“The more time you spend contemplating what you should have done… you lose valuable time planning what you can and will do.” – Lil Wayne
Don’t make the mistake of paying for your risk management during and after a breach, when you risk so much more. Make security a priority today, at a more affordable cost, while you’re the one in control instead of the bad guys.
4D5A Security regularly assists organizations during their greatest hour of need: an urgent incident response. We’ve seen in the last year multiple ransomware attacks, intrusions into HIPAA-managed environments (medical), and more. In some cases, life support systems and emergency response were threatened. In others, sensitive legal and private information was at risk, potentially endangering the lives of others. ePHI (electronic protected health information) and similar data is powerful in the hands of an adversary, and it’s worth a lot more than a credit card on the underground today.
Many smaller shops are still in the ad-hoc stage of maturity. 4D5A Security strongly encourages companies to move, over time, towards having documentation, policy, and planning all in accordance with a risk management plan. In short, take some time to identify your crown jewels – what you need to protect the most. Is it availability of a server for web services, or protection of medical records by patients, or something else? Then look at HOW you’re protecting those critical assets and make a road map towards improving upon that over the next month, six months, year, and three years. Revisit that regularly and mature it over time.
If you think it costs too much, well, it probably does… but the reality is you’ll pay for risk management now or later. The threats aren’t going away; they are becoming more prevalent, diverse, and sophisticated. The average cost of just handling an incident technically is anywhere from $25,000-50,000 if you’re lucky, not including disclosures, credit watching, reputation and business loss, stock loss, etc. If you look at breaches within your industry, you can get an idea of what they experienced for loss and apply it to your own assets and risk. Look at that total cost of ownership (TCO) and compare it against your priorities and budgets to improve your security posture. Remember, this isn’t about buying a firewall or hiring another IT guy… it’s about managing risk as a company. If everyone is on board with the same crown jewels protection, then you’re on the right path towards working as a team with resources to protect them accordingly.
Be smart, plan ahead, work as a team, and protect your crown jewels today. Don’t take your functionality and accessibility for granted; it could be taken away in a heartbeat by a bad actor inside your network. You could be just one email away from a major ransomware event, one Wi-Fi connection away from a major network intrusion, or one DDoS attack away from extortion.