How I Learned to Stop Worrying and Love Cyber Security: Sera-Brynn CEO Perspective

By Rob S. Hegedus

CEO, Sera-Brynn

In a market economy, supply follows demand, and the demand for cyber security will reach over $170B in the next five years. Not surprisingly, it seems a lot of companies are jumping into the market. “Cybersecurity” is now the “service du jour.”

Traditional information technology firms, government contractors, and even educational-based companies have added it to their offerings. But be careful. In most cases, these firms will advertise vulnerability scans and penetration tests, or just try to sell you the latest and greatest technology to counter hacker threats. These may have been good options five years ago, but the market and threat environment has shifted significantly since 2010.

Paying a firm to tell you where your weaknesses are sounds good, but now you’re obligated to fix them, regardless of cost, or incur the additional liability once the inevitable data breach happens. And if that new tool doesn’t stop the next data breach, there is zero liability on the company that sold you that technology.

The good news is meeting current cyber threats doesn’t have to be confusing or expensive. At Sera-Brynn, our team believes the best strategy is not some yet undiscovered tool or process. The best strategy lies in using an already established infrastructure. The following are some hints and strategies we suggest you consider to limit your cyber vulnerabilities and, more importantly, exposure to financial loss.

Hint #1: Technology alone is NOT the answer.

Product development is increasing at breakneck speed. Much of this is fueled by start-ups chasing VC funding for the “next big thing” in cyber security.

Unfortunately, unless these tools (and they are only tools) are employed in a strategic and systematic manner with analysts who can understand the tool and glean actionable data, they may not really offer much protection compared to their costs. In fact, in most cases, it’s actually difficult to justify the ROI on cyber security technology purchases. Cybersecurity dictates employing a “defense in depth” strategy to protect the entire enterprise.

Very large companies can afford to employ the talent needed to ensure the right categories of technologies are used in the right places.

These categories include SIEM, Firewalls, DLP, Forensic Analysis, Email and Web Security, IDS/IPS, and ATP, to name a few.

Everyone else is at the whim of the loudest and most convincing vendor. Mid-sized businesses (and this includes educational institutions, healthcare facilities, and most non-federal government agencies) are left to figure out, on their own, which technologies to use for their unique network environment. Without justifiable ROI projections, good luck selling this strategy to the CFO. So if technology alone is not the answer, what should a business focus on?

Hint #2: Cyber Criminals are like toxic mold.

By this, I don’t mean cyber criminals are sub-life forms that pose a passive threat to your well being and thrive is dark, dank environments (although in some cases this is true).

There’s an analogous relationship between the sick building syndrome of the 1980’s caused by toxic mold and the cybersecurity crisis we face today.

When toxic mold became a mainstream threat, the first on the scene were a plethora of environmental remediation vendors with mold mitigations strategies and technologies. But as the health threat to this now well publicized issue became more acknowledged throughout the country, individual homeowners, developers and real estate investors became inundated with mold mitigation products, strategies and processes. The solution became more confusing than the problem. Sound familiar? So, where did everyone finally turn to address this risk? Insurance. This leads me to the next hint….

Hint #3: Insurance…sure it’s boring, but it can save you a lot of $$$.

The things you need to deal with after a data breach (that you haven’t even though of yet) are all insurable events. These include crisis management, internal and external communications, identity protection, forensics, remediation, and legal costs.

However, not all insurance policies are created equally. It took the insurance industry a little while to consolidate actuarial standards across toxic mold exposure, and the same will be true with cyber liability.

We believe the insurance industry will drive the standards to limit a business’s exposure, as it will be in their best interest to limit claims payments. And those standards are slowly being adopted from already recognized industry standards, namely cyber compliance standards. Make sure the cyber security firm you’re dealing with understands those standards and has a relationship with their insurance counterparts, otherwise their services may not be as valuable in the long run as you think.

Hint #4: Compliance is like “Hot Potato.”

After a data breach, the game of hot potato begins…also known as the search for culpability.

There is one guaranteed way to ensure the potato stops with you: non-compliance.

It’s human nature to assign blame after an incident, and public opinion generally sides with the prepared. After all, you can’t prevent a data breach, but you can meet minimum compliance standards. In addition to reputational loss (which can usually be managed), there are more tangible financial consequences of not being compliant. Those can be deal-breakers.

If you are a retailer that processes credit cards, the card brands, processors, or acquiring bank can levy fines if your business is not PCI compliant. If your business holds Protected Health Information, the Office of Civil Rights can fine you in the millions of dollars if you’re not HIPAA compliant. If you’re an auto dealer or debt collector, the FTC can take you to court for not adhering to the Red Flag Rules. The list goes on.

Compliance is the strongest firewall against fines and litigation, and we’ve seen a significant increase in those lately. Which leads me to…

Hint #5: Don’t trust a forensics firm that doesn’t hang up when you call them.

This hint is pretty straightforward: lawyer up right after a breach. In fact, it’s even better to build an incident response plan that includes legal points of contact before any breach happens.

You are better protected if your legal representation hires the post-breach forensics team than if you do it yourself.

In every case, our forensics activities were executed in cooperation with legal representation. Just to drive this point home even more, most of our cyber consulting activity involves some form of legal support. For example, we design secure network infrastructures for joint ventures across the globe, but even the most secure system is useless if it doesn’t comply with host country security requirements, which is why we work so closely with law firms. Any professional forensics firm will have similar relationships and will direct you to a lawyer when you call them. If they don’t, you should be the one hanging up.

Hint #6: It’s all about the money.

Very large firms don’t care as much about cybersecurity as you should, and for good reason.

Proportionally, it won’t cost them as much. Consider the Target breach. Target lost 40 million debit and credit card number and 70 million other records. Total cost to remediate? $252 million. Insurance covered $90 million (see Hint #3), and after additional tax deductions, the total loss was $105 million. That equates to .1 percent of Target’s 2014 revenue. Home Depot faired even better. They lost 56 million credit and debit card numbers and 53 million email addresses for a total loss of $28 million. After insurance (again, Hint #3), Home Depot’s total loss was $15 million, or .01 percent of their 2014 revenue. Easily absorbable.

Now consider the typical small or medium-sized business. The odds of suffering a significant data breach are about 11% every year, and the typical cost per breach averages out to $385,000. Some of our small business clients have suffered data breach costs well north of that amount. This also means, statistically, given enough time, a data breach is almost inevitable. Furthermore, while very large companies can absorb the cost of a breach, small and medium-sized businesses can’t. This explains why 60% of small businesses that suffer a data breach are out of business within six months. However, it doesn’t make economic sense to spend more than the average breach cost on technology to “shore up the defenses.”

Most small business couldn’t afford it anyway. What they can afford, however, is meeting compliance requirements (which will dictate what kinds of security technologies to employ), getting the right insurance in place, and putting an incident response plan in place now. Which leads me to our last hint.

Hint #7: You don’t plan for a hurricane after it hits.

Incident Response planning is akin to disaster preparedness…it’s best to do it before the disaster strikes.

Building an incident response plan ensures all of the institutional players are on your team ready to help once the data breach occurs. Your cyber security / forensics firm will be ready to work with your insurance carrier, lawyers, crisis management team, financial representatives, and law enforcement to ensure you’re not left holding the bag after disaster strikes. A good cyber security firm will bring these players to the table as part of their support long before any data breach occurs. One dollar of planning now can save $100 after a breach. And unlike pitching the next new technology, this approach to cyber risk management is something any CFO can understand.

###

About Sera-Brynn: Sera-Brynn is a global Cyber Risk Management firm that is dedicated to helping its clients secure their computing environments and meet applicable mandatory industry and government compliance requirements. Technology can no longer guarantee safety from data breaches, which is why Sera-Brynn focuses on the GRC strategies all organizations and businesses must employ to protect themselves and their reputations after the inevitable data breach. Specifically, Compliance, Insurance, and Response.

Ranked #16 in the Cybersecurity 500 hottest companies in the world, Sera-Brynn is the only PCI QSA in North America directly partnered with a $6B financial institution, and the firm works closely with the insurance industry, legal offices nationwide, crisis management firms, financial institutions and law enforcement at all levels to provide the best possible protection to our clients. Sera-Brynn is therefore the only cyber security firm able to offer and manage full cyber risk management services all under one roof.

This holistic and all-inclusive approach to Compliance, Insurance and Response has ensured Fortune 1000 companies, hospital networks, retail establishments, government agencies, financial institutions, higher education, national non-profits, and small businesses all receive the most comprehensive, proven, and trusted protection against damage from a cyber-attack available on the market today.