In matters of business, it is our natural inclination to ask, “What’s the ROI going to be?” But when we look closely at a cybersecurity measure such as penetration testing, the issue becomes less about ROI and more about avoiding significant, unplanned costs and a potential loss of credibility. Although penetration tests do not encompass all preventative cyber-crime measures, they should be a routine protection tool in your arsenal.
If you aren’t proactively reinforcing your cybersecurity measures, it’s not a matter of if, but when, your business will fall victim to an attack from cybercriminals.
There are plenty of articles justifying protecting your business:
· We’re just halfway through the year, and 2020 is on track to set a new data breach record according to Security Boulevard.
· State of all data breaches as of June 2020 as reported by Selfkey: The first quarter of 2020 has been one of the worst in data breach history with over 8 billion records exposed.
· IBM looked at breaches across more than 500 organizations and pegged the average financial impact to the affected enterprise (from fines to lost worker hours) at $3.92 million.
· According to Verizon Enterprise, 61 percent of data breach victims are businesses with fewer than 1,000 employees. Further, Cybersecurity Ventures reports that a business falls victim to a ransomware attack every 40 seconds, something it predicts will rise to every 14 seconds by the end of 2020.
· Accenture put together its own study of the costs of various types of cyberattacks with interesting results. Malware rates as the most expensive, with an attack costing victims up to $2.6 million. Perhaps more surprising, given its prominence in the news, ransomware came in close to the bottom of the list, with each attack costing “only” $646,000 on average.
Many professionals recommend performing penetration tests annually; however, it is specific events or impacts to your systems that dictate when a penetration test is needed, including these types of scenarios:
- After any security-related changes or patches
- Network infrastructure changes
- End-user policy modifications
- New applications or significant application changes
According to Marsh and Microsoft, some technologies may add new risks if they have not been built in accordance with optimal security standards. Organizations are focusing more on technology and prevention than on prioritizing the time, resources, and activities needed to build cyber resilience.
Despite embracing technology and digital innovation, organizations have considerable uncertainty about the degree of cyber risk such new technologies bring.
Essentially, after any significant change to your environment or at least once a year, whichever occurs first, you should consider:
- Penetration testing
- Reinforcing cybersecurity policies
- Evaluating or updating your cyber incident response plan
- Cyber threat assessment and preparation
Coquina Systems has certified professionals who help our solution provider partners conduct these types of services for their clients.