber events is not in place. In a few cases, global CSOs have responsibility for cyber security. But more often it is considered an IT issue, not a security issue. A recent McAfee study identified that only 30 percent of cyber crimes are even reported by U.S. businesses.
Security: Where do you see money being invested against cyber crime?
Lynn Mattice: The greatest challenge to funding is that no one can accurately measure the risk an organization faces in dollars. So, putting money against that risk and gaining funding is a great challenge. Clearly, after an event the dollars flow. Sony, for example, has invested heavily since the Playstation breach. Second, competitors in the same industry immediately gain a case study and can identify the threat to their business in real dollar risk and justify investing in cyber security. For example, if the Sony breach and the Ponemon estimate are accurate, then the cost to Sony was $318 multiplied by 77 million records. Companies in similar businesses can evaluate their dollar risk and understand their vulnerabilities. Third, a business where data management is their core marketing proposition must have zero tolerance for breaches and take every action available. ADP, SFDC, Switch, Fidelity and WellPoint are examples of companies that securely manage customer information and no cost is too high because the cost of a breach would be more. And last, where leadership understands this is part of their fiduciary responsibility. There are CEOs that consider this a serious part of their job because they focus on doing everything well, not just some things well. And they hire like-minded CSOs and CIOs.
Security: Thank you, Lynn. I look forward to seeing you in New York!
This article was previously published in the print magazine as "The New Wild, Wild West of the Internet."