In late November, Marriott International announced that 500 million customers may have had their data stolen, including passport and credit card numbers, as a result of a breach that lasted for four years. Within days a class action lawsuit was filed and there’s no doubt the company is spending money on public relations and ensuring the business is safe from further intrusions.
As embarrassing as a breach is for Marriott, it’s also going to be costly. Target, which experienced a breach in 2013, spent an estimated $300 million to revamp its cyber-security measures and pay settlements to credit card companies and customers. The cost of a 2017 cyber attack on FedEx was also estimated to be around $300 million.
While Marriott may be the most recent company to announce a data breach, it won’t be the last. Businesses around the world regularly get compromised, and it’s often up to a company’s finance team to manage the cost of a security risk.
Risks are rising: In the first half of 2018, 4.5 billion records were stolen globally, up 133 per cent from a year earlier, according to digital security firm Gemalto. It’s not just large companies that get attacked either. According to Statistics Canada, about 20 per cent of cyber attacks that occurred in 2017 targeted businesses with 10 to 49 employees.
Battling an attack can get pricey, with Canadian companies spending on average $6.1 million on breach-related expenses, up 5.6 per cent from 2016, according to the Ponemon Institute. In 2017, about half of Canadian businesses reported an impact to employee productivity as a result of a cyber-security incident, according to Statistics Canada.
What’s worse, though, is that a cyber attack can slow down growth, says Jason Bero, Global Black Belt, Modern Workplace at Microsoft. “A CEO once told me, ‘I can’t quantify the total amount of a breach, but it impacted the total cost of progress,’” he says.
While more executives are aware of how costly a breach can be, many businesses aren’t prepared enough. It’s often hard for a chief financial officer to allocate funds to something that may not happen. A breach, though, can be more expensive than the cost of taking appropriate steps to prevent one. “Executives need to understand the overall cost of not being prepared,” says John Hewie, National Security Officer with Microsoft Canada. “The cost to clean up the IT environment can be expensive but the loss of trust in your brand can be more damaging.”
Today, cyber security is about more than just protecting against a breach. With the bad guys constantly adjusting their strategies and responding to the latest defences, any software that’s used must help companies stay one step ahead. “The old way of protecting was to build a fortress around your organization to keep bad things out,” says Hewie. “Today organizations must think in terms of resilience and be able to quickly detect and remediate incidents before they become breaches.”
Some companies are now looking at tools that allow them to react faster to attacks than a human can. Intelligent technology, as it’s called, uses advanced analytics, machine learning and behavioural analysis to help automate the detection of and response to a cyber attack. “We need to eliminate or reduce a lot of this human intervention,” says Hewie.
LOOK AT LOGINS
Fortunately, there are practical things you can do to reduce your vulnerability. For instance, companies are adopting facial-recognition software to create passwordless environments. That will make it harder for hackers to enter through the front door. Windows 10’s Hello feature, for instance, allows users to log on to their computers via facial recognition. Not only does it increase security, but it also allows people to get onto their computers faster than they would with a password. “I rarely have to use my corporate password these days,” says Hewie.
A simple way to protect against intrusions is to make sure staff turn on multifactor authentication on the apps and programs they use, says Bero. While people still need to input a password, they also have to verify their identity in a second way, such as by entering a code sent by text. “Run modern software and keep it up to date, use complex and unique passwords, reduce privileged accounts and implement some form of multi-factor authentication,” says Hewie. Microsoft Secure Score is also an easy way to understand your security position in the form of a KPI.
To truly protect against a cyber attack, companies need to create a culture of security across the entire organization. Employees must learn to identify and report suspicious activity and operate online in a way that doesn’t put their organization at risk. Finance teams must also invest in the right security solution early, before an attack threatens to derail a business. “It has to be a shared responsibility,” adds Bero. “Everyone needs to take part.”