'A stitch in time saves nine' — Mitigating security breach

As narrated in Homer’s Illiad, after many failed attempts to breach the city walls of Troy, the Spartans hid in a giant Wooden Horse and befooled the Trojans to sneak inside the city. Even after constructing a strong defensive wall, carelessness cost Trojans dearly and they had to lose their city. In modern age computing, we still use the term Trojan Horse or Trojan to designate a malicious computer program which misleads users of its true intent. Most of the times, it is difficult to quantify a security breach since it may trail a long-term effect. But it always helps to have some numbers in hand which help in prioritising implementations. Anindo Bandyopadhyay, VP, Technology, Xoxoday feels that it pays off to remain vigilant and apply preventive measures against both internal and external factors in the long run.

The Cost

Study on Cost of data breach conducted by Ponemon Institute and funded by IBM in 2017 reports that in India, for budding services company like ours the cost can run up to $3.4 Million annually if no security is in place. And this figure can shoot upwards substantially if the organization is open to other factors like BYOD, loss/theft of devices, usage of mobile devices, cloud dependency etc.

In the current age sales target, marketing pressure, client’s escalations, delivery deadlines many times put the security concerns in oblivion for budding organizations. Even though security measures are made trivial but still no one clamours for a security breach. A breach can cause immense loss if the concerned organisation is not prepared. Various factors which needs to be considered while calculating the cost of the data breach:

• The unexpected and unplanned loss of customers following a data breach
• The size of the breach or the number of records lost or stolen
• The time it takes to identify and contain a data breach
• The detection and escalation of the data breach incident
• Post data breach costs, including the cost to notify victims
• An attack by a malicious insider or criminal is costlier than system glitches and negligence (human factor).

Organisations must consider such factors beforehand to make better decisions about how to allocate resources to minimise the financial consequences when the inevitable data breach strikes.

What should an organisation do

Security implementations should never be considered as a target or a goal, rather an important process in helping achieve future sustainability and growth. To prove this the simplest example is that it pays to keep the customer. Clients/customers always have more faith in a secured application than on an application with no fortification.

Security implementations can be built using three pillars — identify, protect, respond. To begin with, every organisation should identify their critical assets, if lost or stolen will impact business the most. The next major step is to have a strong protection which in any case will not let the assets fall into wrong hands. Once the protection fortification is in place, the organisation must regularly review the fortification, check for upgradations and mend any loophole. Last but not the least in case of any untoward incident, the organisation should be prepared to act and respond appropriately. Post data breach response includes help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.

It is always a good practice to imbibe compliances or processes which help in mitigating security risks. For budding organisations, it may appear costly to procure compliant accreditation, which mostly is a genuine case. In such a condition it is never harmful to simply follow the best-prescribed practices, indirectly improving the fundamentals of the application architecture and in turn helping the business grow.

A disciplined approach can only be implemented by following a top-down model, and the senior management in the organisation needs to be thoroughly involved in the implementation. Though appointing a Chief Security Officer (CSO) may look expensive for startups, a voluntary CSO role may be assigned to a capable team member. Employees should be trained regularly for the dos and don’ts.

Critical assets should be encrypted and stored away making them accessible to only authorised members. There are many free and open source tools readily available which can be frequently used to scan and report any vulnerability in the IT infrastructure. Using such tools helps in hardening the system. Incident management and reporting plan come handy if any such eventuality strikes.

Generally, it is difficult to foresee any missed scenarios from the perspective of a designer, creator or a manager of the organisation. To protect such loopholes, organisations can outsource help by hiring a security specialist, or launch bug bounty programs.

Conclusion

Security cannot be a onetime process, rather it should be implemented as a discipline and is required to be followed in every step of the software development lifecycle in the company. If a loophole in the fortification or the security implementation of IT solution left unattended, may cost a business dearly, in the long run, after all “A stitch at time saves nine”.

(source)