Poor security practices hit productivity first, expert says

Brian Chappell from BeyondTrust says that the first and best line of defence against cyberattacks is always the workforce

There’s no doubt that cyberbreaches and attacks can have serious consequences, but Brian Chappell, Senior Director, Enterprise and Solution Architecture at BeyondTrust, says that although there are plenty of technical solutions, the first and best line of defence is always the workforce.

Forget the common sense that goes into maintaining a high level of cyberhygiene, forget about how much money you’ve already spent on security, forget about the cost of mitigating a data breach and forget about the ethical points of keeping private data private. Forget about the legal ones too, for that matter.

Just think about productivity and just how much lag your workplace could really afford if suddenly, your business was to grind to a halt.

Our annual Privileged Access Management survey, which surveyed nearly 500 IT professionals between May and June 2017, showed that the large majority, 66%, suffer losses of productivity as a direct result of poor security practices.

Those productivity losses, our survey also found, caused organisations an average loss of US$4.2 million.

That wasn’t the only outcome – 23% of respondents mentioned harm to reputation as an impact and 21% said they had been subject to legal or compliance penalties. A small number said they had to deal with criminal prosecution too.

Still, this should come as a vindication of what security professionals have always known – that good cybersecurity practice does not hinder productivity. Ultimately, it enables it.

A whaling scam can send workers running up and down the office, looking to fulfil the demands of someone they believe to be their boss; an insider theft can prompt a lengthy, cumbersome security audit; and a regular old network breach can switch staff priority to damage control instead of their normal duties.

But the best example is ransomware, the preeminent cyberthreat to individuals and businesses globally. Were an employee, or even your boss, to absent-mindedly click on a phishing link, you may soon find yourself looking down the barrel of an encrypted network, a paralysed business and thousands, if not millions, in lost revenue.

And that’s before you even pay the ransom.

This doesn’t just go for the non-technical employees, but IT staff too. There are a variety of cases in which workforces have done the right thing, for the most part, only for their IT providers not to have patched or backed up regularly, leaving all that good work for nothing.

Losses from ransomware are estimated to have ballooned 15 times over the last two years to reach US$5 billion for 2017. Much of that figure will not even be from ransom payments, which often end up being cheaper than the restoration costs, the data loss and, most importantly, the business paralysis that prove so costly.

To be clear, that isn’t an endorsement of paying up, it’s merely a warning against ever having to make that choice.

The scale upon which it can sow destruction was revealed only a few months ago. When the WannaCry ransomware attacks hit in May 2017, it took down parts of the Chinese public security bureau, the Russian Internal Ministry, the Romanian Ministry of Foreign Affairs, four Indian state governments, one Indian state police force and 42 National Health Service Trusts, choking frontline public health services in the UK. That’s some productivity loss.

It took around a month for it all to happen again. The NotPetya attacks wreaked a similar, if slightly diminished, amount of havoc on public institutions and multinational giants.

FedEx, Russian oil company Rosneft and the world’s largest advertising agency, WPP, were all hit with the ransomware. International consumer goods giant Reckitt Benckiser, which is responsible for household brands like Dettol, Strepsils and Clearasil, said that the attack could have punched a £100 million sized hole in the company’s revenue.

The world’s largest shipping container business, Maersk, revealed a US$300 million loss a short while after. With the company responsible for around 15% of the globe’s shipping, the NotPetya attacks took a large swing at its third quarter results.

Even a month after the attacks, some companies were still scrambling to make sense of exactly what the final recovery bill would be.

Perhaps the most notable quality of NotPetya was that even if its victims paid up (which, once again, I do not recommend), they could not get their data back. The ransomware was written without a victim ID, making it impossible for even its controllers to decrypt the data.

Of course, this is an extreme example. Our respondents were far more likely to be the victims of smaller scale attacks, costing them a smaller amount, but the point stands that much of this kind of global havoc, and the hundreds of millions in lost revenue, hinged on the poor security practices of many. Most notably, that included a simple failure to patch the vulnerability exploited by EternalBlue, which was used in both cases and for which a fix had been issued months earlier.

Don’t get me wrong, the 23% who reported reputational damage as a direct result of poor security behaviour is nothing to sniff at. PwC’s economic crime survey for 2016 labelled it as the most damaging impact of a breach. Avid Life Media felt that sting particularly keenly after the well-publicised breach of Ashley Madison, the online dating service for married people, forced the CEO out and prompted the company to rebrand entirely.

While the 21% who complained of legal and compliance penalties were the least populous of the three groups, they were also the most heavily taxed for their failures. The average monetary loss for our respondents was US$4.2 million, but those that had to face a court case or hear the heavy hand of the regulator at their door lost an average of US$11 million.

The regulator’s hand can indeed be heavy. And it will become heavier still when May comes around.

The EU’s General Data Protection Regulation (GDPR) comes into effect in May 2018 and promises to overhaul pan-European data protection regulation, not just for residents but for anyone who does business with Europe.

It introduces a whole new raft of security measures, including reporting requirements and, importantly, a variety of basic security measures. Should a company or organisation fall short of those requirements, they will face vindictive fines of up to €20 million or four percent of global turnover (and this is important), whichever is higher. That US$11 million figure may soon be dwarfed.

There are a variety of good technical solutions to nip these problems in the bud, and BeyondTrust can provide you with plenty of them, but your workforce will always be your first and best line of defence. Making sure they know how to spot a phishing email, which is still the main attack vector for so many campaigns, will be the difference between a smooth-running business and a paralysed one.

That has to be upstairs as much as down. For some, there is a prevailing idea that cybersecurity is merely a roadblock to an efficient workflow. Workforces find it cumbersome to work around blocked applications, and C-suite executives don’t want to bother with long, complicated passwords. We know that the reverse is true. Cybersecurity is as much a part of business continuity plans as anything else. Communicating that is an uphill battle, but a decisive one in the war against insecurity.

Intelligent CISO