It’s been about a year since we first looked at the Equifax hack back in 2017. I covered it in my blog post “Richard Smith – House Husband”, a reference, at the time, to the new job title of Equifax’s previous Chief Executive after the company was hacked and suffered a huge loss of data.
I thought it was worth circling back over this topic though, as a short time ago Equifax made some revelations about the cost of fixing the damage done in that data breach.
I think there are lessons to be learnt about how we see security. Many see it as an expense to be minimised, while others see it as something as simple as paying a few pounds to their insurer to make the problem go away. I would like to propose a different perspective, one that recognises the realities. You probably do need some element of insurance, and you should talk to your insurance broker about what is appropriate for a business of your size. However, in addition, you need to be spending something on security and have a plan to reduce your exposure. Security, at least from my perspective, is not expensive. Done with a good plan and some focused investments, it can be very good value for money.
So how much is good enough security?
Well, before we get to that, you should know where you stand in security terms. Nitec customers have access to a security portal which shows, in a series of charts and widgets, which security items are implemented and which aren’t. This is a huge help in starting a discussion. You can then easily decide what is important and needs planning, and what can be skipped. You can also take some advice on the baselines that are essential. As a Nitec customer, the internal IT contact can generally articulate in layman’s terms what they have done and what still needs to be done. If you do not have some sort of mental image of how good your network security is, I think it’s fair to say you have a lot of work to do. Either way, the items are not going to break the bank.
Unlike Equifax’s bill for remediation, which was approximately $625 million. Luckily, they had insurance; unfortunately, it was limited to $125 million. So the overall hit to Equifax’s bottom line this year will be $500 million. The same point applies to you: you can’t just write a cheque to A.N. Other Insurer and then leave your important data however you like. The takeaway: you cannot simply insure this risk and do nothing else.
Before we close the pocketbook, though, there are a few more costs I want to point out.
How much is your time worth?
I would love to know how many hours of senior management time have been vacuumed up by meetings about this topic at Equifax. From what I see, the amount of senior time that gets diverted to damage control can be huge. You need to factor that in. When these moments happen, they are not only financially painful, they can also be hugely stressful and can completely distract you from the business of your business.
How good are your customer relations?
When a hack happens, it’s hard to predict the collateral damage. For example, all your customers receive a fake bank account change notice that appears to come from you. The resulting call to one of your best customers, to negotiate how you are going to split the cost of the missing cash, probably isn’t going to deepen your relationship in the way you had hoped. These are conversations you are much better off never having at all.
This is based on my experience of seeing some hacks up close. Yes, we do see customers get hacked, and there’s a reason for that. It comes down to us trying to implement a security plan and receiving pushback on various items on it, even something as simple as a password policy or multifactor authentication. There is one universal truth, though. In every incident, the plan has been resurrected, dusted off and implemented with haste as soon as the hack happened. Things that were previously deemed impossible were in operation, with minimal upset, a week later. Once people see the reality, things just get done.
There are no guarantees, and you cannot be completely secure. However, it is possible to get really good security and sleep well in the knowledge that hacking your systems is pretty hard, requiring the dedicated attention of a determined hacker rather than an email to the right person.
How much does ‘good enough’ security cost?
Returning to our question: how much does ‘good enough’ security cost? I honestly believe it is cheaper than fixing the damage afterwards. OK, that’s a bit of a cheat, I know, but as a step in the right direction, know where you are right now and have a plan for where you are going. Then you, or we, can put a price on it.
If your current IT provider can’t answer that question, or has never discussed a security plan with you, you could always call us and get a free security assessment. Even if you are just curious about what a security score from one of Ireland’s leading IT providers looks like, you should call. I mean, what’s the worst that could happen? At least you’ll know where you are and can start to plan. You might even sleep a bit better, and that you genuinely can’t put a price on.